spring-security-oauth2 中 @EnableAuthorizationServer 使用数据库存储授权码,令牌等信息

前面的文章,大家可能都注意到了,有一个问题。那就是 oauth_client 和 oauth_client_secret 都是写死的。在微信和 QQ 开发者授权登录的后台,没新注册一个应用,只需要做简单的配置一下即可。如果写死了,那么新来的应用怎么办?该配置吗?不现实吧。

所以在 spring-security-oauth2 中有一个 ClientDetailsServiceConfigurer,我们可以借助它设置一个数据源。把授权码,令牌,客户端信息等存入数据库。像我们上一章中用的 InMemory,应用已重启,就无法用了。

整个代码该动非常小,只需要在 OAuthAuthorizationConfig 中重写部分方法即可。

@Configuration  
@EnableAuthorizationServer  
static class OAuthAuthorizationConfig extends AuthorizationServerConfigurerAdapter {  
    @Autowired  
    private Environment env;
    @Bean  
    public DataSource dataSource() {  
        final DriverManagerDataSource dataSource = new DriverManagerDataSource();  
        dataSource.setDriverClassName(env.getProperty("spring.datasource.driver-class-name"));  
        dataSource.setUrl(env.getProperty("spring.datasource.url"));  
        dataSource.setUsername(env.getProperty("spring.datasource.username"));  
        dataSource.setPassword(env.getProperty("spring.datasource.password"));  
        return dataSource;  
    }  
    @Bean  
    public ApprovalStore approvalStore() {  
        return new JdbcApprovalStore(dataSource());  
    }  
    @Bean  
    protected AuthorizationCodeServices authorizationCodeServices() {  
        return new JdbcAuthorizationCodeServices(dataSource());  
    }  
    @Bean  
    public TokenStore tokenStore() {  
        return new JdbcTokenStore(dataSource());  
    }  
    @Override  
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {  
        clients.jdbc(dataSource()); // oauth_client_details  
    }  
    @Override  
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {  
        endpoints.approvalStore(approvalStore()) // oauth_approvals  
         .authorizationCodeServices(authorizationCodeServices())    // oauth_code  
         .tokenStore(tokenStore()); // oauth_access_token & oauth_refresh_token  
    }  
}  

pom.xml 中引入数据库驱动配置:

<dependency>
    <groupId>mysql</groupId>
    <artifactId>mysql-connector-java</artifactId>
</dependency>
<dependency>  
    <groupId>org.springframework</groupId>  
    <artifactId>spring-jdbc</artifactId>  
</dependency>

application.yml 中的配置如下:

spring:
    datasource:
        host: 127.0.0.1
        port: 3306
        dbname: xttblog
        username: xttblog
        password: xttblog
        url: jdbc:mysql://${spring.datasource.host}:${spring.datasource.port}/${spring.datasource.dbname}?useUnicode=true&characterEncoding=UTF-8&useSSL=false
        initialSize: 1
        minIdle: 1
        maxActive: 4
        maxWait: 60000

有数据库就有数据表,这里总共涉及到 6 张表。SQL 如下:

CREATE TABLE oauth_access_token  
(  
  token_id character varying(256), -- MD5加密的access_token的值  
  token bytea, -- OAuth2AccessToken.java对象序列化后的二进制数据  
  authentication_id character varying(256), -- MD5加密过的username,client_id,scope  
  user_name character varying(256), -- 登录的用户名  
  client_id character varying(256), -- 客户端ID  
  authentication bytea, -- OAuth2Authentication.java对象序列化后的二进制数据  
  refresh_token character varying(256) -- MD5加密果的refresh_token的值  
);  
COMMENT ON COLUMN oauth_access_token.token_id IS 'MD5加密的access_token的值';  
COMMENT ON COLUMN oauth_access_token.token IS 'OAuth2AccessToken.java对象序列化后的二进制数据';  
COMMENT ON COLUMN oauth_access_token.authentication_id IS 'MD5加密过的username,client_id,scope';  
COMMENT ON COLUMN oauth_access_token.user_name IS '登录的用户名';  
COMMENT ON COLUMN oauth_access_token.client_id IS '客户端ID';  
COMMENT ON COLUMN oauth_access_token.authentication IS 'OAuth2Authentication.java对象序列化后的二进制数据';  
COMMENT ON COLUMN oauth_access_token.refresh_token IS 'MD5加密果的refresh_token的值';  
  
CREATE TABLE oauth_approvals  
(  
  userid character varying(256), -- 登录的用户名  
  clientid character varying(256), -- 客户端ID  
  scope character varying(256), -- 申请的权限  
  status character varying(10), -- 状态(Approve或Deny)  
  expiresat timestamp without time zone, -- 过期时间  
  lastmodifiedat timestamp without time zone -- 最终修改时间  
);  
COMMENT ON COLUMN oauth_approvals.userid IS '登录的用户名';  
COMMENT ON COLUMN oauth_approvals.clientid IS '客户端ID';  
COMMENT ON COLUMN oauth_approvals.scope IS '申请的权限';  
COMMENT ON COLUMN oauth_approvals.status IS '状态(Approve或Deny)';  
COMMENT ON COLUMN oauth_approvals.expiresat IS '过期时间';  
COMMENT ON COLUMN oauth_approvals.lastmodifiedat IS '最终修改时间';  
  
CREATE TABLE oauth_client_details  
(  
  client_id character varying(256) NOT NULL, -- 客户端ID  
  resource_ids character varying(256), -- 资源ID集合,多个资源时用逗号(,)分隔  
  client_secret character varying(256), -- 客户端密匙  
  scope character varying(256), -- 客户端申请的权限范围  
  authorized_grant_types character varying(256), -- 客户端支持的grant_type  
  web_server_redirect_uri character varying(256), -- 重定向URI  
  authorities character varying(256), -- 客户端所拥有的Spring Security的权限值,多个用逗号(,)分隔  
  access_token_validity integer, -- 访问令牌有效时间值(单位:秒)  
  refresh_token_validity integer, -- 更新令牌有效时间值(单位:秒)  
  additional_information character varying(4096), -- 预留字段  
  autoapprove character varying(256), -- 用户是否自动Approval操作  
  CONSTRAINT oauth_client_details_pkey PRIMARY KEY (client_id)  
);  
COMMENT ON COLUMN oauth_client_details.client_id IS '客户端ID';  
COMMENT ON COLUMN oauth_client_details.resource_ids IS '资源ID集合,多个资源时用逗号(,)分隔';  
COMMENT ON COLUMN oauth_client_details.client_secret IS '客户端密匙';  
COMMENT ON COLUMN oauth_client_details.scope IS '客户端申请的权限范围';  
COMMENT ON COLUMN oauth_client_details.authorized_grant_types IS '客户端支持的grant_type';  
COMMENT ON COLUMN oauth_client_details.web_server_redirect_uri IS '重定向URI';  
COMMENT ON COLUMN oauth_client_details.authorities IS '客户端所拥有的Spring Security的权限值,多个用逗号(,)分隔';  
COMMENT ON COLUMN oauth_client_details.access_token_validity IS '访问令牌有效时间值(单位:秒)';  
COMMENT ON COLUMN oauth_client_details.refresh_token_validity IS '更新令牌有效时间值(单位:秒)';  
COMMENT ON COLUMN oauth_client_details.additional_information IS '预留字段';  
COMMENT ON COLUMN oauth_client_details.autoapprove IS '用户是否自动Approval操作';  
  
CREATE TABLE oauth_client_token  
(  
  token_id character varying(256), -- MD5加密的access_token值  
  token bytea, -- OAuth2AccessToken.java对象序列化后的二进制数据  
  authentication_id character varying(256), -- MD5加密过的username,client_id,scope  
  user_name character varying(256), -- 登录的用户名  
  client_id character varying(256) -- 客户端ID  
);  
COMMENT ON COLUMN oauth_client_token.token_id IS 'MD5加密的access_token值';  
COMMENT ON COLUMN oauth_client_token.token IS 'OAuth2AccessToken.java对象序列化后的二进制数据';  
COMMENT ON COLUMN oauth_client_token.authentication_id IS 'MD5加密过的username,client_id,scope';  
COMMENT ON COLUMN oauth_client_token.user_name IS '登录的用户名';  
COMMENT ON COLUMN oauth_client_token.client_id IS '客户端ID';  
  
CREATE TABLE oauth_code  
(  
  code character varying(256), -- 授权码(未加密)  
  authentication bytea -- AuthorizationRequestHolder.java对象序列化后的二进制数据  
);  
COMMENT ON COLUMN oauth_code.code IS '授权码(未加密)';  
COMMENT ON COLUMN oauth_code.authentication IS 'AuthorizationRequestHolder.java对象序列化后的二进制数据';  
  
CREATE TABLE oauth_refresh_token  
(  
  token_id character varying(256), -- MD5加密过的refresh_token的值  
  token bytea, -- OAuth2RefreshToken.java对象序列化后的二进制数据  
  authentication bytea -- OAuth2Authentication.java对象序列化后的二进制数据  
);  
COMMENT ON COLUMN oauth_refresh_token.token_id IS 'MD5加密过的refresh_token的值';  
COMMENT ON COLUMN oauth_refresh_token.token IS 'OAuth2RefreshToken.java对象序列化后的二进制数据';  
COMMENT ON COLUMN oauth_refresh_token.authentication IS 'OAuth2Authentication.java对象序列化后的二进制数据';  

解释如下:

  • oauth_access_token:访问令牌
  • oauth_refresh_token:更新令牌
  • oauth_client_details:客户端信息
  • oauth_code:授权码
  • oauth_approvals:授权记录
  • oauth_client_token:这张表比较特殊,不用于 Provider,是客户端用的

我们先手动插入一条数据,就可以测试我们的授权功能了。

INSERT INTO oauth_client_details(client_id, resource_ids, client_secret, scope, authorized_grant_types, web_server_redirect_uri, authorities, access_token_validity, refresh_token_validity, additional_information, autoapprove)  
    VALUES ('oauth_client', null, 'oauth_client_secret', 'read,write', 'authorization_code,refresh_token', 'http://www.xttblog.com', 'ROLE_USER', 1800, 86400, null, false);

参考资料

  • https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/test/resources/schema.sql

spring-security-oauth2 中 @EnableAuthorizationServer 使用数据库存储授权码,令牌等信息

: » spring-security-oauth2 中 @EnableAuthorizationServer 使用数据库存储授权码,令牌等信息

原创文章,作者:carmelaweatherly,如若转载,请注明出处:https://blog.ytso.com/252762.html

(0)
上一篇 2022年5月4日
下一篇 2022年5月4日

相关推荐

发表回复

登录后才能评论