Spring Security OAuth 個性化token

個性化Token 目的

• 默認經過調用 /oauth/token 返回的報文格式包含如下參數

{
    "access_token": "e6669cdf-b6cd-43fe-af5c-f91a65041382",
    "token_type": "bearer",
    "refresh_token": "da91294d-446c-4a89-bdcf-88aee15a75e8",
    "expires_in": 43199, 
    "scope": "server"
}

並沒包含用戶的業務信息好比用戶信息、租戶信息等。

• 擴展生成包含業務信息（以下）,避免系統屢次調用，直接能夠經過認證接口獲取到用戶信息等，大大提升系統性能

{
    "access_token":"a6f3b6d6-93e6-4eb8-a97d-3ae72240a7b0",
    "token_type":"bearer",
    "refresh_token":"710ab162-a482-41cd-8bad-26456af38e4f",
    "expires_in":42396,
    "scope":"server",
    "tenant_id":1,
    "license":"made by pigx",
    "dept_id":1,
    "user_id":1,
    "username":"admin"
}

密碼模式生成Token 源碼解析

​ 主頁參考紅框部分

• ResourceOwnerPasswordTokenGranter （密碼模式）根據用戶的請求信息，進行認證獲得當前用戶上下文信息

  protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
      Map<String, String> parameters = new LinkedHashMap<String, String>(tokenRequest.getRequestParameters());
  	String username = parameters.get("username");
  	String password = parameters.get("password");
  	// Protect from downstream leaks of password
  	parameters.remove("password");
      Authentication userAuth = new UsernamePasswordAuthenticationToken(username, password);
     ((AbstractAuthenticationToken) userAuth).setDetails(parameters);
  
      userAuth = authenticationManager.authenticate(userAuth);
  
      OAuth2Request storedOAuth2Request =  getRequestFactory().createOAuth2Request(client, tokenRequest);		
  		return new OAuth2Authentication(storedOAuth2Request, userAuth);
  }

• 而後調用AbstractTokenGranter.getAccessToken() 獲取OAuth2AccessToken

  protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) {
     return tokenServices.createAccessToken(getOAuth2Authentication(client, tokenRequest));
  }

• 默認使用DefaultTokenServices來獲取token

  public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
  
  	... 一系列判斷 ，合法性、是否過時等判斷	
  	OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
  		tokenStore.storeAccessToken(accessToken, authentication);
  		// In case it was modified
  		refreshToken = accessToken.getRefreshToken();
  		if (refreshToken != null) {
  			tokenStore.storeRefreshToken(refreshToken, authentication);
  		}
  		return accessToken;
  }

• createAccessToken 核心邏輯

  // 默認刷新token 的有效期
  private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // default 30 days.
  // 默認token 的有效期
  private int accessTokenValiditySeconds = 60 * 60 * 12; // default 12 hours.
  
  private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) {
      DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(uuid);
      token.setExpiration(Date)
      token.setRefreshToken(refreshToken);
      token.setScope(authentication.getOAuth2Request().getScope());
      return accessTokenEnhancer != null ? accessTokenEnhancer.enhance(token, authentication) : token;
  }

  如上代碼，在拼裝好token對象後會調用認證服務器配置TokenEnhancer( 加強器) 來對默認的token進行加強。

• TokenEnhancer.enhance 經過上下文中的用戶信息來個性化Token

  public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
      final Map<String, Object> additionalInfo = new HashMap<>(8);
      PigxUser pigxUser = (PigxUser) authentication.getUserAuthentication().getPrincipal();
      additionalInfo.put("user_id", pigxUser.getId());
      additionalInfo.put("username", pigxUser.getUsername());
      additionalInfo.put("dept_id", pigxUser.getDeptId());
      additionalInfo.put("tenant_id", pigxUser.getTenantId());
      additionalInfo.put("license", SecurityConstants.PIGX_LICENSE);
      ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
      return accessToken;
  }

基於pig 看下最終的實現效果

Pig 基於Spring Cloud、oAuth2.0開發基於Vue先後分離的開發平臺，支持帳號、短信、SSO等多種登陸，提供配套視頻開發教程。
https://gitee.com/log4j/pig