序
本文主要简单介绍一下 spring security oauth2 的 client_credentials 模式。该模式适用于客户端以自身身份（而非代表某个最终用户）调用资源服务的服务间场景，整个流程中不涉及用户登录。
maven
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
    <!-- 原文未给出版本号，请选择与所用 Spring Boot 版本匹配的版本 -->
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
</dependency>
auth server config
@Configuration@EnableAuthorizationServer //提供/oauth/authorize,/oauth/token,/oauth/check_token,/oauth/confirm_access,/oauth/errorpublic class OAuth2ServerConfig extends AuthorizationServerConfigurerAdapter { @Override public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception { oauthServer .tokenKeyAccess("permitAll()") .checkTokenAccess("isAuthenticated()") //allow check token .allowFormAuthenticationForClients(); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.inMemory() .withClient("demoApp") .secret("demoAppSecret") .authorizedGrantTypes("client_credentials", "password", "refresh_token") .scopes("all") .resourceIds("oauth2-resource") .accessTokenValiditySeconds(1200) .refreshTokenValiditySeconds(50000); }}复制代码
resource server config
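@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /** Resource id this server answers for; must match the client's resourceIds on the authorization server. */
    private static final String RESOURCE_ID = "oauth2-resource";

    /**
     * Pins the resource id explicitly.
     *
     * The original empty adapter relied on the framework default, which happens to be the same
     * "oauth2-resource" value registered on the authorization server (it also appears as the
     * realm in the 401 response below). Stating it explicitly keeps the audience check from
     * silently disappearing if either side is renamed. Request authorization is left at the
     * adapter default, so every request still needs a valid bearer token.
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId(RESOURCE_ID);
    }
}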
demo controller
@RestController
@RequestMapping("/api")
public class DemoController {

    /**
     * Returns a placeholder description of the blog with the given id.
     *
     * @param id the {id} path segment
     * @return the text "this is blog " followed by the id
     */
    @GetMapping("/blog/{id}")
    public String getBlogById(@PathVariable long id) {
        String prefix = "this is blog ";
        return prefix.concat(Long.toString(id));
    }
}
验证
没有token请求资源
# Request the protected resource with no token; the server answers 401 with a WWW-Authenticate: Bearer challenge.
curl -i -X GET -H 'Accept: application/json' http://localhost:8080/api/blog/1
返回
HTTP/1.1 401
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Cache-Control: no-store
Pragma: no-cache
WWW-Authenticate: Bearer realm="oauth2-resource", error="unauthorized", error_description="Full authentication is required to access this resource"
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 02 Dec 2017 14:31:51 GMT

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
client_credentials请求授权
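# client_credentials grant; the client authenticates with HTTP Basic.
# -u is used instead of user:secret@host in the URL: curl sends the same Authorization header
# either way, but a URL-embedded secret also ends up in shell history, proxy and access logs.
# Plain http is acceptable on localhost only; the secret and the issued token travel in clear text.
curl -H 'Accept: application/json' -u demoApp:demoAppSecret -d grant_type=client_credentials http://localhost:8080/oauth/token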
或者
# Same grant, with the client credentials in the form body instead of HTTP Basic.
# This only works because allowFormAuthenticationForClients() is set on the authorization server.
curl -H 'Accept: application/json' \
  -d grant_type=client_credentials \
  -d client_id=demoApp \
  -d client_secret=demoAppSecret \
  http://localhost:8080/oauth/token
返回
{"access_token":"6d0ee2b2-c803-49bf-a813-a25bfb59a976","token_type":"bearer","expires_in":1199,"scope":"all"}
携带token请求资源
# Present the access token as a bearer token in the Authorization header (the recommended form).
curl -i -X GET \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer 6d0ee2b2-c803-49bf-a813-a25bfb59a976' \
  http://localhost:8080/api/blog/1
或者
# Alternative: token as the access_token query parameter. Shown for completeness only — a token in
# the URL is written to access logs, proxy logs and shell history; prefer the Authorization header.
curl -i -X GET 'http://localhost:8080/api/blog/1?access_token=fe8bcab3-1d33-4ef1-b1d0-bd142a480af2'
不过这种把 token 放在 URL 查询参数里的方式并不安全：URL 会被记录到服务端访问日志、代理日志、shell 历史中，也可能通过 Referer 头泄露给第三方。生产环境应使用 Authorization: Bearer 请求头传递 token。
返回
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application
Content-Type: application/json;charset=UTF-8
Content-Length: 14
Date: Sat, 02 Dec 2017 14:31:09 GMT

this is blog 1
check token
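# Introspect a token via /oauth/check_token. The calling client authenticates with HTTP Basic
# (the endpoint requires isAuthenticated()). The token is sent in the POST body rather than the
# query string so it does not land in access logs or proxy logs.
curl -i -X POST \
  -H 'Accept: application/json' \
  -u demoApp:demoAppSecret \
  -d token=3d47e053-de16-4e6f-8ec7-f9247f425a8e \
  http://localhost:8080/oauth/check_token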
返回
HTTP/1.1 403
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 02 Dec 2017 14:50:32 GMT

{"timestamp":1512226232386,"status":403,"error":"Forbidden","message":"Access is denied","path":"/oauth/check_token"}
出现 403 是因为 /oauth/check_token 默认不对任何人开放；需要在 AuthorizationServerSecurityConfigurer 中显式放开（这里允许已认证的客户端调用）：
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) throws Exception {
    // /oauth/token_key is public; only relevant once JWT signing keys are in use.
    oauthServer.tokenKeyAccess("permitAll()");
    // /oauth/check_token may be called by any authenticated client; without this line the
    // endpoint is denied, which is the 403 shown above.
    oauthServer.checkTokenAccess("isAuthenticated()");
    // Accept client_id/client_secret as form fields in addition to HTTP Basic.
    oauthServer.allowFormAuthenticationForClients();
}
成功返回（注意：下面示例输出中的 scope 为 read，而上文客户端配置的 scope 为 all，该输出应来自另一次配置下的运行；aud 字段对应客户端的 resourceIds）
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 02 Dec 2017 14:48:33 GMT

{"aud":["oauth2-resource"],"scope":["read"],"exp":1512227200,"client_id":"demoApp"}
token 非法（服务端不认识该 token，例如伪造、已过期或已失效）时返回 400
HTTP/1.1 400
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
X-Application-Context: application
Cache-Control: no-store
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 02 Dec 2017 14:51:33 GMT
Connection: close

{"error":"invalid_token","error_description":"Token was not recognised"}