廢話不說直接進入主題(假設您已對spring security、oauth2、jwt技術的了解,不懂的自行搜索了解)
依賴版本
- springboot 2.1.5.RELEASE
- spring-security-oauth2 2.3.5.RELEASE
- jjwt 0.9.1
新增JWTokenConfig
@Configuration
public class JWTokenConfig {
@Bean
public TokenStore jwtTokenStore() {
return new JwtTokenStore(jwtAccessTokenConverter());
}
@Bean
public JwtAccessTokenConverter jwtAccessTokenConverter() {
JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter();
accessTokenConverter.setSigningKey("entfrm"); //對稱加密key
return accessTokenConverter;
}
@Bean
public TokenEnhancer tokenEnhancer() {
return new JWTTokenEnhancer(); // token增強
}
}
JwtAccessTokenConverter:TokenEnhancer的子類,幫助程序在JWT編碼的令牌值和OAuth身份驗證信息之間進行轉換。
此處定義token 簽名的方式,采用對稱加密方式。
增加JwtTokenEnhancer類
public class JWTTokenEnhancer implements TokenEnhancer {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
Map<String, Object> info = new HashMap<>();
info.put("license", "entfrm");
((DefaultOAuth2AccessToken) oAuth2AccessToken).setAdditionalInformation(info);
//設置token的過期時間120分鍾
Calendar nowTime = Calendar.getInstance();
nowTime.add(Calendar.MINUTE, 120);
((DefaultOAuth2AccessToken) oAuth2AccessToken).setExpiration(nowTime.getTime());
return oAuth2AccessToken;
}
}
重寫TokenEnhancer的enhance方法,根據個人需求實現關鍵字段注入到 JWT 中,方便資源服務器使用。在此處也可以定義token過期時間。
新增AuthorizationServerConfig類,繼承AuthorizationServerConfigurerAdapter
@Configuration
@AllArgsConstructor
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
private final AuthenticationManager authenticationManager;
private final EntfrmUserDetailService userDetailService;
private final TokenStore jwtTokenStore;
private final JwtAccessTokenConverter jwtAccessTokenConverter;
private final TokenEnhancer tokenEnhancer;
private final DataSource dataSource;
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
TokenEnhancerChain enhancerChain = new TokenEnhancerChain();
List<TokenEnhancer> enhancers = new ArrayList<>();
enhancers.add(tokenEnhancer);
enhancers.add(jwtAccessTokenConverter);
enhancerChain.setTokenEnhancers(enhancers);
endpoints.authenticationManager(authenticationManager)
.tokenStore(jwtTokenStore)
.tokenEnhancer(enhancerChain)
.accessTokenConverter(jwtAccessTokenConverter)
.userDetailsService(userDetailService)
.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);//允許 GET、POST 請求獲取 token,即訪問端點:oauth/token
endpoints.reuseRefreshTokens(true);//oauth2登錄異常處理
endpoints.exceptionTranslator(new EntfrmWebResponseExceptionTranslator());//oauth2登錄異常處理
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
oauthServer
.checkTokenAccess("isAuthenticated()")
.allowFormAuthenticationForClients();//允許表單認證
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(clientDetails());
}
@Bean
public ClientDetailsService clientDetails() {
return new JdbcClientDetailsService(dataSource);//客戶端配置 使用jdbc數據庫存儲
}
}
endpoints的tokenEnhancer方法需要我們提供一個token增強器鏈對象TokenEnhancerChain,所以我們需要在鏈中加入我們重寫的TokenEnhancer和jwtAccessTokenConverter,然后放入endpoints。同時我們將客戶端配置放到了jdbc數據庫中,方便多種客戶端的擴展,這兒需要在數據庫中創建一張表oauth_client_details,表sql腳本如下:
CREATE TABLE `oauth_client_details` (
`client_id` varchar(48) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,
`resource_ids` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`client_secret` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`scope` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`authorized_grant_types` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`web_server_redirect_uri` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`authorities` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`access_token_validity` int(11) NULL DEFAULT NULL,
`refresh_token_validity` int(11) NULL DEFAULT NULL,
`additional_information` varchar(4096) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
`autoapprove` varchar(256) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
PRIMARY KEY (`client_id`) USING BTREE
) ENGINE = InnoDB CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Dynamic;
以上就是OAuth 授權服務器配置。
啟動項目 查看效果
從圖中我們可以看到返回的token中攜帶了我們加入的擴展信息license,以及授權信息。
源碼地址
下載源碼 關注我