1. Background
A project I started recently involves a separate front end and back end as well as single sign-on, so after weighing the options we decided on Spring Security + OAuth 2.0. I took the opportunity to learn this area properly; the last time I studied a security framework it was Shiro. I will skip the SSO basics here, anyone interested can look them up on Baidu or Google.
Spring Security itself ships with OAuth 2.0 integration for GOOGLE, GITHUB, FACEBOOK and OKTA; the specifics live in the enum class CommonOAuth2Provider:
    import org.springframework.security.oauth2.client.registration.ClientRegistration;
    import org.springframework.security.oauth2.core.AuthorizationGrantType;
    import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

    public enum CommonOAuth2Provider {
        GOOGLE {
            @Override
            public ClientRegistration.Builder getBuilder(String registrationId) {
                ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
                builder.scope("openid", "profile", "email");
                builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
                builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
                builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs");
                builder.issuerUri("https://accounts.google.com");
                builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
                builder.userNameAttributeName("sub");
                builder.clientName("Google");
                return builder;
            }
        },
        GITHUB {
            @Override
            public ClientRegistration.Builder getBuilder(String registrationId) {
                ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
                builder.scope("read:user");
                builder.authorizationUri("https://github.com/login/oauth/authorize");
                builder.tokenUri("https://github.com/login/oauth/access_token");
                builder.userInfoUri("https://api.github.com/user");
                builder.userNameAttributeName("id");
                builder.clientName("GitHub");
                return builder;
            }
        },
        FACEBOOK {
            @Override
            public ClientRegistration.Builder getBuilder(String registrationId) {
                ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_POST, "{baseUrl}/{action}/oauth2/code/{registrationId}");
                builder.scope("public_profile", "email");
                builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth");
                builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token");
                builder.userInfoUri("https://graph.facebook.com/me?fields=id,name,email");
                builder.userNameAttributeName("id");
                builder.clientName("Facebook");
                return builder;
            }
        },
        OKTA {
            @Override
            public ClientRegistration.Builder getBuilder(String registrationId) {
                ClientRegistration.Builder builder = getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
                builder.scope("openid", "profile", "email");
                builder.userNameAttributeName("sub");
                builder.clientName("Okta");
                return builder;
            }
        };

        // Shared by every provider: authorization-code grant, the given client
        // authentication method, and the redirect URI template that Spring Security
        // resolves to {baseUrl}/login/oauth2/code/{registrationId} at runtime.
        protected final ClientRegistration.Builder getBuilder(String registrationId,
                ClientAuthenticationMethod method, String redirectUri) {
            ClientRegistration.Builder builder = ClientRegistration.withRegistrationId(registrationId);
            builder.clientAuthenticationMethod(method);
            builder.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE);
            builder.redirectUri(redirectUri);
            return builder;
        }

        // Each constant fills in the provider-specific endpoints and returns a builder
        // that still needs clientId and clientSecret before build() is called.
        public abstract ClientRegistration.Builder getBuilder(String registrationId);
    }
This post uses GitHub single sign-on as the worked sample; everything below is done in a Windows development environment.
2. Client registration
- Register: create a Client application in GitHub; the page generates a client-id and a client-secret.
Registration URL: https://github.com/settings/applications/new
- Homepage URL: the home page, https://localhost:9006
- Authorization callback URL: the authorization callback address, https://localhost:9006/login/oauth2/code/github (this must match the redirect URI template {baseUrl}/{action}/oauth2/code/{registrationId} from the enum above, with action = login and registrationId = github)
Registration itself is straightforward; do it yourself.
3. SSL certificate
In the demo environment the site must be served over HTTPS, otherwise the login will not succeed. For the detailed configuration see [[Java生成SSL证书]] (generating an SSL certificate in Java).
If no certificate is installed, the following happens.
4. IDEA configuration
4.1. pom
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
    </dependencies>
4.2. yml
    server:
      ssl:
        key-store: https.keystore
        key-store-password: 123456
        key-alias: tomcat
      port: 9006
    spring:
      security:
        oauth2:
          client:
            registration:
              github:
                # Client ID configured on the GitHub account
                client-id: 08bc4fb36fxx580a57c1
                # Client secret configured on the GitHub account
                client-secret: df677b978decxefab1c95d4e28288b86913c323
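The programmatic equivalent of the yml registration above, as an added example that is not code from the original post: it reuses Spring Security's CommonOAuth2Provider.GITHUB builder, reads client-id and client-secret from the environment variables GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET (assumed names) instead of committing them to application.yml, and redirects every plain HTTP request to HTTPS as section 3 requires. It assumes the Spring Security 6 API (`authorizeHttpRequests` / `requestMatchers`); the class name is hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class GithubOAuth2Config {

    // Replaces the spring.security.oauth2.client.registration.github block in application.yml.
    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        // The GitHub credentials come from the environment, so they never land in version control.
        ClientRegistration github = CommonOAuth2Provider.GITHUB
                .getBuilder("github") // registrationId "github" -> callback /login/oauth2/code/github
                .clientId(requireEnv("GITHUB_CLIENT_ID"))         // assumed variable name
                .clientSecret(requireEnv("GITHUB_CLIENT_SECRET")) // assumed variable name
                .build();
        return new InMemoryClientRegistrationRepository(github);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Section 3: the demo only works over HTTPS, so send any plain HTTP request there.
            .requiresChannel(channel -> channel.anyRequest().requiresSecure())
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/error").permitAll()
                .anyRequest().authenticated())
            // Enables /oauth2/authorization/github and the /login/oauth2/code/github callback.
            .oauth2Login(Customizer.withDefaults());
        return http.build();
    }

    // Fail fast at startup instead of running with an empty client-id or client-secret.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing environment variable: " + name);
        }
        return value;
    }
}
```

With this bean present, the registration block in application.yml can be removed; the server.ssl and server.port settings stay as they are.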
5. Verifying the GitHub login
Enter your GitHub username and password, and you are taken to the Home page configured earlier.