OAuth2生成token代码备忘实现过程示例
作者:AC编程
这篇文章主要为大家介绍了OAuth2生成token代码备忘实现过程示例详解,有需要的朋友可以借鉴参考下,希望能够有所帮助,祝大家多多进步,早日升职加薪
一、登录接口(用户名+密码)
1、前端请求auth服务
http://127.0.0.1:72/oauth/pwdLogin
2、请求数据
{
"mobile": "134178101xx",
"password": "123456"
}3、Controller方法
@SneakyThrows
@PostMapping("pwdLogin")
@SignMemberLoginLog(value = "APP_PWD", desc = "密码登录")
@ApiOperation(value = "会员登录(密码登录)")
public Result<Oauth2TokenDto> pwdLogin(@RequestBody MemberLoginPwdVO vo, HttpServletRequest request) {
if (StringUtil.isEmpty(vo.getClientId())) {
vo.setClientId("app");
}
vo.setIp(IpUtils.ip(request));
Map<String, String> params = getMemberBaseParam(vo, SecurityLoginTypeEnum.APP_PWD.getCode());
params.put("mobile", vo.getMobile());
params.put("password", vo.getPassword());
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
Oauth2TokenDto oauth2TokenDto = authTokenComponent.getAccessToken(vo.getClientId(), "app", grantedAuthorities, params);
return Result.success(oauth2TokenDto);
}
private Map<String, String> getMemberBaseParam(MemberLoginBaseVO vo, String grantType) {
Map<String, String> params = new HashMap<>();
params.put("client_id", vo.getClientId());
params.put("client_secret", "app");
params.put("grant_type", grantType);
params.put("scope", "all");
params.put("platform", vo.getPlatform());
//附加信息
params.put("version", vo.getVersion());
params.put("device", vo.getDevice());
params.put("iemi", vo.getIemi());
params.put("location", vo.getLocation());
params.put("ip", vo.getIp());
params.put("recommendCode", vo.getRecommendCode());
return params;
}二、授权接口调用逻辑
2.1 AuthTokenComponent类
import org.springframework.security.oauth2.provider.endpoint.TokenEndpoint;
@Component
public class AuthTokenComponent {
@Autowired
private TokenEndpoint tokenEndpoint;
public Oauth2TokenDto getAccessToken(String clientId, String clientSecurity , List<GrantedAuthority> grantedAuthorities, Map<String, String> params) throws HttpRequestMethodNotSupportedException {
User principle = new User(clientId,clientSecurity,true,true,true,true,grantedAuthorities);
return getAccessToken(principle,params);
}
public Oauth2TokenDto getAccessToken(User principle, Map<String, String> params) throws HttpRequestMethodNotSupportedException {
UsernamePasswordAuthenticationToken principal = new UsernamePasswordAuthenticationToken(principle,null,principle.getAuthorities());
OAuth2AccessToken oAuth2AccessToken = tokenEndpoint.postAccessToken(principal, params).getBody();
Oauth2TokenDto oauth2TokenDto = Oauth2TokenDto.builder()
.token(oAuth2AccessToken.getValue())
.refreshToken(oAuth2AccessToken.getRefreshToken().getValue())
.expiresIn(oAuth2AccessToken.getExpiresIn())
.tokenHead("Bearer ").build();
return oauth2TokenDto;
}
}调用tokenEndpoint.postAccessToken生成token时,接口调用逻辑:
- 1、调用AuthenticationProvider接口(AdminAuthenticationProvider实现类)密码校验
- 2、调用
UserDetailsService接口(MyUserDetailsService实现类)获取用户信息 - 3、调用
DefaultTokenServices接口(CustomTokenServices实现类)生成token
2.2 AuthenticationProvider接口
1、MobilePasswordAuthenticationProvider实现类
@Setter
public class MobilePasswordAuthenticationProvider implements AuthenticationProvider {
private QmUserDetailsService userDetailsService;
private PasswordEncoder passwordEncoder;
@Override
public Authentication authenticate(Authentication authentication) {
MobilePasswordAuthenticationToken authenticationToken = (MobilePasswordAuthenticationToken) authentication;
String mobile = (String) authenticationToken.getPrincipal();
String password = (String) authenticationToken.getCredentials();
SecurityUser user = userDetailsService.loadUserByMobile(mobile);
if (user == null) {
throw new QiMiaoException(ResultCode.JWT_USER_INVALID);
}
if(userDetailsService.checkBlock(mobile)) {
throw new QiMiaoException(ResultCode.JWT_USER_BLOCK);
}
if (!passwordEncoder.matches(password, user.getPassword())) {
userDetailsService.inc(mobile);
throw new QiMiaoException(ResultCode.JWT_USER_INVALID_PWD);
}
Map<String, String> parameters = (Map<String, String>)authenticationToken.getDetails();
if(null != parameters.get("platform")) {
user.setPlatform(parameters.get("platform"));
}
MobilePasswordAuthenticationToken authenticationResult = new MobilePasswordAuthenticationToken(user, password, user.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
@Override
public boolean supports(Class<?> authentication) {
return MobilePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}2、MobileAuthenticationSecurityConfig配置类
@Component
public class MobileAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
@Autowired
private QmUserDetailsService userDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private SmsVcodeRdsHelper smsVcodeRdsHelper;
@Override
public void configure(HttpSecurity http) {
MobilePasswordAuthenticationProvider provider = new MobilePasswordAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setPasswordEncoder(passwordEncoder);
http.authenticationProvider(provider);
MobileSmsAuthenticationProvider smsProvider = new MobileSmsAuthenticationProvider();
smsProvider.setUserDetailsService(userDetailsService);
smsProvider.setSmsVcodeRdsHelper(smsVcodeRdsHelper);
http.authenticationProvider(smsProvider);
MobileOneKeyAuthenticationProvider oneKeyProvider = new MobileOneKeyAuthenticationProvider();
oneKeyProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(oneKeyProvider);
VisitorAuthenticationProvider visitorAuthenticationProvider = new VisitorAuthenticationProvider();
visitorAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(visitorAuthenticationProvider);
QRCodeAuthenticationProvider qrCodeAuthenticationProvider = new QRCodeAuthenticationProvider();
qrCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(qrCodeAuthenticationProvider);
SocialAuthenticationProvider socialAuthenticationProvider = new SocialAuthenticationProvider();
socialAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(socialAuthenticationProvider);
}
}3、WebSecurityConfig配置类
@Configuration
@EnableWebSecurity
@Import(DefaultPasswordConfig.class)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
//管理系统登录
@Autowired
private AdminAuthenticationSecurityConfig adminAuthenticationSecurityConfig;
//App登录
@Autowired
private MobileAuthenticationSecurityConfig mobileAuthenticationSecurityConfig;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.requestMatchers(EndpointRequest.toAnyEndpoint()).permitAll()
.antMatchers("/rsa/publicKey", "/actuator/**").permitAll()
.antMatchers("/").permitAll()
.antMatchers(HttpMethod.POST, "/oauth/**").permitAll()
// swagger
.antMatchers("/swagger-ui.html").permitAll()
.antMatchers("/swagger-resources/**").permitAll()
.antMatchers("/images/**").permitAll()
.antMatchers("/webjars/**").permitAll()
.antMatchers("/v2/api-docs").permitAll()
.antMatchers("/configuration/ui").permitAll()
.antMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.anyRequest()
//授权服务器关闭basic认证
.permitAll()
.and()
.logout()
.logoutUrl(SecurityConstants.LOGOUT_URL)
.logoutSuccessHandler(oauthLogoutSuccessHandler)
.addLogoutHandler(oauthLogoutHandler)
.clearAuthentication(true)
.and()
.apply(mobileAuthenticationSecurityConfig)
.and()
.apply(adminAuthenticationSecurityConfig)
.and()
.csrf().disable()
// 解决不允许显示在iframe的问题
.headers().frameOptions().disable().cacheControl();
// 基于密码 等模式可以无session,不支持授权码模式
if (authenticationEntryPoint != null) {
http.exceptionHandling().authenticationEntryPoint(authenticationEntryPoint);
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
} else {
// 授权码模式单独处理,需要session的支持,此模式可以支持所有oauth2的认证
http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
}
}2.3 MyUserDetailsService接口 & MyUserDetailServiceImpl类
public interface MyUserDetailsService extends UserDetailsService {
SecurityUser loadUserByMobile(String mobile);
SecurityUser loadUserById(Long id);
SecurityUser loadUserByOpenId(String openId, String platform);
SecurityUser loadUserByImei(String im);
SecurityUser loadAdminUser(String mobileOrUserName);
SecurityUser createUserByMobile(String mobile);
SecurityUser createUserByMobile(String globalCode, String mobile);
SecurityUser createVisitor(Map<String, String> map);
}@Slf4j
public class MyUserDetailServiceImpl implements MyUserDetailsService{
@Override
public SecurityUser loadAdminUser(String mobileOrUserName) {
SecurityUser securityUser = null;
Result<UserDTO> userDTOResult = userFeignService.selectByMobile(mobileOrUserName);
if (ResultCode.SUCCESS.getCode() == userDTOResult.getCode()) {
if (userDTOResult.getData() == null) {
throw new Exception(ResultCode.JWT_USER_INVALID);
}
UserDTO userDTO = userDTOResult.getData();
//是否被禁用
if (!userDTO.getStatus()) {
throw new Exception(ResultCode.JWT_USER_ENABLED);
}
securityUser = new SecurityUser();
securityUser.setUserType(SecurityUserTypeEnum.ADMIN);
securityUser.setGrantType(SecurityLoginTypeEnum.ADMIN_PWD);
securityUser.setId(userDTO.getId());
securityUser.setUsername(userDTO.getLoginName());
securityUser.setPassword(userDTO.getLoginPwd());
securityUser.setEnabled(true);
Collection<SimpleGrantedAuthority> authorities = new HashSet<>();
//基于权限控制
Result<List<PermDTO>> dtoResult = permFeignService.permListByUserId(userDTO.getId());
if (ResultCode.SUCCESS.getCode() == dtoResult.getCode()) {
if (dtoResult.getData() != null) {
for (PermDTO dto : dtoResult.getData()) {
authorities.add(new SimpleGrantedAuthority(dto.getPermApiHttpMethod() + dto.getPermValue()));
}
}
}
securityUser.setAuthorities(authorities);
}
return securityUser;
}
}2.4 CustomTokenServices类
@Slf4j
public class CustomTokenServices extends DefaultTokenServices {
private TokenStore tokenStore;
private TokenEnhancer accessTokenEnhancer;
//是否登录同应用同账号互踢
private boolean isSingleLogin;
public CustomTokenServices(boolean isSingleLogin) {
this.isSingleLogin = isSingleLogin;
}
@Override
@Transactional
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
log.info("createAccessToken,start existingAccessToken={}",existingAccessToken);
OAuth2RefreshToken refreshToken = null;
if (existingAccessToken != null) {
if (isSingleLogin) {
if (existingAccessToken.getRefreshToken() != null) {
tokenStore.removeRefreshToken(existingAccessToken.getRefreshToken());
log.info("createAccessToken,removeRefreshToken A={}",existingAccessToken);
log.info("createAccessToken,getRefreshToken A1={}",existingAccessToken.getRefreshToken());
}
} else if (existingAccessToken.isExpired()) {
if (existingAccessToken.getRefreshToken() != null) {
refreshToken = existingAccessToken.getRefreshToken();
tokenStore.removeRefreshToken(refreshToken);
}
tokenStore.removeAccessToken(existingAccessToken);
log.info("createAccessToken,isExpired B={}",existingAccessToken);
} else {
// oidc每次授权都刷新id_token
existingAccessToken = refreshIdToken(existingAccessToken, authentication);
tokenStore.storeAccessToken(existingAccessToken, authentication);
log.info("createAccessToken,isExpired C={}",existingAccessToken);
return existingAccessToken;
}
}
if (refreshToken == null) {
refreshToken = createRefreshToken(authentication);
}
else if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiring = (ExpiringOAuth2RefreshToken) refreshToken;
if (System.currentTimeMillis() > expiring.getExpiration().getTime()) {
refreshToken = createRefreshToken(authentication);
}
}
OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
tokenStore.storeAccessToken(accessToken, authentication);
refreshToken = accessToken.getRefreshToken();
if (refreshToken != null) {
tokenStore.storeRefreshToken(refreshToken, authentication);
}
log.info("createAccessToken,end accessToken={}",accessToken);
return accessToken;
}
}三、AuthenticationProvider详解
3.1 AuthenticationProvider多个实现类
如果项目中定义了多个AuthenticationProvider实现类,那登录时,怎么判断用哪个AuthenticationProvider实现类?我们可以通过源码来找到答案
1、MobileAuthenticationSecurityConfig
@Component
public class MobileAuthenticationSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
@Autowired
private MyUserDetailsService userDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private SmsVcodeRdsHelper smsVcodeRdsHelper;
@Override
public void configure(HttpSecurity http) {
MobilePasswordAuthenticationProvider provider = new MobilePasswordAuthenticationProvider();
provider.setUserDetailsService(userDetailsService);
provider.setPasswordEncoder(passwordEncoder);
http.authenticationProvider(provider);
MobileSmsAuthenticationProvider smsProvider = new MobileSmsAuthenticationProvider();
smsProvider.setUserDetailsService(userDetailsService);
smsProvider.setSmsVcodeRdsHelper(smsVcodeRdsHelper);
http.authenticationProvider(smsProvider);
MobileOneKeyAuthenticationProvider oneKeyProvider = new MobileOneKeyAuthenticationProvider();
oneKeyProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(oneKeyProvider);
VisitorAuthenticationProvider visitorAuthenticationProvider = new VisitorAuthenticationProvider();
visitorAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(visitorAuthenticationProvider);
QRCodeAuthenticationProvider qrCodeAuthenticationProvider = new QRCodeAuthenticationProvider();
qrCodeAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(qrCodeAuthenticationProvider);
SocialAuthenticationProvider socialAuthenticationProvider = new SocialAuthenticationProvider();
socialAuthenticationProvider.setUserDetailsService(userDetailsService);
http.authenticationProvider(socialAuthenticationProvider);
}
}2、管理系统登录实现类
@Setter
public class AdminAuthenticationProvider implements AuthenticationProvider {
private QmUserDetailsService userDetailsService;
private PasswordEncoder passwordEncoder;
@Override
public Authentication authenticate(Authentication authentication) {
UsernamePasswordAuthenticationToken authenticationToken = (UsernamePasswordAuthenticationToken) authentication;
String userName = (String) authenticationToken.getPrincipal();
String password = (String) authenticationToken.getCredentials();
UserDetails user = userDetailsService.loadAdminUser(userName);
if (user == null) {
throw new Exception(ResultCode.JWT_USER_INVALID);
}
if(userDetailsService.checkBlock(userName)) {
throw new Exception(ResultCode.JWT_USER_BLOCK);
}
if (!passwordEncoder.matches(password, user.getPassword())) {
userDetailsService.inc(userName);
throw new Exception(ResultCode.JWT_USER_INVALID);
}
UsernamePasswordAuthenticationToken authenticationResult = new UsernamePasswordAuthenticationToken(user, password, user.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
// 重点看这里
@Override
public boolean supports(Class<?> authentication) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}3、手机号+密码登录实现类
@Setter
public class MobilePasswordAuthenticationProvider implements AuthenticationProvider {
private QmUserDetailsService userDetailsService;
private PasswordEncoder passwordEncoder;
@Override
public Authentication authenticate(Authentication authentication) {
MobilePasswordAuthenticationToken authenticationToken = (MobilePasswordAuthenticationToken) authentication;
String mobile = (String) authenticationToken.getPrincipal();
String password = (String) authenticationToken.getCredentials();
SecurityUser user = userDetailsService.loadUserByMobile(mobile);
if (user == null) {
throw new QiMiaoException(ResultCode.JWT_USER_INVALID);
}
if(userDetailsService.checkBlock(mobile)) {
throw new QiMiaoException(ResultCode.JWT_USER_BLOCK);
}
if (!passwordEncoder.matches(password, user.getPassword())) {
userDetailsService.inc(mobile);
throw new QiMiaoException(ResultCode.JWT_USER_INVALID_PWD);
}
Map<String, String> parameters = (Map<String, String>)authenticationToken.getDetails();
if(null != parameters.get("platform")) {
user.setPlatform(parameters.get("platform"));
}
MobilePasswordAuthenticationToken authenticationResult = new MobilePasswordAuthenticationToken(user, password, user.getAuthorities());
authenticationResult.setDetails(authenticationToken.getDetails());
return authenticationResult;
}
// 重点看这里
@Override
public boolean supports(Class<?> authentication) {
return MobilePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}4、MobilePasswordAuthenticationToken
package com.alanchen.ac;
public class MobilePasswordAuthenticationToken extends AbstractAuthenticationToken {
private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
private final Object principal;
private Object credentials;
public MobilePasswordAuthenticationToken(String mobile, String password) {
super(null);
this.principal = mobile;
this.credentials = password;
setAuthenticated(false);
}
public MobilePasswordAuthenticationToken(Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities) {
super(authorities);
this.principal = principal;
this.credentials = credentials;
super.setAuthenticated(true);
}
@Override
public Object getCredentials() {
return this.credentials;
}
@Override
public Object getPrincipal() {
return this.principal;
}
@Override
public void setAuthenticated(boolean isAuthenticated) {
if (isAuthenticated) {
throw new IllegalArgumentException(
"Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
}
super.setAuthenticated(false);
}
@Override
public void eraseCredentials() {
super.eraseCredentials();
}
}3.2 AuthenticationProvider源码
首先进入到AuthenticationProvider源码中可以看到它只是个简单的接口里面也只有两个方法:
public interface AuthenticationProvider {
// 具体认证流程
Authentication authenticate(Authentication authentication)
throws AuthenticationException;
// supports函数用来指明该Provider是否适用于该类型的认证,如果不合适,则寻找另一个Provider进行验证处理。
boolean supports(Class<?> authentication);
}3.3 ProviderManager源码
ProviderManager提供了一个list对AuthenticationProvider进行统一管理,即一个认证处理器链来支持同一个应用中的多个不同身份认证机制,ProviderManager将会根据顺序来进行验证。
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
Class<? extends Authentication> toTest = authentication.getClass();
AuthenticationException lastException = null;
AuthenticationException parentException = null;
Authentication result = null;
Authentication parentResult = null;
boolean debug = logger.isDebugEnabled();
Iterator var8 = this.getProviders().iterator();
while(var8.hasNext()) {
AuthenticationProvider provider = (AuthenticationProvider)var8.next();
//这里调用的就是AuthenticationProvider的方法supports(),如果项目中定义了多个AuthenticationProvider,则是通过这里判断来取哪一个AuthenticationProvider实现类
if (provider.supports(toTest)) {
if (debug) {
logger.debug("Authentication attempt using " + provider.getClass().getName());
}
try {
result = provider.authenticate(authentication);
if (result != null) {
this.copyDetails(authentication, result);
break;
}
} catch (InternalAuthenticationServiceException | AccountStatusException var13) {
this.prepareException(var13, authentication);
throw var13;
} catch (AuthenticationException var14) {
lastException = var14;
}
}
}
//省略代码
}3.4 手机号+密码Granter
重点关注该类中的:
1、MobilePasswordAuthenticationToken
2、SecurityGrantType.APP_PWD.getCode(),和Controller.pwdLogin里的grant_type是同一个类型。
public class MobilePwdGranter extends AbstractTokenGranter {
private final AuthenticationManager authenticationManager;
public MobilePwdGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices
, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory) {
super(tokenServices, clientDetailsService, requestFactory, SecurityGrantType.APP_PWD.getCode());
this.authenticationManager = authenticationManager;
}
@Override
protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) {
Map<String, String> parameters = new LinkedHashMap<>(tokenRequest.getRequestParameters());
String mobile = parameters.get("mobile");
String password = parameters.get("password");
// Protect from downstream leaks of password
parameters.remove("password");
Authentication userAuth = new MobilePasswordAuthenticationToken(mobile, password);
((AbstractAuthenticationToken) userAuth).setDetails(parameters);
userAuth = authenticationManager.authenticate(userAuth);
if (userAuth == null || !userAuth.isAuthenticated()) {
throw new InvalidGrantException("Could not authenticate mobile: " + mobile);
}
OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest);
return new OAuth2Authentication(storedOAuth2Request, userAuth);
}
}
3.5 TokenGranter配置
@Configuration
public class TokenGranterConfig {
@Autowired
private ClientDetailsService clientDetailsService;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private TokenStore tokenStore;
@Autowired(required = false)
private List<TokenEnhancer> tokenEnhancer;
@Autowired
private RandomValueAuthorizationCodeServices authorizationCodeServices;
private boolean reuseRefreshToken = true;
private AuthorizationServerTokenServices tokenServices;
private TokenGranter tokenGranter;
/**
* 授权模式
*/
@Bean
public TokenGranter tokenGranter() {
if (tokenGranter == null) {
tokenGranter = new TokenGranter() {
private CompositeTokenGranter delegate;
@Override
public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) {
if (delegate == null) {
delegate = new CompositeTokenGranter(getAllTokenGranters());
}
return delegate.grant(grantType, tokenRequest);
}
};
}
return tokenGranter;
}
/**
* 所有授权模式:默认的5种模式 + 自定义的模式
*/
private List<TokenGranter> getAllTokenGranters() {
AuthorizationServerTokenServices tokenServices = tokenServices();
AuthorizationCodeServices authorizationCodeServices = authorizationCodeServices();
OAuth2RequestFactory requestFactory = requestFactory();
//获取默认的授权模式
List<TokenGranter> tokenGranters = getDefaultTokenGranters(tokenServices, authorizationCodeServices, requestFactory);
if (authenticationManager != null) {
// 添加social模式
tokenGranters.add(new SocialGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
// 添加手机号加密码授权模式
tokenGranters.add(new MobilePwdGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
// 添加手机号加密码授权模式
tokenGranters.add(new MobileSmsGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
tokenGranters.add(new AdminPwdGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
tokenGranters.add(new MobileOneKeyGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
tokenGranters.add(new VisitorGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
tokenGranters.add(new QRCodeGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
}
return tokenGranters;
}
/**
* 默认的授权模式
*/
private List<TokenGranter> getDefaultTokenGranters(AuthorizationServerTokenServices tokenServices
, AuthorizationCodeServices authorizationCodeServices, OAuth2RequestFactory requestFactory) {
List<TokenGranter> tokenGranters = new ArrayList<>();
// 添加授权码模式
tokenGranters.add(new AuthorizationCodeTokenGranter(tokenServices, authorizationCodeServices, clientDetailsService, requestFactory));
// 添加刷新令牌的模式
tokenGranters.add(new RefreshTokenGranter(tokenServices, clientDetailsService, requestFactory));
// 添加隐士授权模式
tokenGranters.add(new ImplicitTokenGranter(tokenServices, clientDetailsService, requestFactory));
// 添加客户端模式
tokenGranters.add(new ClientCredentialsTokenGranter(tokenServices, clientDetailsService, requestFactory));
if (authenticationManager != null) {
// 添加密码模式
tokenGranters.add(new ResourceOwnerPasswordTokenGranter(authenticationManager, tokenServices, clientDetailsService, requestFactory));
}
return tokenGranters;
}
private AuthorizationServerTokenServices tokenServices() {
if (tokenServices != null) {
return tokenServices;
}
this.tokenServices = createDefaultTokenServices();
return tokenServices;
}
private AuthorizationCodeServices authorizationCodeServices() {
if (authorizationCodeServices == null) {
authorizationCodeServices = new InMemoryAuthorizationCodeServices();
}
return authorizationCodeServices;
}
private OAuth2RequestFactory requestFactory() {
return new DefaultOAuth2RequestFactory(clientDetailsService);
}
private DefaultTokenServices createDefaultTokenServices() {
//token互踢
DefaultTokenServices tokenServices = new CustomTokenServices(true);
tokenServices.setTokenStore(tokenStore);
tokenServices.setSupportRefreshToken(true);
tokenServices.setReuseRefreshToken(reuseRefreshToken);
tokenServices.setClientDetailsService(clientDetailsService);
tokenServices.setTokenEnhancer(tokenEnhancer());
addUserDetailsService(tokenServices, this.userDetailsService);
return tokenServices;
}
private TokenEnhancer tokenEnhancer() {
if (tokenEnhancer != null) {
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(tokenEnhancer);
return tokenEnhancerChain;
}
return null;
}
private void addUserDetailsService(DefaultTokenServices tokenServices, UserDetailsService userDetailsService) {
if (userDetailsService != null) {
PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<>(userDetailsService));
tokenServices.setAuthenticationManager(new ProviderManager(Collections.singletonList(provider)));
}
}
}四、生成toekn详解
生成token前,先从tokenStore里去toeken,看是否已经存在,如果存在则执行挤下线逻辑。tokenStore对应的是实现类com.auth.store.CustomRedisTokenStore。
4.1 TokenStore配置类
@Configuration
public class AuthRedisTokenStore {
@Bean
public TokenStore tokenStore(RedisConnectionFactory connectionFactory, RedisSerializer<Object> redisValueSerializer) {
return new CustomRedisTokenStore(connectionFactory, redisValueSerializer);
}
}4.2 TokenStore实现类
/**
* 优化自Spring Security的RedisTokenStore
* 1. 支持redis所有集群模式包括cluster模式
* 2. 使用pipeline减少连接次数,提升性能
* 3. 自动续签token
*/
@Slf4j
public class CustomRedisTokenStore implements TokenStore {
private static final String ACCESS = "{auth}access:";
private static final String AUTH_TO_ACCESS = "{auth}auth_to_access:";
private static final String REFRESH_AUTH = "{auth}refresh_auth:";
private static final String ACCESS_TO_REFRESH = "{auth}access_to_refresh:";
private static final String REFRESH = "{auth}refresh:";
private static final String REFRESH_TO_ACCESS = "{auth}refresh_to_access:";
private static final String RELATION_ID_TOKEN = "{auth}relation_id_token:";
private static final boolean springDataRedis_2_0 = ClassUtils.isPresent(
"org.springframework.data.redis.connection.RedisStandaloneConfiguration",
RedisTokenStore.class.getClassLoader());
private final RedisConnectionFactory connectionFactory;
private AuthenticationKeyGenerator authenticationKeyGenerator = new DefaultAuthenticationKeyGenerator();
private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy();
private String prefix = "";
private Method redisConnectionSet_2_0;
/**
* 业务redis的value序列化
*/
private RedisSerializer<Object> redisValueSerializer;
public CustomRedisTokenStore(RedisConnectionFactory connectionFactory, RedisSerializer<Object> redisValueSerializer) {
this.connectionFactory = connectionFactory;
this.redisValueSerializer = redisValueSerializer;
if (springDataRedis_2_0) {
this.loadRedisConnectionMethods_2_0();
}
}
public void setAuthenticationKeyGenerator(AuthenticationKeyGenerator authenticationKeyGenerator) {
this.authenticationKeyGenerator = authenticationKeyGenerator;
}
public void setSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy) {
this.serializationStrategy = serializationStrategy;
}
public void setPrefix(String prefix) {
this.prefix = prefix;
}
private void loadRedisConnectionMethods_2_0() {
this.redisConnectionSet_2_0 = ReflectionUtils.findMethod(
RedisConnection.class, "set", byte[].class, byte[].class);
}
private RedisConnection getConnection() {
return connectionFactory.getConnection();
}
private byte[] serialize(Object object) {
return serializationStrategy.serialize(object);
}
private byte[] serializeKey(String object) {
return serialize(prefix + object);
}
private OAuth2AccessToken deserializeAccessToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2AccessToken.class);
}
private OAuth2Authentication deserializeAuthentication(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2Authentication.class);
}
private OAuth2RefreshToken deserializeRefreshToken(byte[] bytes) {
return serializationStrategy.deserialize(bytes, OAuth2RefreshToken.class);
}
private ClientDetails deserializeClientDetails(byte[] bytes) {
return (ClientDetails)redisValueSerializer.deserialize(bytes);
}
private byte[] serialize(String string) {
return serializationStrategy.serialize(string);
}
private String deserializeString(byte[] bytes) {
return serializationStrategy.deserializeString(bytes);
}
@Override
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
String key = authenticationKeyGenerator.extractKey(authentication);
byte[] serializedKey = serializeKey(AUTH_TO_ACCESS + key);
byte[] bytes;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializedKey);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
if (accessToken != null) {
OAuth2Authentication storedAuthentication = readAuthentication(accessToken.getValue());
if ((storedAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(storedAuthentication)))) {
// Keep the stores consistent (maybe the same user is
// represented by this authentication but the details have
// changed)
storeAccessToken(accessToken, authentication);
}
}
return accessToken;
}
@Override
public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
OAuth2Authentication auth2Authentication = readAuthentication(token.getValue());
//是否开启token续签
boolean isRenew = true;
if (isRenew && auth2Authentication != null) {
OAuth2Request clientAuth = auth2Authentication.getOAuth2Request();
//判断当前应用是否需要自动续签
if (checkRenewClientId(clientAuth.getClientId())) {
//获取过期时长
int validitySeconds = 2592000;
double expiresRatio = token.getExpiresIn() / (double)validitySeconds;
//判断是否需要续签,当前剩余时间小于过期时长的50%则续签
if (expiresRatio <= 0.5) {
//更新AccessToken过期时间
DefaultOAuth2AccessToken oAuth2AccessToken = (DefaultOAuth2AccessToken) token;
oAuth2AccessToken.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L)));
storeAccessToken(oAuth2AccessToken, auth2Authentication, true);
}
}
}
return auth2Authentication;
}
/**
* 判断应用自动续签是否满足白名单和黑名单的过滤逻辑 后期看需求是否需要
* @param clientId 应用id
* @return 是否满足
*/
private boolean checkRenewClientId(String clientId) {
boolean result = true;
return result;
}
public String getToken(String id){
byte[] relationIdTokenKey = getRelationIdTokenKey(id);
RedisConnection conn = getConnection();
try {
byte[] bytes = conn.get(relationIdTokenKey);
return deserializeString(bytes);
} finally {
conn.close();
}
}
/**
* 获取token的总有效时长
* @param clientId 应用id
*/
private int getAccessTokenValiditySeconds(String clientId) {
RedisConnection conn = getConnection();
byte[] bytes;
try {
bytes = conn.get(serializeKey(SecurityConstants.CACHE_CLIENT_KEY + ":" + clientId));
} finally {
conn.close();
}
if (bytes != null) {
ClientDetails clientDetails = deserializeClientDetails(bytes);
if (clientDetails.getAccessTokenValiditySeconds() != null) {
return clientDetails.getAccessTokenValiditySeconds();
}
}
//返回默认值
return SecurityConstants.ACCESS_TOKEN_VALIDITY_SECONDS;
}
@Override
public OAuth2Authentication readAuthentication(String token) {
byte[] bytes;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializeKey(SecurityConstants.REDIS_TOKEN_AUTH + token));
} finally {
conn.close();
}
return deserializeAuthentication(bytes);
}
@Override
public OAuth2Authentication readAuthenticationForRefreshToken(OAuth2RefreshToken token) {
return readAuthenticationForRefreshToken(token.getValue());
}
public OAuth2Authentication readAuthenticationForRefreshToken(String token) {
RedisConnection conn = getConnection();
try {
byte[] bytes = conn.get(serializeKey(REFRESH_AUTH + token));
return deserializeAuthentication(bytes);
} finally {
conn.close();
}
}
@Override
public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication) {
storeAccessToken(token, authentication, false);
}
private byte[] getRelationIdTokenKey(String id){
return serializeKey(RELATION_ID_TOKEN + id);
}
private byte[] getRelationIdTokenKey(OAuth2Authentication authentication){
byte[] relationIdTokenKey = null;
Object obj = authentication.getPrincipal();
Object details = authentication.getUserAuthentication().getDetails();
if(obj!=null && details!=null){
if(obj instanceof SecurityUser && details instanceof HashMap){
SecurityUser user = (SecurityUser)obj;
Map map = (Map)details;
String clientId = String.valueOf(map.get("client_id"));
Long userId = user.getId();
relationIdTokenKey = serializeKey(RELATION_ID_TOKEN +clientId+":"+userId);
}
}else{
log.error("storeAccessToken 没有取到principal");
}
return relationIdTokenKey;
}
public SecurityUser getSecurityUser(String token){
SecurityUser user = null;
OAuth2Authentication auth2Authentication = readAuthentication(token);
if (auth2Authentication != null) {
Object obj = auth2Authentication.getPrincipal();
if (obj!=null && obj instanceof SecurityUser) {
user = (SecurityUser) obj;
}else{
log.error("getSecurityUser:解析User失败,"+obj);
}
}else{
log.error("getSecurityUser:auth2Authentication 为nuLl");
}
return user;
}
/**
* 存储token
* @param isRenew 是否续签
*/
private void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authentication, boolean isRenew) {
byte[] serializedAccessToken = serialize(token);
byte[] serializedAuth = serialize(authentication);
byte[] serializedToken = serialize(token.getValue());
byte[] accessKey = serializeKey(ACCESS + token.getValue());
byte[] authKey = serializeKey(SecurityConstants.REDIS_TOKEN_AUTH + token.getValue());
byte[] authToAccessKey = serializeKey(AUTH_TO_ACCESS + authenticationKeyGenerator.extractKey(authentication));
byte[] approvalKey = serializeKey(SecurityConstants.REDIS_UNAME_TO_ACCESS + getApprovalKey(authentication));
byte[] clientId = serializeKey(SecurityConstants.REDIS_CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());
byte[] relationIdTokenKey = getRelationIdTokenKey(authentication);
RedisConnection conn = getConnection();
try {
byte[] oldAccessToken = conn.get(accessKey);
//如果token已存在,并且不是续签的话直接返回
if (!isRenew && oldAccessToken != null) {
return;
}
conn.openPipeline();
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, accessKey, serializedAccessToken);
this.redisConnectionSet_2_0.invoke(conn, authKey, serializedAuth);
this.redisConnectionSet_2_0.invoke(conn, authToAccessKey, serializedAccessToken);
if(relationIdTokenKey!=null){
this.redisConnectionSet_2_0.invoke(conn, relationIdTokenKey, serializedToken);
}
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(accessKey, serializedAccessToken);
conn.set(authKey, serializedAuth);
conn.set(authToAccessKey, serializedAccessToken);
if(relationIdTokenKey!=null){
conn.set(relationIdTokenKey, serializedToken);
}
}
//如果是续签token,需要先删除集合里旧的值
if (oldAccessToken != null) {
if (!authentication.isClientOnly()) {
conn.lRem(approvalKey, 1, oldAccessToken);
}
conn.lRem(clientId, 1, oldAccessToken);
}
if (!authentication.isClientOnly()) {
conn.rPush(approvalKey, serializedAccessToken);
}
conn.rPush(clientId, serializedAccessToken);
if (token.getExpiration() != null) {
int seconds = token.getExpiresIn();
conn.expire(accessKey, seconds);
conn.expire(authKey, seconds);
conn.expire(authToAccessKey, seconds);
conn.expire(clientId, seconds);
conn.expire(approvalKey, seconds);
}
OAuth2RefreshToken refreshToken = token.getRefreshToken();
if (refreshToken != null && refreshToken.getValue() != null) {
byte[] refresh = serialize(token.getRefreshToken().getValue());
byte[] auth = serialize(token.getValue());
byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + token.getRefreshToken().getValue());
byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + token.getValue());
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, auth);
this.redisConnectionSet_2_0.invoke(conn, accessToRefreshKey, refresh);
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(refreshToAccessKey, auth);
conn.set(accessToRefreshKey, refresh);
}
expireRefreshToken(refreshToken, conn, refreshToAccessKey, accessToRefreshKey);
}
conn.closePipeline();
} finally {
conn.close();
}
}
private static String getApprovalKey(OAuth2Authentication authentication) {
String userName = authentication.getUserAuthentication() == null ? ""
: authentication.getUserAuthentication().getName();
return getApprovalKey(authentication.getOAuth2Request().getClientId(), userName);
}
private static String getApprovalKey(String clientId, String userName) {
return clientId + (userName == null ? "" : ":" + userName);
}
@Override
public void removeAccessToken(OAuth2AccessToken accessToken) {
removeAccessToken(accessToken.getValue());
}
@Override
public OAuth2AccessToken readAccessToken(String tokenValue) {
byte[] key = serializeKey(ACCESS + tokenValue);
byte[] bytes;
RedisConnection conn = getConnection();
try {
bytes = conn.get(key);
} finally {
conn.close();
}
return deserializeAccessToken(bytes);
}
public void removeAccessToken(String tokenValue) {
byte[] accessKey = serializeKey(ACCESS + tokenValue);
byte[] authKey = serializeKey(SecurityConstants.REDIS_TOKEN_AUTH + tokenValue);
byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + tokenValue);
RedisConnection conn = getConnection();
try {
byte[] access = conn.get(accessKey);
byte[] auth = conn.get(authKey);
conn.openPipeline();
conn.del(accessKey);
conn.del(accessToRefreshKey);
// Don't remove the refresh token - it's up to the caller to do that
conn.del(authKey);
conn.closePipeline();
OAuth2Authentication authentication = deserializeAuthentication(auth);
if (authentication != null) {
String key = authenticationKeyGenerator.extractKey(authentication);
byte[] relationIdTokenKey = getRelationIdTokenKey(authentication);
byte[] authToAccessKey = serializeKey(AUTH_TO_ACCESS + key);
byte[] unameKey = serializeKey(SecurityConstants.REDIS_UNAME_TO_ACCESS + getApprovalKey(authentication));
byte[] clientId = serializeKey(SecurityConstants.REDIS_CLIENT_ID_TO_ACCESS + authentication.getOAuth2Request().getClientId());
conn.openPipeline();
conn.del(authToAccessKey);
conn.lRem(unameKey, 1, access);
conn.lRem(clientId, 1, access);
conn.del(serialize(ACCESS + key));
if(relationIdTokenKey!=null){
conn.del(relationIdTokenKey);
}
conn.closePipeline();
}
} catch (Exception e){
e.printStackTrace();
log.error("removeAccessToken 失败:{}",e.getMessage());
}finally {
conn.close();
}
}
@Override
public void storeRefreshToken(OAuth2RefreshToken refreshToken, OAuth2Authentication authentication) {
RedisConnection conn = getConnection();
try {
byte[] refreshKey = serializeKey(REFRESH + refreshToken.getValue());
byte[] refreshAuthKey = serializeKey(REFRESH_AUTH + refreshToken.getValue());
byte[] serializedRefreshToken = serialize(refreshToken);
conn.openPipeline();
if (springDataRedis_2_0) {
try {
this.redisConnectionSet_2_0.invoke(conn, refreshKey, serializedRefreshToken);
this.redisConnectionSet_2_0.invoke(conn, refreshAuthKey, serialize(authentication));
} catch (Exception ex) {
throw new RuntimeException(ex);
}
} else {
conn.set(refreshKey, serializedRefreshToken);
conn.set(refreshAuthKey, serialize(authentication));
}
expireRefreshToken(refreshToken, conn, refreshKey, refreshAuthKey);
conn.closePipeline();
} catch (Exception e){
e.printStackTrace();
log.error("storeRefreshToken 失败:{}",e.getMessage());
}finally {
conn.close();
}
}
private void expireRefreshToken(OAuth2RefreshToken refreshToken, RedisConnection conn, byte[] refreshKey, byte[] refreshAuthKey) {
if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
ExpiringOAuth2RefreshToken expiringRefreshToken = (ExpiringOAuth2RefreshToken) refreshToken;
Date expiration = expiringRefreshToken.getExpiration();
if (expiration != null) {
int seconds = Long.valueOf((expiration.getTime() - System.currentTimeMillis()) / 1000L)
.intValue();
conn.expire(refreshKey, seconds);
conn.expire(refreshAuthKey, seconds);
}
}
}
@Override
public OAuth2RefreshToken readRefreshToken(String tokenValue) {
byte[] key = serializeKey(REFRESH + tokenValue);
byte[] bytes;
RedisConnection conn = getConnection();
try {
bytes = conn.get(key);
} finally {
conn.close();
}
return deserializeRefreshToken(bytes);
}
@Override
public void removeRefreshToken(OAuth2RefreshToken refreshToken) {
removeRefreshToken(refreshToken.getValue());
}
public void removeRefreshToken(String tokenValue) {
RedisConnection conn = getConnection();
try {
byte[] refreshKey = serializeKey(REFRESH + tokenValue);
byte[] refreshAuthKey = serializeKey(REFRESH_AUTH + tokenValue);
byte[] refresh2AccessKey = serializeKey(REFRESH_TO_ACCESS + tokenValue);
byte[] access2RefreshKey = serializeKey(ACCESS_TO_REFRESH + tokenValue);
conn.openPipeline();
conn.del(refreshKey);
conn.del(refreshAuthKey);
conn.del(refresh2AccessKey);
conn.del(access2RefreshKey);
conn.closePipeline();
} catch (Exception e){
e.printStackTrace();
log.error("removeRefreshToken 失败:{}",e.getMessage());
}finally {
conn.close();
}
}
@Override
public void removeAccessTokenUsingRefreshToken(OAuth2RefreshToken refreshToken) {
removeAccessTokenUsingRefreshToken(refreshToken.getValue());
}
private void removeAccessTokenUsingRefreshToken(String refreshToken) {
byte[] key = serializeKey(REFRESH_TO_ACCESS + refreshToken);
RedisConnection conn = getConnection();
byte[] bytes = null;
try {
bytes = conn.get(key);
conn.del(key);
} finally {
conn.close();
}
if (bytes == null) {
return;
}
String accessToken = deserializeString(bytes);
if (accessToken != null) {
removeAccessToken(accessToken);
}
}
@Override
public Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(String clientId, String userName) {
byte[] approvalKey = serializeKey(SecurityConstants.REDIS_UNAME_TO_ACCESS + getApprovalKey(clientId, userName));
List<byte[]> byteList;
RedisConnection conn = getConnection();
try {
byteList = conn.lRange(approvalKey, 0, -1);
} finally {
conn.close();
}
return getTokenCollections(byteList);
}
@Override
public Collection<OAuth2AccessToken> findTokensByClientId(String clientId) {
byte[] key = serializeKey(SecurityConstants.REDIS_CLIENT_ID_TO_ACCESS + clientId);
List<byte[]> byteList;
RedisConnection conn = getConnection();
try {
byteList = conn.lRange(key, 0, -1);
} finally {
conn.close();
}
return getTokenCollections(byteList);
}
private Collection<OAuth2AccessToken> getTokenCollections(List<byte[]> byteList) {
if (byteList == null || byteList.size() == 0) {
return Collections.emptySet();
}
List<OAuth2AccessToken> accessTokens = new ArrayList<>(byteList.size());
for (byte[] bytes : byteList) {
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
accessTokens.add(accessToken);
}
return Collections.unmodifiableCollection(accessTokens);
}
}五、token续期
方式:后端自动续期,APP前端不用处理。
在gateway服务中,每次校验token时,如果token离过期时间小于24小时,则自动续期。
5.1 gateway服务代码
public class CustomAuthenticationManager implements ReactiveAuthenticationManager {
private TokenStore tokenStore;
public CustomAuthenticationManager(TokenStore tokenStore) {
this.tokenStore = tokenStore;
}
@Override
public Mono<Authentication> authenticate(Authentication authentication) {
return Mono.justOrEmpty(authentication)
.filter(a -> a instanceof BearerTokenAuthenticationToken)
.cast(BearerTokenAuthenticationToken.class)
.map(BearerTokenAuthenticationToken::getToken)
.flatMap((accessTokenValue -> {
OAuth2AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue);
if (accessToken == null) {
throw new AlanChenException(ResultCode.UNAUTHORIZED,"登录状态失效");
} else if (accessToken.isExpired()) {
throw new AlanChenException(ResultCode.UNAUTHORIZED,"登录状态失效");
} else {
OAuth2RefreshToken refreshToken= tokenStore.readRefreshToken(accessToken.getRefreshToken().getValue());
if(null == refreshToken) {
throw new AlanChenException(ResultCode.JWT_OFFLINE,"账号在其他设备登录了");
}
}
// token续期代码在readAuthentication方法里
OAuth2Authentication result = tokenStore.readAuthentication(accessToken);
if (result == null) {
throw new AlanChenException(ResultCode.FORBIDDEN,"没有权限");
}
return Mono.just(result);
}))
.cast(Authentication.class);
}
}注意:gateway这里取token不是直接用的App前端传过来的token,而是通过Authentication来取的,这有这样后端token续期了才会有效。
5.2 CustomRedisTokenStore代码
@Slf4j
public class CustomRedisTokenStore implements TokenStore {
//其他代码省略
@Override
public OAuth2Authentication readAuthentication(OAuth2AccessToken token) {
OAuth2Authentication auth2Authentication = readAuthentication(token.getValue());
if (auth2Authentication != null) {
//获取过期时长
int validitySeconds = 2592000; //2592000
int expiresRatio = validitySeconds - token.getExpiresIn();
//判断是否需要续签,当前剩余时间小于过期时长的24小时则续签
if (expiresRatio >= 24 * 3600) {
//更新AccessToken过期时间
DefaultOAuth2AccessToken oAuth2AccessToken = (DefaultOAuth2AccessToken) token;
Date expiration = new Date(System.currentTimeMillis() + (validitySeconds * 1000L));
oAuth2AccessToken.setExpiration(expiration);
storeAccessToken(oAuth2AccessToken, auth2Authentication, true);
OAuth2RefreshToken refreshToken = new DefaultExpiringOAuth2RefreshToken(token.getRefreshToken().getValue(), expiration);
storeRefreshToken(refreshToken, auth2Authentication);
}
}
return auth2Authentication;
}
}以上就是OAuth2生成token代码备忘实现过程示例的详细内容,更多关于OAuth2生成token代码备忘的资料请关注脚本之家其它相关文章!