Original address: http://my.oschina.net/sayi/blog/200278
Contents
- OAuth Support
- Some background on access
- Step 1. Apply configuration to get client_id and client_secret
- Step 2. OAuth client constructs URL, gets authorization_code
- Step 3. Exchange authorization code for access_token
- Step 4. Get user information based on access_token
- Summary
OAuth Support
CAS 3.5.x provides OAuth support on both the client and the server side. The cas-server-support-oauth module depends on the following jars:
scribe-1.3.5.jar
scribe-up-1.2.0.jar
jackson-core-2.3.0.jar, jackson-databind-2.3.0.jar
CAS provides three services by default:
/oauth2.0/authorize
Required GET parameters: client_id and redirect_uri.
/oauth2.0/accessToken
Required GET parameters: client_id, redirect_uri, client_secret and code.
/oauth2.0/profile
Required GET parameter: access_token.
Some background on access
1. The CAS web login path is https://cas.sayi.com:8443/cas/login
2. The callback address is http://www.doubannote.org/ (a fictitious address that does not actually exist)
3. client_id is "key"
4. client_secret is "secret"
5. The application name is DoubanNote
6. The core class is org.jasig.cas.support.oauth.web.OAuth20WrapperController
The following configures the CAS server as an OAuth2 server. We analyze the configuration step by step, following the order in which an OAuth2 client accesses CAS:
Step 1. Apply configuration to get client_id and client_secret
In a mature system a page is usually provided where a user applies for an application; the user is then issued a client_id and client_secret and is allowed to configure a callback address. So the first thing the OAuth server side (that is, the CAS server) has to consider is persisting these configurations. By default the application services are configured in the serviceRegistryDao bean of deployerConfigContext.xml; in a real deployment the application information can be stored in a database instead:
```xml
<bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
    <property name="registeredServices">
        <list>
            <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                <property name="id" value="1" />
                <property name="name" value="HTTP" />
                <property name="description" value="oauth wrapper callback url" />
                <property name="serviceId" value="${server.prefix}/oauth2.0/callbackAuthorize" />
            </bean>
            <bean class="org.jasig.cas.services.RegisteredServiceImpl">
                <property name="id" value="2" />
                <property name="name" value="key" />
                <property name="description" value="secret" />
                <property name="serviceId" value="http://www.doubannote.org/" />
                <property name="theme" value="DoubanNote" />
            </bean>
            ......
```
As the configuration shows, we registered two new beans. The application is configured in the second bean: name is the client_id, description is the client_secret, serviceId is the callback address and theme is the application name.
The purpose of the first bean is explained below. ("I finally figured out why it is like this: the server obtains the ST indirectly.")
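To make the server-side meaning of those four properties concrete, here is a small model of the registry and of the checks that /oauth2.0/authorize and /oauth2.0/accessToken perform against it. This is an added example, not CAS code: the dataclass mirrors the RegisteredServiceImpl properties shown above (name = client_id, description = client_secret, serviceId = callback address, theme = application name), the registry entries are constructed from the two beans on the page, and the exact-match rule for redirect_uri is this example's own assumption (the page only states that the callback address is checked).

```python
"""Model of the CAS 3.5.x OAuth2 service registry from Step 1 (added example)."""
import hmac
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RegisteredService:
    id: int
    name: str          # doubles as client_id
    description: str   # doubles as client_secret (stored in plain text)
    service_id: str    # registered callback (redirect) URL
    theme: str = ""    # application name


# Constructed registry mirroring the two beans in deployerConfigContext.xml.
REGISTRY = [
    RegisteredService(1, "HTTP", "oauth wrapper callback url",
                      "${server.prefix}/oauth2.0/callbackAuthorize"),
    RegisteredService(2, "key", "secret", "http://www.doubannote.org/", "DoubanNote"),
]


def find_by_client_id(client_id: str) -> Optional[RegisteredService]:
    """The name property is the client_id, so lookup is by name."""
    for svc in REGISTRY:
        if svc.name == client_id:
            return svc
    return None


def redirect_uri_allowed(svc: RegisteredService, redirect_uri: str) -> bool:
    """Assumption of this example: redirect_uri must match the registered
    serviceId exactly in scheme, host, port and path, and carry no query or
    fragment. A looser (prefix or regex) rule would let a caller steer the
    code to a URL the application owner never registered."""
    want, got = urlsplit(svc.service_id), urlsplit(redirect_uri)
    same_target = (want.scheme, want.netloc, want.path) == (got.scheme, got.netloc, got.path)
    return same_target and got.query == "" and got.fragment == ""


def check_authorize(client_id: str, redirect_uri: str) -> bool:
    """/oauth2.0/authorize only sees client_id and redirect_uri."""
    svc = find_by_client_id(client_id)
    return svc is not None and redirect_uri_allowed(svc, redirect_uri)


def check_access_token(client_id: str, client_secret: str,
                       redirect_uri: str, code: str) -> bool:
    """/oauth2.0/accessToken additionally verifies client_secret (the
    description property) and needs the code, which on this server is the
    ST issued in Step 2."""
    svc = find_by_client_id(client_id)
    if svc is None or not redirect_uri_allowed(svc, redirect_uri):
        return False
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the secret were right.
    if not hmac.compare_digest(svc.description.encode(), client_secret.encode()):
        return False
    # Format sanity check only; the real server validates the ST in the ticket registry.
    return code.startswith("ST-")
```

Because description is both a free-text field and the shared secret, anything that lists registered services (an admin page, a log line, a database dump) exposes every client_secret; a database-backed registry is the place to hash or at least segregate that column.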
Step 2. OAuth client constructs URL, gets authorization_code
Typically the client constructs the URL as follows (the parameters follow the standard OAuth2 protocol, but different OAuth servers usually add conventions of their own):
```
https://cas.sayi.com:8443/cas/oauth2.0/authorize?client_id=key&redirect_uri=http://www.doubannote.org/&response_type=code
```
For the CAS server to process the /oauth2.0/authorize URL, the servlet mapping must be configured in web.xml as follows:
```xml
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/oauth2.0/*</url-pattern>
</servlet-mapping>
```
Then configure the handler mapping in cas-servlet.xml:
```xml
<prop key="/oauth2.0/*">oauth20WrapperController</prop>
...
...
<bean id="oauth20WrapperController"
      class="org.jasig.cas.support.oauth.web.OAuth20WrapperController"
      p:loginUrl="${server.prefix}/login" p:servicesManager-ref="servicesManager"
      p:ticketRegistry-ref="ticketRegistry" p:timeout="7200" />
```
Once this is configured, the request for the authorization code is redirected to the login page, where the service parameter is the serviceId of the first bean configured in Step 1; the authorization code is obtained indirectly through this default-provided address.
```
https://cas.sayi.com:8443/cas/login?service=https%3A%2F%2Fcas.sayi.com%3A8443%2Fcas%2Foauth2.0%2FcallbackAuthorize
```
After successful authentication, CAS redirects to the callbackAuthorize page with the ST carried in the ticket parameter. The resulting ST is the authorization code; the callback address and service name are passed through the session.
```
https://cas.sayi.com:8443/cas/oauth2.0/callbackAuthorize?ticket=ST-5-ywMLFaXQFnDeFI7erFy7-cas.sayi.com
```
By default the authorization code can only be used once and is valid for 10 s; this can be changed through the ticket expiration policy.
Step 3. Exchange authorization code for access_token
The URL is constructed as follows:
```
https://cas.sayi.com:8443/cas/oauth2.0/accessToken?client_id=key&client_secret=secret&grant_type=authorization_code&redirect_uri=http://www.doubannote.org/&code=ST-1-3jLuZnhcAvLiLdy7R6ft-cas.sayi.com
```
The response body looks like this:
```
access_token=TGT-2-qWkLyEbeoby043q05p5GHXfBg7qtdPZjEUhfemgg3UKbxAyB5s-cas.sayi.com&expires=7143
```
The access_token is read from the returned value.
Step 4. Get user information based on access_token
Construct the URL as follows:
```
https://cas.sayi.com:8443/cas/oauth2.0/profile?access_token=TGT-1-gn3p9EMfFEajKOJ9DdNqd2PefJdIbIeXuESyzU4EctMtBqITRG-cas.sayi.com
```
The response is the user's profile as JSON:
```json
{
    "id": "sayi",
    "attributes": [
        {"uid": "uid"},
        {"eduPersonAffiliation": "eduPersonAffiliation"},
        {"groupMembership": "groupMembership"}
    ]
}
```
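Steps 2 to 4 together form one client-side procedure, so here is the whole exchange as a single added example (not code from the page, nor from CAS or scribe-up). It builds the authorize URL, takes the code from the callback, exchanges it at /oauth2.0/accessToken, and fetches /oauth2.0/profile. The HTTP transport is a function parameter, and a constructed fake of the three CAS endpoints returns bodies shaped exactly like the ones shown above, so the flow runs offline. Two assumptions are this example's own: that CAS delivers the ST to the application's callback as a standard code query parameter, and the exact client_id/client_secret/redirect_uri checks the fake performs.

```python
"""Client side of the CAS 3.5.x OAuth2 flow from Steps 2-4 (added example)."""
import json
from typing import Callable, Dict
from urllib.parse import parse_qs, urlencode, urlsplit

CAS = "https://cas.sayi.com:8443/cas"
CLIENT_ID, CLIENT_SECRET = "key", "secret"
REDIRECT_URI = "http://www.doubannote.org/"

# Transport: GET a URL, return the response body as text.
Transport = Callable[[str], str]


def build_authorize_url(client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI) -> str:
    """Step 2: the URL the browser is sent to."""
    return CAS + "/oauth2.0/authorize?" + urlencode(
        {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code"})


def code_from_callback(callback_url: str) -> str:
    """Assumption: the ST arrives at the callback as a ?code= parameter.
    Accept exactly one ST-prefixed value, since the page says the code is the
    service ticket; anything else (duplicated parameter, a TGT pasted in) is rejected."""
    codes = parse_qs(urlsplit(callback_url).query).get("code", [])
    if len(codes) != 1 or not codes[0].startswith("ST-"):
        raise ValueError("callback did not carry exactly one ST-style code")
    return codes[0]


def exchange_code(code: str, get: Transport) -> Dict[str, object]:
    """Step 3. The body is form-encoded (access_token=...&expires=...), not the
    JSON object RFC 6749 specifies, so it is parsed with parse_qs."""
    url = CAS + "/oauth2.0/accessToken?" + urlencode({
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI, "code": code})
    body = parse_qs(get(url))
    if "access_token" not in body:
        raise ValueError("no access_token in response: %r" % body)
    return {"access_token": body["access_token"][0],
            "expires": int(body.get("expires", ["0"])[0])}


def fetch_profile(access_token: str, get: Transport) -> Dict[str, object]:
    """Step 4. Flattens the list of single-key attribute objects into one dict."""
    raw = json.loads(get(CAS + "/oauth2.0/profile?" + urlencode({"access_token": access_token})))
    if "id" not in raw:
        raise ValueError("profile response lacks id: %r" % raw)
    attrs: Dict[str, object] = {}
    for item in raw.get("attributes", []):
        attrs.update(item)
    return {"id": raw["id"], "attributes": attrs}


def run_flow(callback_url: str, get: Transport) -> Dict[str, object]:
    token = exchange_code(code_from_callback(callback_url), get)
    profile = fetch_profile(str(token["access_token"]), get)
    return {"token": token, "profile": profile}


# --- Constructed fake of the three CAS endpoints, for offline use only. ---
FAKE_CODE = "ST-1-3jLuZnhcAvLiLdy7R6ft-cas.sayi.com"
FAKE_TOKEN = "TGT-2-qWkLyEbeoby043q05p5GHXfBg7qtdPZjEUhfemgg3UKbxAyB5s-cas.sayi.com"
FAKE_PROFILE = {"id": "sayi", "attributes": [
    {"uid": "uid"}, {"eduPersonAffiliation": "eduPersonAffiliation"},
    {"groupMembership": "groupMembership"}]}


def fake_cas(url: str) -> str:
    """Answers like the page's server: checks client_id, client_secret,
    redirect_uri and code before handing out the token (assumed checks)."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if parts.path.endswith("/oauth2.0/accessToken"):
        ok = (q.get("client_id") == [CLIENT_ID] and q.get("client_secret") == [CLIENT_SECRET]
              and q.get("redirect_uri") == [REDIRECT_URI] and q.get("code") == [FAKE_CODE])
        return "access_token=%s&expires=7143" % FAKE_TOKEN if ok else "error=invalid_request"
    if parts.path.endswith("/oauth2.0/profile"):
        return json.dumps(FAKE_PROFILE) if q.get("access_token") == [FAKE_TOKEN] else "{}"
    raise ValueError("unexpected path " + parts.path)


if __name__ == "__main__":
    print(build_authorize_url())
    print(run_flow(REDIRECT_URI + "?code=" + FAKE_CODE, fake_cas))
```

Two things the flow makes visible: the access_token is literally a TGT, so the client holds a credential that can obtain service tickets for any CAS service, not just a profile read; and both the secret and the token travel as GET query parameters, which typically end up in web-server and proxy access logs, so those logs need the same protection as the secret itself.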
Summary
CAS server support for acting as an OAuth2 server comes down to handling the /authorize, /accessToken and /profile requests: after the application is configured on the server, each access is checked against that configuration (callback address, client_secret and so on). The integration with the CAS server is mainly the integration of CAS authentication with /authorize. This is done through callbackAuthorize: CAS provides the service address /oauth2.0/callbackAuthorize by default, and after successful CAS authentication an ST is generated for this address; that value is the authorization code, which is passed on to the application's callback address.
Overall, OAuth2 support in CAS 3.5.x is not complete, and the OAuth2 implementation is not standard; for the 3.5.x versions we need to extend OAuth20WrapperController to integrate the OAuth2 protocol further.
CAS 3.5.x (x>1) supports acting as an OAuth2 server.