【安全篇】Spring Boot 整合 Spring Authorization Server

写在最前

• Spring 团队正式宣布 Spring Security OAuth 停止维护，该项目将不会再进行任何的迭代；
• 目前 Spring 生态中的 OAuth2 授权服务器是 Spring Authorization Server 已经可以正式生产使用；
• 作为 SpringBoot 3.0 的过渡版本 SpringBoot 2.7.0 过期了大量关于 SpringSecurity 的配置类，如沿用旧版本过期配置无法向上升级；
• 可以阅读【安全篇】Spring Boot 整合 Spring Security 安全框架，学习一下 Spring Security OAuth 认证；

Spring Authorization Server

Demo 地址：mingyue-springboot-sas

Spring Authorization Server （以下简称 SAS）是 Spring 团队最新开发适配 OAuth 协议的授权服务器项目，旨在替代原有的 Spring Security OAuth Server。目前已经发布了 0.3.1 版本，已支持授权码、客户端、刷新、注销等 OAuth 协议。SAS 项目已经迁移至官方正式仓库维护，成为官方的正式子项目。

Spring Boot 整合 SAS

1.添加依赖

<!-- SAS 依赖 --><dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-oauth2-authorization-server</artifactId><version>0.3.1</version></dependency><!-- Springboot Security --><dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-security</artifactId></dependency>

2.授权码模式认证

2.1.获取授权码

账号：mingyue

密码：123456

http://localhost:3000/oauth2/authorize?client_id=baidu&client_secret=baidu&response_type=code&redirect_uri=https://www.baidu.com

2.2.获取令牌

curl --location --request POST 'http://localhost:3000/oauth2/token'\
--header 'Authorization: Basic YmFpZHU6YmFpZHU='\
--header 'Content-Type: application/x-www-form-urlencoded'\
--data-urlencode 'grant_type=authorization_code'\
--data-urlencode 'code=hrzQ4UpL5fJ6oeYbKhiWITQF_1ZKNDZ5ahtX7O0nM-59bsTE75389_A1iVjF8V1rFTDCzOvX66kS7fFyGpakvj0HUUCWg-Br0hRcx5IXYlwi8osLoZrsdsOaUE7eEgwq'\
--data-urlencode 'redirect_uri=https://www.baidu.com'

返回示例：

{"access_toke n":"cM_htxUi2r7s5YqmZ31fqmWSGroJcnFIxMdfbscP9N0wd8NWx9j3qeH-C6Iej6lxKVRp0QLA3kDQgmKkvrXTGz3bhlqAkoFv8bR-QeqdCuUBks9bVcU9986stEF9k2bs","refresh_token":"ZaOys78E8VqESI9wAY5ISD2JWbPhOELnpICeiO6vPcE7bJik7qG-NWI59hXW6uw2lSJjrYzrxzFqohBk0TpA28Mj1_i030JiYniAf9hNWPt5iN0dld6J40y3fKfD_7Uq","token_type":"Bearer","expires_in":299}

2.3.刷新令牌

curl --location --request POST 'http://localhost:3000/oauth2/token'\
--header 'Authorization: Basic YmFpZHU6YmFpZHU='\
--header 'Content-Type: application/x-www-form-urlencoded'\
--data-urlencode 'grant_type=refresh_token'\
--data-urlencode 'refresh_token=ZaOys78E8VqESI9wAY5ISD2JWbPhOELnpICeiO6vPcE7bJik7qG-NWI59hXW6uw2lSJjrYzrxzFqohBk0TpA28Mj1_i030JiYniAf9hNWPt5iN0dld6J40y3fKfD_7Uq'

返回示例：

{"access_toke n":"F4ZR5L0BIrfolBh7v65rxvEv1cr5R6URtTftLBO-dYbpwzQQbokUW9TXeWLj3rcYWLHNnBPupIafdPZ8EOEQc50V7bxfXPh-ZmaBTnfBtrjqyVm3GsbLqdG7tY8295Rj","refresh_token":"ZaOys78E8VqESI9wAY5ISD2JWbPhOELnpICeiO6vPcE7bJik7qG-NWI59hXW6uw2lSJjrYzrxzFqohBk0TpA28Mj1_i030JiYniAf9hNWPt5iN0dld6J40y3fKfD_7Uq","token_type":"Bearer","expires_in":300}

2.4.撤销令牌

• 通过 access_token

curl --location --request POST 'http://localhost:3000/oauth2/revoke'\
--header 'Authorization: Basic YmFpZHU6YmFpZHU='\
--header 'Content-Type: application/x-www-form-urlencoded'\
--data-urlencode 'token=F4ZR5L0BIrfolBh7v65rxvEv1cr5R6URtTftLBO-dYbpwzQQbokUW9TXeWLj3rcYWLHNnBPupIafdPZ8EOEQc50V7bxfXPh-ZmaBTnfBtrjqyVm3GsbLqdG7tY8295Rj'\
--data-urlencode 'token_type_hint=access_token'

• 通过 refresh_token

curl --location --request POST 'http://localhost:3000/oauth2/revoke'\
--header 'Authorization: Basic YmFpZHU6YmFpZHU='\
--header 'Content-Type: application/x-www-form-urlencoded'\
--data-urlencode 'token=ZaOys78E8VqESI9wAY5ISD2JWbPhOELnpICeiO6vPcE7bJik7qG-NWI59hXW6uw2lSJjrYzrxzFqohBk0TpA28Mj1_i030JiYniAf9hNWPt5iN0dld6J40y3fKfD_7Uq'\
--data-urlencode 'token_type_hint=refresh_token'

3.密码模式认证

3.1.密码登录

curl -X GET -F 'username=mingyue' -F 'password=123456' http://localhost:3000/password/login

返回示例：

{"access_toke n":"FEIWp8cpWPLeZN9UHfpqj2ZwIqJrDd0pZsntYgj92LgOgM_K5gklmM4dVzuLHdxdgzYIDECZIDDbVS_K385L-Y-JOal6OqNmFdTOBgW7h1-w6HXEvH8A1Jmzxjn8N9dA","refresh_token":"Jb-LNN1cfdryNLgH5XTc3TFYOMKzaBa2tPJb1gAs7kcpL6mjbimzFyWBD18Y9LeHGEHymtpTgDQNiLg_BZkaVbfP3Umxf1QsSxDZRJ8l6XBmg-_zdogIWsYyyHTSrLr1","license":"mingyue","token_type":"Bearer","expires_in":300}

3.2.获取认证信息

curl -X GET -F 'token=FEIWp8cpWPLeZN9UHfpqj2ZwIqJrDd0pZsntYgj92LgOgM_K5gklmM4dVzuLHdxdgzYIDECZIDDbVS_K385L-Y-JOal6OqNmFdTOBgW7h1-w6HXEvH8A1Jmzxjn8N9dA' http://localhost:3000/password/info

返回示例：

{"id":"653afaf5-764f-4c29-a016-cfa5fa1a7694","registeredClientId":"baidu","principalName":"mingyue","authorizationGrantType":{"value":"password"},"attributes":{},"refreshToken":{"token":{"tokenValue":"Jb-LNN1cfdryNLgH5XTc3TFYOMKzaBa2tPJb1gAs7kcpL6mjbimzFyWBD18Y9LeHGEHymtpTgDQNiLg_BZkaVbfP3Umxf1QsSxDZRJ8l6XBmg-_zdogIWsYyyHTSrLr1","issuedAt":"2022-08-01T08:30:46.295Z","expiresAt":"2022-08-01T09:30:46.295Z"},"metadata":{"metadata.token.invalidated":false},"active":true,"claims":null,"expired":false,"invalidated":false,"beforeUse":false},"accessToken":{"token":{"tokenValue":"FEIWp8cpWPLeZN9UHfpqj2ZwIqJrDd0pZsntYgj92LgOgM_K5gklmM4dVzuLHdxdgzYIDECZIDDbVS_K385L-Y-JOal6OqNmFdTOBgW7h1-w6HXEvH8A1Jmzxjn8N9dA","issuedAt":"2022-08-01T08:30:46.295Z","expiresAt":"2022-08-01T08:35:46.295Z","tokenType":{"value":"Bearer"},"scopes":[]},"metadata":{"metadata.token.claims":{"sub":"mingyue","aud":["baidu"],"nbf":"2022-08-01T08:30:46.295Z","exp":"2022-08-01T08:35:46.295Z","iat":"2022-08-01T08:30:46.295Z","jti":"ccae9f3d-8003-4ba3-ae40-89d2f731babc"},"metadata.token.invalidated":false},"active":false,"claims":{"sub":"mingyue","aud":["baidu"],"nbf":"2022-08-01T08:30:46.295Z","exp":"2022-08-01T08:35:46.295Z","iat":"2022-08-01T08:30:46.295Z","jti":"ccae9f3d-8003-4ba3-ae40-89d2f731babc"},"expired":true,"invalidated":false,"beforeUse":false}}