(10) Using OAuth2

Source: Internet
Author: User
Tags: auth

If a third-party application needs to obtain a user's private data from the open platform (such as goods or orders), then for security and privacy the third-party application must first obtain the user's authorization, that is, an access token (AccessToken) that authorizes access to the user's data. To get it, the third-party application guides the user through the account's "login and authorize" process.

EasyOpen supports OAuth2 authentication starting from version 1.2.0. Integration is simple: create an Oauth2ManagerImpl class that implements the Oauth2Manager interface, and have your user class implement the OpenUser interface.

@Service
public class Oauth2ManagerImpl implements Oauth2Manager {
    ...
}

public class User implements OpenUser {
    ...
}

Because each developer manages AccessTokens differently, the Oauth2Manager has to be implemented by the developer. The Oauth2Manager interface is defined as follows:

public interface Oauth2Manager {

    /**
     * Add an auth code.
     * @param authCode code value
     * @param authUser user
     */
    void addAuthCode(String authCode, OpenUser authUser);

    /**
     * Add an access token.
     * @param accessToken token value
     * @param authUser    user
     * @param expiresIn   expiry time in seconds
     */
    void addAccessToken(String accessToken, OpenUser authUser, long expiresIn);

    /**
     * Verify that the auth code is valid.
     * @param authCode code value
     * @return false if invalid
     */
    boolean checkAuthCode(String authCode);

    /**
     * Get the user by auth code.
     * @param authCode code value
     * @return the user
     */
    OpenUser getUserByAuthCode(String authCode);

    /**
     * Get the user by access token.
     * @param accessToken token value
     * @return the user
     */
    OpenUser getUserByAccessToken(String accessToken);

    /**
     * Get the auth code / access token expiry time.
     * @return expiry time in seconds
     */
    long getExpireIn(ApiConfig apiConfig);

    /**
     * User login; needs to determine whether the user is already logged in.
     * @param request the HTTP request
     * @return the user object
     */
    OpenUser login(HttpServletRequest request) throws LoginErrorException;
}
AccessToken Acquisition Process

The first step is to get the code.

1. First visit the authorization page through a URL such as http://localhost:8080/api/authorize?client_id=test&response_type=code&redirect_uri=http%3A%2F%2flocalhost%3a8080%2foauth2callback
2. The controller first checks whether the client_id is correct; if it is wrong, the corresponding error message is returned.
3. It then determines whether the user is logged in; if not, the user is first sent to the login page to log in.
4. After a successful login, the corresponding code (the authorization code) is generated and the browser is redirected to the client address, for example http://localhost:8080/oauth2callback?code=6D250650831FEA227749F49A5B49CCAD. The client takes the code parameter (the authorization code) from the redirected address and can then exchange the authorization code for an AccessToken.
The second step is to exchange the code for an AccessToken.

1. First POST the following data to a URL such as http://localhost:8080/api/accessToken:

        code: 6d250650831fea227749f49a5b49ccad
        client_id: test
        client_secret: 123456
        grant_type: authorization_code
        redirect_uri: http://localhost:8080/api/authorize

2. The server verifies the correctness of client_id, client_secret and code; if any of them is wrong, the corresponding error is returned.
3. If validation passes, the corresponding access token (AccessToken) is generated and returned:

{
  "access_token": "01e111c0d3c8e415fea038d5c64432ef",
  "refresh_token": "d1165b75d386b3ef1bd0423b4e3bfef9",
  "token_type": "Bearer",
  "expires_in": 7200,
  "username": "admin"
}

The above two steps need to be implemented on the client side. The example project easyopen-server contains an example you can refer to: start the service, then visit http://localhost:8080/go_oauth2.

Get the AccessToken user:

// get the AccessToken user
OpenUser user = ApiContext.getAccessTokenUser();

Refresh the AccessToken with the RefreshToken

An AccessToken has an expiry time. To cope with expiry, the RefreshToken can be exchanged for a new AccessToken, which keeps subsequent interface calls convenient.

1. First POST the following data to a URL such as http://localhost:8080/api/accessToken:

        refresh_token: your RefreshToken
        client_id: test
        client_secret: 123456
        grant_type: refresh_token

2. The server verifies the correctness of client_id, client_secret and refresh_token; if any of them is wrong, the corresponding error is returned.
3. If validation passes, a new access token (AccessToken) and a new RefreshToken are generated and returned.

Return result:

{
  "access_token": "01e111c0d3c8e415fea038d5c64432ef",
  "refresh_token": "d1165b75d386b3ef1bd0423b4e3bfef9",
  "token_type": "Bearer",
  "expires_in": 7200,
  "username": "admin"
}
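The steps above say what the server must do with the code and the tokens but leave the storage to the developer. The following is an added example, not EasyOpen's own code, that models in Python the state an Oauth2Manager implementation has to keep for both the code-for-token exchange and the refresh: a single-use auth code, an access token that expires after expires_in seconds, and refresh rotation that invalidates the old pair. The CLIENTS registry, the injectable clock and the plain-dict user are constructed stand-ins.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

CLIENTS = {"test": "123456"}  # constructed registry holding the page's client_id / client_secret


@dataclass
class TokenStore:
    expires_in: int = 7200      # seconds, the "expires_in": 7200 the page's responses carry
    clock: object = time.time   # injectable so expiry can be exercised without sleeping
    auth_codes: dict = field(default_factory=dict)     # code -> (user, expiry)
    access_tokens: dict = field(default_factory=dict)  # token -> (user, expiry, refresh_token)
    refresh_tokens: dict = field(default_factory=dict) # refresh_token -> (user, access_token)

    def add_auth_code(self, code, user):
        self.auth_codes[code] = (user, self.clock() + self.expires_in)

    def check_auth_code(self, code):
        entry = self.auth_codes.get(code)
        return entry is not None and entry[1] > self.clock()

    def get_user_by_auth_code(self, code):
        entry = self.auth_codes.pop(code, None)  # single use: the code is consumed here
        return None if entry is None or entry[1] <= self.clock() else entry[0]

    def issue_tokens(self, user):
        access, refresh = secrets.token_hex(16), secrets.token_hex(16)
        self.access_tokens[access] = (user, self.clock() + self.expires_in, refresh)
        self.refresh_tokens[refresh] = (user, access)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.expires_in, "username": user["username"]}

    def get_user_by_access_token(self, token):
        entry = self.access_tokens.get(token)
        return None if entry is None or entry[1] <= self.clock() else entry[0]

    def exchange_code(self, client_id, client_secret, code):
        # Step 2 of the page: client_id, client_secret and code are all checked before tokens are issued.
        if not hmac.compare_digest(CLIENTS.get(client_id, ""), client_secret):
            return None
        user = self.get_user_by_auth_code(code)
        return None if user is None else self.issue_tokens(user)

    def refresh(self, refresh_token):
        entry = self.refresh_tokens.pop(refresh_token, None)
        if entry is None:
            return None
        self.access_tokens.pop(entry[1], None)  # the old AccessToken/RefreshToken pair is now unusable
        return self.issue_tokens(entry[0])
```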

After the new AccessToken and RefreshToken have been exchanged successfully, the old AccessToken and RefreshToken can no longer be used.

Using JWT

A description of JWT is here: What is JWT – JSON Web Token.

Previously our web app used a session to maintain the relationship between the user and the server; the principle is that a cookie string corresponds to a map held on the server.

Map<String, String> data = new HashMap<>();
data.put("id", user.getId().toString());
data.put("username", user.getUsername());

String jwt = ApiContext.createJwt(data);

This code runs when the user logs in; the JWT is then returned to the client, which saves it (an H5 client, for example, can keep it in localStorage).

The client passes the JWT like this:

method.setRequestHeader("Authorization", "Bearer " + jwt);

That is, add an Authorization header whose content is "Bearer " + jwt (note the space after Bearer).

After the client sends the request, the server reads the data from the JWT:

// get the JWT data
Map<String, Claim> jwtData = ApiContext.getJwtData();
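As an added illustration of what createJwt and getJwtData do (this is not ApiContext's implementation), the following Python mints an HS256 JWT from the id/username map and reads it back from an Authorization header value. SECRET is a constructed placeholder; the header parsing shows why the space in "Bearer " matters and rejects expired or tampered tokens.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # placeholder only; a real server keeps its key out of code


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(data, ttl=7200, now=None):
    """Turn the id/username map into an HS256-signed JWT with an exp claim."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({**data, "exp": int(now) + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def get_jwt_data(authorization, now=None):
    """Read the JWT from an "Authorization: Bearer <jwt>" header value and return its claims,
    or None if the scheme, signature or expiry check fails."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token:
        return None  # "Bearer" + jwt without the space ends up here
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        hdr = json.loads(_unb64url(header))
        claims = json.loads(_unb64url(payload))
        given = _unb64url(sig)
    except ValueError:  # bad base64, bad JSON or bad UTF-8
        return None
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not isinstance(hdr, dict) or hdr.get("alg") != "HS256" or not hmac.compare_digest(given, expected):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims
```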
