Spring OAuth2 授權服務器配置詳解

前兩篇文章分別體驗了Spring Authorization Server的使用和講解了其各個過濾器的作用。今天來講講Spring Authorization Server授權服務器的配置。強烈建議自己手動搭建一次試試，紙上得來終覺淺，深知此事要躬行。提升你的代碼量才是提高編程技能的不二法門，這也是本篇教程的意義所在。同時也希望多多點贊，轉發(fā)，多多支持作者原創(chuàng)分享。

配置依賴

首先要創(chuàng)建一個Spring Boot Servlet Web項目，這個不難就不贅述了。集成Spring Authorization Server需要引入：

????????
????????<dependency>
????????????<groupId>org.springframework.bootgroupId>
????????????<artifactId>spring-boot-starter-securityartifactId>
????????dependency>
????????<dependency>
????????????<groupId>org.springframework.securitygroupId>
????????????<artifactId>spring-security-oauth2-authorization-serverartifactId>
????????
????????????<version>0.2.0version>
????????dependency>

OAuth2.0 Client客戶端需要注冊到授權服務器并持久化，Spring Authorization Server提供了JDBC實現(xiàn)，參見JdbcRegisteredClientRepository。為了演示方便這里我采用了H2數(shù)據庫，需要以下依賴：

????????
????????<dependency>
????????????<groupId>org.springframework.bootgroupId>
????????????<artifactId>spring-boot-starter-jdbcartifactId>
????????dependency>
????????<dependency>
????????????<groupId>com.h2databasegroupId>
????????????<artifactId>h2artifactId>
????????dependency>

?

生產你可以切換到其它關系型數(shù)據庫，數(shù)據庫腳本在Spring Authorization Server入門 一文的DEMO中。

Spring Authorization Server配置

接下來是Spring Authorization Server的配置。

過濾器鏈配置

根據上一文對過濾器鏈的拆解，我們需要在Spring Security的過濾器鏈中注入一些特定的過濾器。這些過濾器的配置由OAuth2AuthorizationServerConfigurer來完成。以下為默認的配置：

????void?defaultOAuth2AuthorizationServerConfigurer(HttpSecurity?http)?throws?Exception?{
????????OAuth2AuthorizationServerConfigurer?authorizationServerConfigurer?=
????????????????new?OAuth2AuthorizationServerConfigurer<>();
????????//?TODO?你可以根據需求對authorizationServerConfigurer進行一些個性化配置
????????RequestMatcher?authorizationServerEndpointsMatcher?=?authorizationServerConfigurer.getEndpointsMatcher();

????????//?攔截?授權服務器相關的請求端點
????????http.requestMatcher(authorizationServerEndpointsMatcher)
????????????????.authorizeRequests().anyRequest().authenticated().and()
????????????????//?忽略掉相關端點的csrf
????????????????.csrf(csrf?->?csrf.ignoringRequestMatchers(authorizationServerEndpointsMatcher))
????????????????//?開啟form登錄
????????????????.formLogin()
????????????????.and()
????????????????//?應用?授權服務器的配置
????????????????.apply(authorizationServerConfigurer);
????}

?

你可以調用OAuth2AuthorizationServerConfigurer提供的配置方法進行一些個性化配置。

OAuth2.0客戶端信息持久化

這些信息會持久化到數(shù)據庫，Spring Authorization Server提供了三個DDL腳本。在入門教程的DEMO，H2會自動初始化執(zhí)行這些DDL腳本，如果你切換到Mysql等數(shù)據庫，可能需要你自行執(zhí)行。

客戶端配置信息注冊

授權服務器要求客戶端必須是已經注冊的，避免非法的客戶端發(fā)起授權申請。就像你平常去一些開放平臺申請一個ClientID和Secret。下面是定義腳本:

CREATE?TABLE?oauth2_registered_client
(
????id????????????????????????????varchar(100)????????????????????????NOT?NULL,
????client_id?????????????????????varchar(100)????????????????????????NOT?NULL,
????client_id_issued_at???????????timestamp?DEFAULT?CURRENT_TIMESTAMP?NOT?NULL,
????client_secret?????????????????varchar(200)????????????????????????NULL,
????client_secret_expires_at??????timestamp???????????????????????????NULL,
????client_name???????????????????varchar(200)????????????????????????NOT?NULL,
????client_authentication_methods?varchar(1000)???????????????????????NOT?NULL,
????authorization_grant_types?????varchar(1000)???????????????????????NOT?NULL,
????redirect_uris?????????????????varchar(1000)???????????????????????NULL,
????scopes????????????????????????varchar(1000)???????????????????????NOT?NULL,
????client_settings???????????????varchar(2000)???????????????????????NOT?NULL,
????token_settings????????????????varchar(2000)???????????????????????NOT?NULL,
????PRIMARY?KEY?(id)
);

對應的Java類為RegisteredClient:

public?class?RegisteredClient?implements?Serializable?{
?private?static?final?long?serialVersionUID?=?Version.SERIAL_VERSION_UID;
?private?String?id;
?private?String?clientId;
?private?Instant?clientIdIssuedAt;
?private?String?clientSecret;
?private?Instant?clientSecretExpiresAt;
?private?String?clientName;
?private?Set?clientAuthenticationMethods;
?private?Set?authorizationGrantTypes;
?private?Set?redirectUris;
?private?Set?scopes;
?private?ClientSettings?clientSettings;
?private?TokenSettings?tokenSettings;
????
????//?省略
}

定義一個客戶端可以通過下面的Builder方法實現(xiàn)：

????????RegisteredClient?registeredClient?=?RegisteredClient.withId(UUID.randomUUID().toString())
//???????????????唯一的客戶端ID和密碼
????????????????.clientId("felord-client")
????????????????.clientSecret("secret")
//????????????????名稱?可不定義
????????????????.clientName("felord")
//????????????????授權方法
????????????????.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
//????????????????授權類型
????????????????.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
????????????????.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
????????????????.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
//????????????????回調地址名單，不在此列將被拒絕?而且只能使用IP或者域名??不能使用?localhost
????????????????.redirectUri("http://127.0.0.1:8080/login/oauth2/code/felord-oidc")
????????????????.redirectUri("http://127.0.0.1:8080/authorized")
????????????????.redirectUri("http://127.0.0.1:8080/foo/bar")
????????????????.redirectUri("https://baidu.com")
//????????????????OIDC支持
????????????????.scope(OidcScopes.OPENID)
//????????????????其它Scope
????????????????.scope("message.read")
????????????????.scope("message.write")
//????????????????JWT的配置項?包括TTL??是否復用refreshToken等等
????????????????.tokenSettings(TokenSettings.builder().build())
//????????????????配置客戶端相關的配置項，包括驗證密鑰或者?是否需要授權頁面
????????????????.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
????????????????.build();

持久化到數(shù)據庫的RegisteredClient用JSON表示為：

??{
????"id":?"658cd010-4d8c-4824-a8c7-a86b642299af",
????"client_id":?"felord-client",
????"client_id_issued_at":?"2021-11-11?18:01:09",
????"client_secret":?"{bcrypt}$2a$10$XKZ8iUckDcdQWnqw682zV.DVyGuov8Sywx1KyAn4tySsw.Jtltg0.",
????"client_secret_expires_at":?null,
????"client_name":?"felord",
????"client_authentication_methods":?"client_secret_basic",
????"authorization_grant_types":?"refresh_token,client_credentials,authorization_code",
????"redirect_uris":?"http://127.0.0.1:8080/foo/bar,http://127.0.0.1:8080/authorized,http://127.0.0.1:8080/login/oauth2/code/felord-oidc,https://baidu.com",
????"scopes":?"openid,message.read,message.write",
????"client_settings":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"settings.client.require-proof-key\":false,\"settings.client.require-authorization-consent\":true}",
????"token_settings":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"settings.token.reuse-refresh-tokens\":true,\"settings.token.id-token-signature-algorithm\":[\"org.springframework.security.oauth2.jose.jws.SignatureAlgorithm\",\"RS256\"],\"settings.token.access-token-time-to-live\":[\"java.time.Duration\",300.000000000],\"settings.token.refresh-token-time-to-live\":[\"java.time.Duration\",3600.000000000]}"
??}

?

注意上面的配置和你OAuth2.0客戶端應用的配置息息相關。

既然持久化了，那自然需要操作該表的JDBC服務接口了，這個接口為RegisteredClientRepository。我們需要聲明一個實現(xiàn)為Spring Bean，這里選擇基于JDBC的實現(xiàn)：

???@Bean
???public?RegisteredClientRepository?registeredClientRepository(JdbcTemplate?jdbcTemplate)?{
????????return?new?JdbcRegisteredClientRepository(jdbcTemplate);
?????}

別忘記調用save(RegisteredClient)方法把需要注冊的客戶端信息持久化。

?

該實現(xiàn)依賴spring-boot-starter-jdbc類庫，你也可以閑得慌使用Mybatis進行實現(xiàn)。

OAuth2授權信息持久化

記錄授權的資源擁有者（Resource Owner）對某個客戶端的某次授權記錄。對應的Java類為OAuth2Authorization。下面是定義腳本:

CREATE?TABLE?oauth2_authorization
(
????id????????????????????????????varchar(100)??NOT?NULL,
????registered_client_id??????????varchar(100)??NOT?NULL,
????principal_name????????????????varchar(200)??NOT?NULL,
????authorization_grant_type??????varchar(100)??NOT?NULL,
????attributes????????????????????varchar(4000)?NULL,
????state?????????????????????????varchar(500)??NULL,
????authorization_code_value??????blob??????????NULL,
????`authorization_code_issued_at`??timestamp?????NULL,
????authorization_code_expires_at?timestamp?????NULL,
????authorization_code_metadata???varchar(2000)?NULL,
????access_token_value????????????blob??????????NULL,
????access_token_issued_at????????timestamp?????NULL,
????access_token_expires_at???????timestamp?????NULL,
????access_token_metadata?????????varchar(2000)?NULL,
????access_token_type?????????????varchar(100)??NULL,
????access_token_scopes???????????varchar(1000)?NULL,
????oidc_id_token_value???????????blob??????????NULL,
????oidc_id_token_issued_at???????timestamp?????NULL,
????oidc_id_token_expires_at??????timestamp?????NULL,
????oidc_id_token_metadata????????varchar(2000)?NULL,
????refresh_token_value???????????blob??????????NULL,
????refresh_token_issued_at???????timestamp?????NULL,
????refresh_token_expires_at??????timestamp?????NULL,
????refresh_token_metadata????????varchar(2000)?NULL,
????PRIMARY?KEY?(id)
);

?

這里的機制目前還沒有研究，先挖個坑。

同樣它也需要一個持久化服務接口OAuth2AuthorizationService并注入Spring IoC：

/**
?*?管理OAuth2授權信息服務
?*
?*?@param?jdbcTemplate???????????????the?jdbc?template
?*?@param?registeredClientRepository?the?registered?client?repository
?*?@return?the?o?auth?2?authorization?service
?*/
@Bean
public?OAuth2AuthorizationService?authorizationService(JdbcTemplate?jdbcTemplate,
???????????????????????????????????????????????????????RegisteredClientRepository?registeredClientRepository)?{
????return?new?JdbcOAuth2AuthorizationService(jdbcTemplate,?
????????????registeredClientRepository);
}

持久化到數(shù)據庫的OAuth2Authorization用JSON表示為：

??{
????"id":?"aa2f6e7d-d9b9-4360-91ef-118cbb6d4b09",
????"registered_client_id":?"658cd010-4d8c-4824-a8c7-a86b642299af",
????"principal_name":?"felord",
????"authorization_grant_type":?"authorization_code",
????"attributes":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest\":{\"@class\":\"org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest\",\"authorizationUri\":\"http://localhost:9000/oauth2/authorize\",\"authorizationGrantType\":{\"value\":\"authorization_code\"},\"responseType\":{\"value\":\"code\"},\"clientId\":\"felord-client\",\"redirectUri\":\"http://127.0.0.1:8080/foo/bar\",\"scopes\":[\"java.util.Collections$UnmodifiableSet\",[\"message.read\",\"message.write\"]],\"state\":\"9gTcVNXgV8Pn_Ron3bkFb6M92AYCodeWKoEd6xxaiUg=\",\"additionalParameters\":{\"@class\":\"java.util.Collections$UnmodifiableMap\"},\"authorizationRequestUri\":\"http://localhost:9000/oauth2/authorize?response_type=code&client_id=felord-client&scope=message.read%20message.write&state=9gTcVNXgV8Pn_Ron3bkFb6M92AYCodeWKoEd6xxaiUg%3D&redirect_uri=http://127.0.0.1:8080/foo/bar\",\"attributes\":{\"@class\":\"java.util.Collections$UnmodifiableMap\"}},\"java.security.Principal\":{\"@class\":\"org.springframework.security.authentication.UsernamePasswordAuthenticationToken\",\"authorities\":[\"java.util.Collections$UnmodifiableRandomAccessList\",[{\"@class\":\"org.springframework.security.core.authority.SimpleGrantedAuthority\",\"authority\":\"ROLE_USER\"}]],\"details\":{\"@class\":\"org.springframework.security.web.authentication.WebAuthenticationDetails\",\"remoteAddress\":\"0:0:0:0:0:0:0:1\",\"sessionId\":\"FD624F1AD55A2418CC9815A86AA32696\"},\"authenticated\":true,\"principal\":{\"@class\":\"org.springframework.security.core.userdetails.User\",\"password\":null,\"username\":\"felord\",\"authorities\":[\"java.util.Collections$UnmodifiableSet\",[{\"@class\":\"org.springframework.security.core.authority.SimpleGrantedAuthority\",\"authority\":\"ROLE_USER\"}]],\"accountNonExpired\":true,\"accountNonLocked\":true,\"credentialsNonExpired\":true,\"enabled\":true},\"credentials\":null},\"org.springframework.security.oauth2.server.authorization.OAuth2Authorization.AUTHORIZED_SCOPE\":[\"java.util.Collections$UnmodifiableSet\",[\"message.read\",\"message.write\"]]}",
????"state":?null,
????"authorization_code_value":?"EZFxDcsKoaGtyqRTS0oNMg85EcVcyLdVssuD3SV-o0FvNXsSTRjTmCdu0ZPZnVIQ7K4TTSzrvLwBqoRXOigo_dWVNeqE44LjHHL_KtujM_Mxz8hLZgGhtfipvTdpWWR1",
????"authorization_code_issued_at":?"2021-11-11?18:44:45",
????"authorization_code_expires_at":?"2021-11-11?18:49:45",
????"authorization_code_metadata":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"metadata.token.invalidated\":true}",
????"access_token_value":?"eyJ4NXQjUzI1NiI6IlZGR1F4Q21nSEloX2dhRi13UGIxeEM5b0tBMXc1bGEwRUZtcXFQTXJxbXciLCJraWQiOiJmZWxvcmRjbiIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJmZWxvcmQiLCJhdWQiOiJmZWxvcmQtY2xpZW50IiwibmJmIjoxNjM2NjI3NDg0LCJzY29wZSI6WyJtZXNzYWdlLnJlYWQiLCJtZXNzYWdlLndyaXRlIl0sImlzcyI6Imh0dHA6XC9cL2xvY2FsaG9zdDo5MDAwIiwiZXhwIjoxNjM2NjI3Nzg0LCJpYXQiOjE2MzY2Mjc0ODR9.CFzye9oIh8-ZMpyp9XoIXIQLnj2Sn17yZ9bgn7NYAbrp2hRq-Io_Se2SJpSEMa_Ce44aOGmcLTmIOILYUxlU08QCtHgr4UfCZttzroQhEn3Qui7fixBMprPYqxmu2KL5G_l3q5EWyh4G0ilHpByCBDeBGAl7FpaxSDlelnBfNGs9q6nJCs7aC40U_YPBRLoCBLVK1Y8t8kQvNu8NqCkS5D5DZAogpmlVg7jSIPz1UXVIh7iDTTQ1wJl6rZ1E87E0UroX4eSuYfMQ351y65IUlB14hvKhu03yDLTiVKtujOo3m0DAkJTbk3ZkFZEmDf4N3Yn-ktU7cyswQWa1bKf3og",
????"access_token_issued_at":?"2021-11-11?18:44:45",
????"access_token_expires_at":?"2021-11-11?18:49:45",
????"access_token_metadata":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"metadata.token.claims\":{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"sub\":\"felord\",\"aud\":[\"java.util.Collections$SingletonList\",[\"felord-client\"]],\"nbf\":[\"java.time.Instant\",1636627484.674000000],\"scope\":[\"java.util.Collections$UnmodifiableSet\",[\"message.read\",\"message.write\"]],\"iss\":[\"java.net.URL\",\"http://localhost:9000\"],\"exp\":[\"java.time.Instant\",1636627784.674000000],\"iat\":[\"java.time.Instant\",1636627484.674000000]},\"metadata.token.invalidated\":false}",
????"access_token_type":?"Bearer",
????"access_token_scopes":?"message.read,message.write",
????"oidc_id_token_value":?null,
????"oidc_id_token_issued_at":?null,
????"oidc_id_token_expires_at":?null,
????"oidc_id_token_metadata":?null,
????"refresh_token_value":?"hbD9dVMpu855FhDDOYapwsQSx8zO9iPX5LUZKeXWzUcbE2rgYRV-sgXl5vGwyByLNljcqVyK9Pgquzbcoe6dkt0_yPQPJfxLY8ezEQ-QREBjxNYqecd6OI9SHMQkBObG",
????"refresh_token_issued_at":?"2021-11-11?18:44:45",
????"refresh_token_expires_at":?"2021-11-11?19:44:45",
????"refresh_token_metadata":?"{\"@class\":\"java.util.Collections$UnmodifiableMap\",\"metadata.token.invalidated\":false}"
??}

?

存儲的東西還是比較全的，甚至把Java類都序列化了。

確認授權持久化

資源擁有者（Resource Owner）對授權的確認信息OAuth2AuthorizationConsent的持久化，這個比較簡單。下面是定義腳本:

CREATE?TABLE?oauth2_authorization_consent
(
????registered_client_id?varchar(100)??NOT?NULL,
????principal_name???????varchar(200)??NOT?NULL,
????authorities??????????varchar(1000)?NOT?NULL,
????PRIMARY?KEY?(registered_client_id,?principal_name)
);

對應的持久化服務接口為OAuth2AuthorizationConsentService，也要注入Spring IoC:

@Bean
public?OAuth2AuthorizationConsentService?authorizationConsentService(JdbcTemplate?jdbcTemplate,?
?????????????????????????????????????????????????????????????????????RegisteredClientRepository?registeredClientRepository)?{
????return?new?JdbcOAuth2AuthorizationConsentService(jdbcTemplate,?registeredClientRepository);
}

持久化到數(shù)據庫的OAuth2AuthorizationConsent用JSON表示為：

??{
????"registered_client_id":?"658cd010-4d8c-4824-a8c7-a86b642299af",
????"principal_name":?"felord",
????"authorities":?"SCOPE_message.read,SCOPE_message.write"
??}

JWK

JWK全稱JSON Web Key，是一個將加密的密鑰用JSON對象描述的規(guī)范，和JWT一樣是JOSE規(guī)范的重要組成部分。規(guī)范的詳細定義可參考JWK文檔。JWK參考示例：

{
????"keys":?[
????????{
????????????"kty":?"RSA",
????????????"x5t#S256":?"VFGQxCmgHIh_gaF-wPb1xC9oKA1w5la0EFmqqPMrqmw",
????????????"e":?"AQAB",
????????????"kid":?"felordcn",
????????????"x5c":?[
"MIIDczCCAlugAwIBAgIEURwmYzANBgkqhkiG9w0BAQsFADBqMQ0wCwYDVQQGEwQoY24pMQ0wCwYDVQQIEwQoaG4pMQ0wCwYDVQQHEwQoenopMRMwEQYDVQQKEwooZmVsb3JkY24pMRMwEQYDVQQLEwooZmVsb3JkY24pMREwDwYDVQQDEwgoRmVsb3JkKTAeFw0yMTEwMTgwNDUwMTRaFw0yMjEwMTgwNDUwMTRaMGoxDTALBgNVBAYTBChjbikxDTALBgNVBAgTBChobikxDTALBgNVBAcTBCh6eikxEzARBgNVBAoTCihmZWxvcmRjbikxEzARBgNVBAsTCihmZWxvcmRjbikxETAPBgNVBAMTCChGZWxvcmQpMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAgo0TPk1td7iROmmLcGbOsZ2F68kTertDwRyk+leqBl+qyJAkjoVgVaCRRQHZmvu/YGp93vOaEd/zFdVj/rFvMXmwBxgYPOeSG0bHkYtFBaUiLf1vhW5lyiPHcGide3uw1p+il3JNiOpcnLCbAKZgzm4qaugeuOD02/M0YcMW2Jqg3SUWpC+9vu9yt5dVc1xpmpwEAamKzvynI3Zxl44ddlA8RRAS6kV0OUcKbEG63G3yZ4MHnhrFrZDuvlwfSSgn0wFOC/b6mJ+bUxByMAXKD0d4DS2B2mVl7RO5AzL4SFcqtZZE3Drtcli67bsENyOQeoTVaKO6gu5PEEFlQ7pHKwIDAQABoyEwHzAdBgNVHQ4EFgQUqbLZ76DtdEEpTZUcgP7LsdGk8/AwDQYJKoZIhvcNAQELBQADggEBAEzfhi6/B00NxSPKAYJea/0MIyHr4X8Ue6Du+xl2q0UFzSkyIiMcPNmOYW5L1PWGjxR5IIiUgxKI5bEvhLkHhkMV+GRQSPKJXeC3szHdoZ3fXDZnuC0I88a1YDsvzuVhyjLL/n5lETRT4QWo5LsAj5v7AX+p46HM0iqSyTptafm2wheEosFA3ro4+vEDRaMrKLY1KdJuvvrrQIRpplhB/JbncmjWrEEvICSLEXm+kdGFgWNXkNxF0PhTLyPu3tEb2xLmjFltALwi3KPUGv9zVjxb7KyYiMnVsOPnwpDLOyREM9j4RLDiwf0tsCqPqltVExvFZouoL26fhcozfcrqC70="
????????????],
????????????"n":?"go0TPk1td7iROmmLcGbOsZ2F68kTertDwRyk-leqBl-qyJAkjoVgVaCRRQHZmvu_YGp93vOaEd_zFdVj_rFvMXmwBxgYPOeSG0bHkYtFBaUiLf1vhW5lyiPHcGide3uw1p-il3JNiOpcnLCbAKZgzm4qaugeuOD02_M0YcMW2Jqg3SUWpC-9vu9yt5dVc1xpmpwEAamKzvynI3Zxl44ddlA8RRAS6kV0OUcKbEG63G3yZ4MHnhrFrZDuvlwfSSgn0wFOC_b6mJ-bUxByMAXKD0d4DS2B2mVl7RO5AzL4SFcqtZZE3Drtcli67bsENyOQeoTVaKO6gu5PEEFlQ7pHKw"
????????}
????]
}

?

JWK的意義在于生成JWT和提供JWK端點給OAuth2.0資源服務器解碼校驗JWT。

公私鑰

JWK會涉及到加密算法，這里使用RSASHA256算法來作為加密算法，并通過Keytool工具來生成.jks公私鑰證書文件。當然你也可以通過openssl來生成pkcs12格式的證書。在Spring Security實戰(zhàn)干貨中已經對生成的方法進行了說明，這里不再贅述。

JWKSource

由于Spring Security的JOSE實現(xiàn)依賴的是nimbus-jose-jwt，所以這里只需要我們實現(xiàn)JWKSource 并注入Spring IoC即可。相關代碼如下：

????/**
?????*?加載JWK資源
?????*
?????*?@return?the?jwk?source
?????*/
????@SneakyThrows
????@Bean
????public?JWKSource?jwkSource()?{
????????//TODO?這里優(yōu)化到配置
????????//?證書的路徑
????????String?path?=?"felordcn.jks";
????????//?證書別名
????????String?alias?=?"felordcn";
????????//?keystore?密碼
????????String?pass?=?"123456";

????????ClassPathResource?resource?=?new?ClassPathResource(path);
????????KeyStore?jks?=?KeyStore.getInstance("jks");
//????????KeyStore?pkcs12?=?KeyStore.getInstance("pkcs12");
????????char[]?pin?=?pass.toCharArray();
????????jks.load(resource.getInputStream(),?pin);
????????RSAKey?rsaKey?=?RSAKey.load(jks,?alias,?pin);

????????JWKSet?jwkSet?=?new?JWKSet(rsaKey);
????????return?(jwkSelector,?securityContext)?->?jwkSelector.select(jwkSet);
????}

授權服務器元信息配置

客戶端信息RegisteredClient包含了Token的配置項TokenSettings和客戶端配置項ClientSettings。授權服務器本身也提供了一個配置工具來配置其元信息，大多數(shù)我們都使用默認配置即可，唯一需要配置的其實只有授權服務器的地址issuer，在DEMO中雖然我使用localhost:9000了issuer沒有什么問題，但是在生產中這個地方應該配置為域名。

????/**
?????*?配置?OAuth2.0?provider元信息
?????*
?????*?@return?the?provider?settings
?????*/
????@Bean
????public?ProviderSettings?providerSettings(@Value("${server.port}")?Integer?port)?{
????????//TODO?生產應該使用域名
????????return?ProviderSettings.builder().issuer("http://localhost:"?+?port).build();
????}

?

你可以修改本地的hosts文件試試用域名。

到這里Spring Authorization Server的配置就完成了，但是整個授權服務器的配置還沒有完成。

授權服務器安全配置

上面是授權服務器本身的配置，授權服務器本身的安全配置是另外一條過濾器鏈承擔的，我們也要對它進行一些配置，都是常規(guī)的Spring Security配置，這里給一個簡單的配置，也是DEMO中的配置：

@EnableWebSecurity(debug?=?true)
public?class?DefaultSecurityConfig?{

????//?@formatter:off
????@Bean
????SecurityFilterChain?defaultSecurityFilterChain(HttpSecurity?http)?throws?Exception?{
????????http.authorizeRequests(authorizeRequests?->
????????????????????????authorizeRequests.anyRequest().authenticated()
????????????????)
????????????????.formLogin();
????????return?http.build();
????}
????//?@formatter:on

????/**
?????*?在內存中抽象一個Spring?Security安全用戶{@link?User}，同時該用戶也是Resource?Owner;
?????*?實際開發(fā)中需要持久化到數(shù)據庫。
?????*
?????*?@return?the?user?details?service
?????*/
//?@formatter:off
????@Bean
????UserDetailsService?users()?{
????????UserDetails?user?=?User.builder()
????????????????.username("felord")
????????????????.password("password")
????????????????.passwordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder()::encode)
????????????????.roles("USER")
????????????????.build();
????????return?new?InMemoryUserDetailsManager(user);
????}
????//?@formatter:on


????/**
?????*?開放一些端點的訪問控制。
?????*
?????*?如果你使用了一些依賴這些端點的程序，比如Consul健康檢查；
?????*?打開H2數(shù)據庫web控制臺訪問控制，方便你查看數(shù)據具體看配置文件說明。
?????*
?????*?@return?the?web?security?customizer
?????*/
????@Bean
????WebSecurityCustomizer?webSecurityCustomizer()?{
????????return?web?->?web.ignoring().antMatchers("/actuator/health","/h2-console/**");
????}
}

到這里一個基于Spring Authorization Server的授權服務器就搭建好了。下一篇我們將實現(xiàn)OAuth2.0的登錄功能，敬請期待。

解惑

?

為什么一個項目配置了兩個甚至多個SecurityFilterChain?

之所以有兩個SecurityFilterChain是因為程序設計要保證職責單一，無論是底層架構還是業(yè)務代碼，為此HttpSecurity被以基于原型（prototype）的Spring Bean注入Spring IoC。針對本應用中的兩條過濾器鏈，分別是授權服務器的過濾器鏈和應用安全的過濾器鏈，它們之間其實互相沒有太多聯(lián)系。

推薦閱讀

授權服務框架Spring Authorization Server的過濾器鏈

2021-11-14

全新的Spring Authorization Server快速入門

2021-11-12

推薦關注本文作者：碼農小胖哥

分享高質量編程知識，探討IT人生