Spring Cloud Cloud architecture-SSO Single Sign-on OAuth2.0 login authentication (1)

Source: Internet
Author: User
Tags: oauth, server, port

Today we take notes on integrating OAuth2.0. First, some basic knowledge about OAuth2.0 gathered from the Internet, to help you review the key points:

First, the roles in OAuth

Client: the application that invokes the resource server's API

OAuth 2.0 Provider: includes the authorization server and the resource server

(1) Authorization Server: the authentication server, which performs authentication and authorization

(2) Resource Server: the resource server, which guards the protected resources

User: the owner of the resource

Second, details of the OAuth 2.0 Provider's authorization server:

(1) AuthorizationEndpoint: the service that performs authorization, default URL: /oauth/authorize

(2) TokenEndpoint: the service that issues tokens, default URL: /oauth/token

Resource Server:

OAuth2AuthenticationProcessingFilter: loads the authentication for requests that carry an access token

Third, a detailed introduction to the authorization server:

In general, create two configuration classes, one extending AuthorizationServerConfigurerAdapter and one extending WebSecurityConfigurerAdapter, and then override the methods inside them.

There are two main kinds of annotations:

1. @EnableAuthorizationServer: declares an authorization server. With this annotation, the following endpoints are generated automatically after the application starts. (Note: implementing an authorization server is in fact this simple; one annotation takes care of it. Of course, real production use requires some configuration and overriding work.)

/oauth/authorize: authorization

/oauth/token: obtain a token

/oauth/confirm_access: user approval

/oauth/error: authentication failed

/oauth/check_token: used by the resource server to verify tokens

/oauth/token_key: in JWT mode, used to fetch the public key from the authorization server

These endpoints are in the endpoint package of the source code.

2. @Bean: needs to implement AuthorizationServerConfigurer

AuthorizationServerConfigurer consists of three configurers:

ClientDetailsServiceConfigurer: configures client information, including clientId, secret, scope, authorizedGrantTypes and authorities

(1) scope: indicates the scope of the permission; optional, chosen by the user on the authorization page

(2) authorizedGrantTypes: there are four ways of authorizing

    • Authorization Code: authenticate to get a code, then exchange the code for a token (the most common and the safest way)
    • Implicit: implicit grant mode
    • Client Credentials (used to get an application access token)
    • Resource Owner Password Credentials

(3) authorities: the permissions granted to the client

There are many concrete implementations here: in-memory, JdbcClientDetailsService, JWT and so on.

AuthorizationServerSecurityConfigurer: declares security constraints, i.e. which access is allowed and which is not

AuthorizationServerEndpointsConfigurer: declares the authorization and token endpoints and the configuration of the token service, such as which storage method is used, token expiry, etc.

Reading client information: configured in ClientDetailsServiceConfigurer; in-memory, JDBC and other reading methods are available.

JDBC requires the JdbcClientDetailsService class, which needs to be given the appropriate DataSource.

Here's a look at how tokens are managed:

AuthorizationServerTokenServices interface: declares the necessary operations on tokens

(1) When a token is created, it is saved so that subsequent resource requests presenting the access token can reference it.

(2) The access token is used to load the authentication

There are many implementations of this interface; DefaultTokenServices is the default one, which uses the default InMemoryTokenStore and does not persist tokens.

Tokens can be stored in three different ways:

(1) InMemoryTokenStore: stored in memory, not persisted

(2) JdbcTokenStore: stored in the database

(3) JWT: JSON Web Token

Grant types:

Can be configured via AuthorizationServerEndpointsConfigurer, which by default supports all grant types except password. Some classes related to grant types:

(1) AuthenticationManager: injecting an AuthenticationManager automatically enables the password grant type

(2) UserDetailsService: if a UserDetailsService is injected, the refresh_token grant type uses it to determine whether the user is still active

(3) AuthorizationCodeServices: an AuthorizationCodeServices instance, the service for the authorization code grant type

(4) ImplicitGrantService: implicit grant

(5) TokenGranter:

Configuration of the endpoint URLs:

(1) The pathMapping() method of AuthorizationServerEndpointsConfigurer takes two parameters: the first is the default URL path, the second is the custom path

(2) A WebSecurityConfigurer instance lets you configure which paths do not need to be protected and which do. By default everything is protected.
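The sections above on client registration, token storage, grant types and endpoint security come together in one AuthorizationServerConfigurerAdapter. The following is an added example, not code from the original post: it assumes a PasswordEncoder bean and a separate WebSecurityConfigurerAdapter for user login exist, the client secret is a constructed placeholder, and the custom confirm_access path is made up.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder;

    public AuthorizationServerConfig(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    // Client registration (in-memory). The secret is a constructed placeholder; it is stored hashed,
    // so a leaked client table does not expose usable credentials.
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("client")
            .secret(passwordEncoder.encode("client-secret-placeholder"))
            .scopes("app")
            .authorizedGrantTypes("authorization_code")   // code flow only; implicit and password grants stay off
            .redirectUris("http://www.baidu.com")         // redirect_uri in requests must match this exactly
            .authorities("ROLE_CLIENT")
            .accessTokenValiditySeconds(3600);
    }

    // Endpoint wiring: token store (in-memory, not persisted; JdbcTokenStore(dataSource) for a shared DB)
    // and a custom path for the authorization (confirm_access) page, as pathMapping() allows.
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.tokenStore(new InMemoryTokenStore())
            .pathMapping("/oauth/confirm_access", "/custom/confirm_access");
    }

    // Security constraints: /oauth/token_key is public, /oauth/check_token needs an authenticated client.
    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()");
    }
}
```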

Custom UI:

(1) Sometimes we may need to customize the login page and the authorization page. For the login page, just create a page whose name starts with login, set it to be accessible in the code, and the system will automatically use your login page. Note that the form action on this login page must post to the authentication address.

(2) The other is the authorization page, where the user ticks the options. This page can follow the implementation in the source code: generate a controller class, then create the corresponding web page to achieve the custom function.

Here's a look at the authorization flow for obtaining a token:

(1) Replace the port number with your own authorization server's port, replace client_id with your own, and use response_type=code:

http://localhost:8080/uaa/oauth/authorize?client_id=client&response_type=code&redirect_uri=http://www.baidu.com

(2) You will be redirected with a code value: http://www.baidu.com/?code=G0C20Z

(3) Use this code to obtain the final token (the client authenticates with HTTP basic auth as client_id:secret; <client-secret> stands for your client's secret):

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=authorization_code&code=G0C20Z&redirect_uri=http://www.baidu.com' "http://client:<client-secret>@localhost:8080/uaa/oauth/token"

Return value:

{"access_token": "b251b453-cc08-4520-9dd0-9aedf58e6ca3", "token_type": "bearer", "expires_in": 2591324, "scope": "app"}

(4) Use this token to call the resource server (if the resource server and the authorization server are in the same application, the resource server resolves the token itself; if not, you have to handle that yourself):

curl -H "Authorization: Bearer b251b453-cc08-4520-9dd0-9aedf58e6ca3" "http://localhost:8081/service2"   (put your own URL here)

Fourth, the resource server: protects resources, which require a token to access

Add the @EnableResourceServer annotation on a configuration class to enable it. Configure it with ResourceServerConfigurer:

(1) tokenServices: a ResourceServerTokenServices instance, declaring the token service

(2) resourceId: the resource ID, verified by the authorization server.

(3) Other extension points, such as a TokenExtractor that can extract the token from a request

(4) Custom resource protection rules, set via HttpSecurity

There are two ways to use tokens:

(1) Bearer token (transmitted over HTTPS to secure the transport): mainstream

(2) MAC (HTTP + signature)

How do I access the APIs in the resource server?

If the resource server and the authorization server are in the same application and you use DefaultTokenServices, you do not have to think about this, because it implements all the necessary interfaces and is automatically consistent. If your resource server is a separate application, you must make sure it matches the capabilities of the authorization server and provide a ResourceServerTokenServices that knows how to decode the token correctly. As with the authorization server, you can often use DefaultTokenServices, and most of the options are expressed through the TokenStore (back-end storage or local encoding).

(1) When validating tokens in a request, use RemoteTokenServices to call /oauth/check_token on the authorization server.

(2) Share the database: use JDBC to store and verify tokens, avoiding a call to the authorization server.

(3) Use JWT signing: the resource server verifies the token itself, with no intermediary.
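Option (1) above, a separate resource server validating tokens remotely, as an added example that is not part of the original post. It assumes the authorization server runs at the page's localhost:8080/uaa, that /oauth/check_token requires client authentication, and uses a constructed resourceId "service2" and a client secret supplied from configuration.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Auth server address built from the page's port 8080 and /uaa context; the secret comes from configuration.
    @Value("${uaa.check-token-url:http://localhost:8080/uaa/oauth/check_token}")
    private String checkTokenUrl;
    @Value("${uaa.client-id:client}")
    private String clientId;
    @Value("${uaa.client-secret}")
    private String clientSecret;

    // Option (1): every bearer token is validated remotely at /oauth/check_token on the auth server,
    // authenticating with the client credentials that the auth server's checkTokenAccess rule requires.
    @Bean
    public ResourceServerTokenServices tokenServices() {
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl(checkTokenUrl);
        services.setClientId(clientId);
        services.setClientSecret(clientSecret);
        return services;
    }

    // resourceId: a token issued for other resource ids (aud) is rejected here even if otherwise valid.
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId("service2").tokenServices(tokenServices());
    }

    // Protection rules via HttpSecurity: /service2/** requires the "app" scope carried by the token itself.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/service2/**").access("#oauth2.hasScope('app')")
            .anyRequest().authenticated();
    }
}
```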

Fifth, the OAuth client

After the client obtains the token and wants to call a downstream service API, RestTemplate can be used so that the token is passed along; then use RestTemplate to invoke the API.
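An added example (not from the original post) of the client side: an OAuth2RestTemplate wired with @EnableOAuth2Client, which runs the authorization code flow and then attaches the token as a Bearer header on calls to the downstream service. The client id, scope and URLs match the flow above; the secret is a constructed placeholder.

```java
import java.util.Collections;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.OAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.web.client.RestOperations;

@Configuration
@EnableOAuth2Client
public class OAuthClientConfig {

    // Registration of this client at the authorization server; the secret is a constructed placeholder
    // and in real deployments must come from configuration, not source code.
    @Bean
    public AuthorizationCodeResourceDetails uaaClient() {
        AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
        details.setClientId("client");
        details.setClientSecret("client-secret-placeholder");
        details.setUserAuthorizationUri("http://localhost:8080/uaa/oauth/authorize");
        details.setAccessTokenUri("http://localhost:8080/uaa/oauth/token");
        details.setScope(Collections.singletonList("app"));
        return details;
    }

    // OAuth2RestTemplate runs the code flow on first use (the session-scoped OAuth2ClientContext
    // supplied by @EnableOAuth2Client holds the token) and then sends
    // "Authorization: Bearer <token>" on every downstream call, so the caller never handles the token.
    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ClientContext clientContext) {
        return new OAuth2RestTemplate(uaaClient(), clientContext);
    }

    // Calling the downstream API of step (4) above through the template; the token is added automatically.
    public static String callService2(RestOperations template) {
        return template.getForObject("http://localhost:8081/service2", String.class);
    }
}
```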

Note:

The difference between scopes and authorities:

Scopes are client permissions; the client must be granted at least one scope, otherwise an error is raised.

Authorities are user permissions.

The above is a good blog post I found on the Internet; I hope it helps you quickly understand OAuth2.0. In the next article we formally introduce the use of OAuth2.0 in the current framework.

From now on, I will be documenting the process and essence of the recent development of the Spring Cloud microservice cloud architecture, to help more friends who are interested in developing with the Spring Cloud framework explore how to build a Spring Cloud architecture and how to use it in enterprise projects.
