概述
大家都知道在 oauth2 认证体系中有四种授权模式:
- 授权码模式(authorization code)
- 简化模式(implicit)
- 客户端模式(client credentials)
- 密码模式(password)
那么如何新增一个自定义的授权模式,比如像下面这样根据手机号和短信验证码进行登录呢?
要自定义授权模式我们得先了解下 oauth2.0 的整体认证过程,认证入口在 org.springframework.security.oauth2.provider.endpoint.TokenEndpoint#postAccessToken 方法中
@RequestMapping(
value = {"/oauth/token"},
method = {RequestMethod.POST}
)
public ResponseEntity<OAuth2AccessToken> postAccessToken(Principal principal, @RequestParam Map<String, String> parameters) throws HttpRequestMethodNotSupportedException {
...
}
通过阅读源码可以梳理出核心认证逻辑代码的执行顺序(password 模式):
核心源码解读
TokenEndpoint#postAccessToken(...)主入口
OAuth2AccessToken token =
getTokenGranter().grant(tokenRequest.getGrantType(),
tokenRequest);
CompositeTokenGranter#grant(String grantType,TokenRequest tokenRequest )负责从所有的 TokenGranter 中根据授权类型找到具体的 TokenGranter
public class CompositeTokenGranter implements TokenGranter {
private final List<TokenGranter> tokenGranters;
...
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
for (TokenGranter granter : tokenGranters) {
OAuth2AccessToken grant = granter.grant(grantType, tokenRequest);
if (grant!=null) {
return grant;
}
}
return null;
}
...
}
那么这里的 tokenGranters 又是从哪来的呢?答案是 oauth2 认证服务器端点配置类 AuthorizationServerEndpointsConfigurer
public final class AuthorizationServerEndpointsConfigurer {
...
private TokenGranter tokenGranter;
public TokenGranter getTokenGranter() {
return tokenGranter();
}
//默认的四种授权模式+Refresh令牌模式
private List<TokenGranter> getDefaultTokenGranters() {
ClientDetailsService clientDetails = clientDetailsService();
AuthorizationServerTokenServices tokenServices = tokenServices();
AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
OAuth2RequestFactory requestFactory = requestFactory();
List<TokenGranter> tokenGranters = new ArrayList<TokenGranter>();
tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetails,
requestFactory));
tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetails, requestFactory));
ImplicitTokenGranter implicit = new ImplicitTokenGranter(tokenServices, clientDetails, requestFactory);
tokenGranters.add(implicit);
tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetails, requestFactory));
if (authenticationManager != null) {
tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices,
clientDetails, requestFactory));
}
return tokenGranters;
}
private TokenGranter tokenGranter() {
if (tokenGranter == null) {
tokenGranter = new TokenGranter() {
private CompositeTokenGranter delegate;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if (delegate == null) {
delegate = new CompositeTokenGranter(getDefaultTokenGranters());
}
return delegate.grant(grantType, tokenRequest);
}
};
}
return tokenGranter;
}
...
}
可以看到 Spring 已经把把默认的四种授权模式 + 刷新令牌的模式的配置在代码中写死了,那么如何让 Spring 能识别我们自定义的授权模式呢?
我们可以通过配置类覆盖 TokenGranter,在里面注入我们自定义的授权模式!
ProviderManager#authenticate(Authentication authentication)
这个类是提供了认证的实现逻辑和流程,他负责从所有的 AuthenticationProvider 中找出具体的 Provider 进行认证
public class ProviderManager implements AuthenticationManager, MessageSourceAware,
InitializingBean {
...
public Authentication authenticate(Authentication authentication)
throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
//遍历所有的providers使用supports方法判断该provider是否支持当前的认证类型
for (AuthenticationProvider provider : getProviders()) {
if (!provider.supports(toTest)) {
continue;
}
try {
//找到具体的provider进行认证
result = provider.authenticate(authentication);
if (result != null) {
copyDetails(authentication, result);
break;
}
}
catch (AccountStatusException | InternalAuthenticationServiceException e) {
prepareException(e, authentication);
throw e;
} catch (AuthenticationException e) {
lastException = e;
}
}
throw lastException;
}
...
}
代码实现(核心代码)
使用手机号登录时先在表单中输入正确的手机号码,请求后端获取验证码。(此时后台服务一般会将手机号码和验证码进行关联,并设置一个较短时间的有效期)
手机获取到验证码后将其输入到表单中即可登录,后端框架将手机号与用户进行关联认证。
短信验证需要两个基础表单数据:手机号码,短信验证码。
本文并没有实现表单登录方式,是使用 postman 的方式进行认证。使用上图只是让大家对短信认证过程有个印象。
SmsCodeAuthenticationToken
/**
* <p>
* <code>SmsAuthenticationToken</code>
* </p>
* Description:
* 实现手机号登录,参考org.springframework.security.authentication.UsernamePasswordAuthenticationToken
* @author javadaily
* @date 2020/7/13 8:44
*/
public class SmsCodeAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = 520L;
/**
* 账号主体信息,手机号验证码登录体系中代表 手机号码
*/
private final Object principal;
/**
* 构建未授权的 SmsCodeAuthenticationToken
* @param mobile 手机号码
*/
public SmsCodeAuthenticationToken(String mobile) {
super(null);
this.principal = mobile;
setAuthenticated(false);
}
/**
* 构建已经授权的 SmsCodeAuthenticationToken
*/
public SmsCodeAuthenticationToken(Object principal, Collection<? extends GrantedAuthority> authorities){
super(authorities);
this.principal = principal;
super.setAuthenticated(true);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void setAuthenticated(boolean isAuthenticated) {
if(isAuthenticated){
throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}else{
super.setAuthenticated(false);
}
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}
SmsCodeAuthenticationProvider
/**
* Description:
* 短信登陆鉴权 Provider,要求实现 AuthenticationProvider 接口
* @author javadaily
* @date 2020/7/13 13:07
*/
@Log4j2
public class SmsCodeAuthenticationProvider implements AuthenticationProvider{
private IUserService userService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
SmsCodeAuthenticationToken smsCodeAuthenticationToken = (SmsCodeAuthenticationToken) authentication;
userService = SpringContextHolder.getBean(IUserService.class);
String mobile = (String) smsCodeAuthenticationToken.getPrincipal();
//校验手机号验证码
checkSmsCode(mobile);
User user = userService.getUserByMobile(mobile);
if(null == user){
throw new BadCredentialsException("Invalid mobile!");
}
//授权通过
UserDetails userDetails = buildUserDetails(user);
return new SmsCodeAuthenticationToken(userDetails, userDetails.getAuthorities());
}
/**
* 构建用户认证信息
* @param user 用户对象
* @return UserDetails
*/
private UserDetails buildUserDetails(User user) {
return new org.springframework.security.core.userdetails.User(
user.getUsername(),
user.getPassword(),
AuthorityUtils.createAuthorityList("ADMIN")) ;
}
/**
* 校验手机号与验证码的绑定关系是否正确
* todo 需要根据业务逻辑自行处理
* @author javadaily
* @date 2020/7/23 17:31
* @param mobile 手机号码
*/
private void checkSmsCode(String mobile) {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
//获取验证码
String smsCode = request.getParameter("smsCode");
if(StringUtils.isEmpty(smsCode) || !"666666".equals(smsCode)){
throw new BadCredentialsException("Incorrect sms code,please check !");
}
//todo 手机号与验证码是否匹配
}
/**
* ProviderManager 选择具体Provider时根据此方法判断
* 判断 authentication 是不是 SmsCodeAuthenticationToken 的子类或子接口
*/
@Override
public boolean supports(Class<?> authentication) {
return SmsCodeAuthenticationToken.class.isAssignableFrom(authentication);
}
}
短信验证码模式认证实现类,需要实现 AuthenticationProvider,通过 supports 方法会被 ProviderManager 选中成为具体的认证实现类。
手机号码与短信的关联关系需要根据自己业务场景实现,这里直接先写死。
配置类 SmsCodeSecurityConfig
@Component
public class SmsCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
/**
* 短信验证码配置器
* 所有的配置都可以移步到WebSecurityConfig
* builder.authenticationProvider() 相当于 auth.authenticationProvider();
* 使用外部配置必须要在WebSecurityConfig中用http.apply(smsCodeSecurityConfig)将配置注入进去
* @param builder
* @throws Exception
*/
@Override
public void configure(HttpSecurity builder) throws Exception {
//注入SmsCodeAuthenticationProvider
SmsCodeAuthenticationProvider smsCodeAuthenticationProvider = new SmsCodeAuthenticationProvider();
builder.authenticationProvider(smsCodeAuthenticationProvider);
}
}
此类主要实现 SmsCodeAuthenticationProvider 的注入,否则 ProviderManager 无法选到 SmsCodeAuthenticationProvider。
SmsCodeTokenGranter
/**
* 扩展认证模式
* @author javadaily
* @date 2020/7/14 8:31
*/
public class SmsCodeTokenGranter extends AbstractTokenGranter{
private static final String GRANT_TYPE = "sms_code";
private final AuthenticationManager authenticationManager;
public SmsCodeTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
this(authenticationManager, tokenServices, clientDetailsService, requestFactory, GRANT_TYPE);
}
protected SmsCodeTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory, String grantType) {
super(tokenServices, clientDetailsService, requestFactory, grantType);
this.authenticationManager = authenticationManager;
}
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = new LinkedHashMap(tokenRequest.getRequestParameters());
String mobile = parameters.get("mobile");
Authentication userAuth = new SmsCodeAuthenticationToken(mobile);
((AbstractAuthenticationToken)userAuth).setDetails(parameters);
try {
userAuth = this.authenticationManager.authenticate(userAuth);
} catch (AccountStatusException ex) {
throw new InvalidGrantException(ex.getMessage());
} catch (BadCredentialsException ex) {
throw new InvalidGrantException(ex.getMessage());
}
if (userAuth != null && userAuth.isAuthenticated()) {
OAuth2Request storedOAuth2Request = this.getRequestFactory().createOAuth2Request(client, tokenRequest);
return new OAuth2Authentication(storedOAuth2Request, userAuth);
} else {
throw new InvalidGrantException("Could not authenticate mobile: " + mobile);
}
}
}
继承 AbstractTokenGranter 扩展认证模式 sms_code,需要将其添加到 Spring 中并通过 grantType 被选中。
配置类 TokenGranterConfig
通过前面几步自定义认证的基础逻辑都已实现,接下来需要将我们的短信认证模式添加到 Spring 中,主要参考 org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer#getDefaultTokenGranters() 实现。
/**
*参考实现:org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer#getDefaultTokenGranters()
* @author javadaily
* @date 2020/7/14 8:38
*/
@Configuration
public class TokenGranterConfig {
@Autowired
private ClientDetailsService clientDetailsService;
private TokenGranter tokenGranter;
@Autowired
private TokenStore tokenStore;
@Autowired
TokenEnhancer tokenEnhancer;
@Autowired
private AuthenticationManager authenticationManager;
private AuthorizationServerTokenServices tokenServices;
private boolean reuseRefreshToken = true;
private AuthorizationCodeServices authorizationCodeServices;
@Autowired
private UserDetailsService userDetailsService;
@Bean
public TokenGranter tokenGranter(){
if(null == tokenGranter){
tokenGranter = new TokenGranter() {
private CompositeTokenGranter delegate;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if(delegate == null){
delegate = new CompositeTokenGranter(getDefaultTokenGranters());
}
return delegate.grant(grantType,tokenRequest);
}
};
}
return tokenGranter;
}
private List<TokenGranter> getDefaultTokenGranters() {
AuthorizationServerTokenServices tokenServices = tokenServices();
AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
OAuth2RequestFactory requestFactory = requestFactory();
List<TokenGranter> tokenGranters = new ArrayList();
//授权码模式
tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetailsService, requestFactory));
//refresh模式
tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetailsService, requestFactory));
//简化模式
ImplicitTokenGranter implicit = new ImplicitTokenGranter(tokenServices, clientDetailsService, requestFactory);
tokenGranters.add(implicit);
//客户端模式
tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetailsService, requestFactory));
if (authenticationManager != null) {
//密码模式
tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
//短信验证码模式
tokenGranters.add(new SmsCodeTokenGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
}
return tokenGranters;
}
private AuthorizationServerTokenServices tokenServices() {
if (tokenServices != null) {
return tokenServices;
}
this.tokenServices = createDefaultTokenServices();
return tokenServices;
}
private AuthorizationServerTokenServices createDefaultTokenServices() {
DefaultTokenServices tokenServices = new DefaultTokenServices();
tokenServices.setTokenStore(tokenStore);
tokenServices.setSupportRefreshToken(true);
tokenServices.setReuseRefreshToken(reuseRefreshToken);
tokenServices.setClientDetailsService(clientDetailsService);
tokenServices.setTokenEnhancer(tokenEnhancer);
addUserDetailsService(tokenServices, this.userDetailsService);
return tokenServices;
}
/**
* 添加预身份验证
* @param tokenServices
* @param userDetailsService
*/
private void addUserDetailsService(DefaultTokenServices tokenServices, UserDetailsService userDetailsService) {
if (userDetailsService != null) {
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userDetailsService));
tokenServices.setAuthenticationManager(new ProviderManager(Arrays.<AuthenticationProvider>asList(provider)));
}
}
/**
* OAuth2RequestFactory的默认实现,它初始化参数映射中的字段,
* 验证授权类型(grant_type)和范围(scope),并使用客户端的默认值填充范围(scope)(如果缺少这些值)。
*/
private OAuth2RequestFactory requestFactory() {
return new DefaultOAuth2RequestFactory(clientDetailsService);
}
/**
* 授权码API
* @return
*/
private AuthorizationCodeServices authorizationCodeServices() {
if (this.authorizationCodeServices == null) {
this.authorizationCodeServices = new InMemoryAuthorizationCodeServices();
}
return this.authorizationCodeServices;
}
}
修改认证服务器配置 AuthorizationServerConfig
在上面的 TokenGranterConfig 中已经创建了 AuthorizationServerTokenServices,所以我们可以将 AuthorizationServerConfig 中的 tokenServices 功能删除,然后在方法 configure(AuthorizationServerEndpointsConfigurer endpoints) 中注入 tokenGranter 即可
@Configuration
@EnableAuthorizationServer
@RequiredArgsConstructor(onConstructor = @__(@Autowired))
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
private TokenGranter tokenGranter;
...
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.tokenGranter(tokenGranter);
}
...
}
测试
-
正常测试
通过 debug 模式可以看到 SmsCodeTokenGranter 已经被加入 Spring,并能正常返回 jwt token 了。
-
输入错误的手机号码进行认证
-
输入错误的短信验证码进行认证
本篇文章是 SpringCloud alibaba 实战系列文章的第 20 篇,如果大家对之前的文章感兴趣可以移步 http://javadaily.cn/tags/SpringCloud 查看
欢迎来到这里!
我们正在构建一个小众社区,大家在这里相互信任,以平等 • 自由 • 奔放的价值观进行分享交流。最终,希望大家能够找到与自己志同道合的伙伴,共同成长。
注册 关于