Spring Security的OAuth2 Client功能核心源码分析

前一个章节我们充分地对Spring Security OAuth2 Client功能进行了扩展开发，从而支持了QQ登录，并同时实现了多个OAuth服务商共存的效果。要想弄明白这些扩展方式背后的原理以及官方的封装思路，就需要对Spring Security的OAuth2 Client部分源码有一定的了解。

当Spring Boot 2.0工程引入Spring Security关于OAuth2 Client的依赖包时，Spring Boot的自动配置策略会在Spring Security的过滤链中插入专门用于处理OAuth2 Client逻辑的过滤器，具体的自动配置逻辑可以参考 org.springframework.boot.autoconfigure.security包下的自动配置类。

当@EnableWebSecurity(debug = true)的debug属性被设置为true时，控制台日志将打印每一条url所经过的过滤器链:

Security filter chain: [
  WebAsyncManagerIntegrationFilter
  SecurityContextPersistenceFilter
  HeaderWriterFilter
  CsrfFilter
  LogoutFilter
  OAuth2AuthorizationRequestRedirectFilter
  OAuth2LoginAuthenticationFilter
  DefaultLoginPageGeneratingFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  FilterSecurityInterceptor
]

OAuth2客户端认证流程涉及三个特有的核心过滤器：

• OAuth2AuthorizationRequestRedirectFilter，通过重定向到authorization-uri端口地址来启动授权码（或隐式授权码）模式流程，获取code。
• DefaultLoginPageGeneratingFilter，用于生成默认登录页面。
• OAuth2LoginAuthenticationFilter，核心的OAuth2登录过滤器，首先从url中提取到code，接着使用code获取access_token，借助access_token便可以进一步获取到用户信息，最终构建出OAuth2AuthenticationToken认证对象，表明认证成功。

这三个过滤器是实现OAuth2客户端流程（flow）的核心逻辑入口。

OAuth2AuthorizationRequestRedirectFilter

核心处理逻辑在doFilterInternal方法中：

@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {
    // 如果是发起授权码模式的请求
    if (this.shouldRequestAuthorization(request, response)) {
        try {
            //重定向请求OAuth2服务提供商提供的获取code的接口
            this.sendRedirectForAuthorization(request, response);
        } catch (Exception failed) {
            this.unsuccessfulRedirectForAuthorization(request, response, failed);
        }
        return;
    }

    filterChain.doFilter(request, response);
}

其中sendRedirectForAuthorization方法是发送请求的具体逻辑:

private void sendRedirectForAuthorization(HttpServletRequest request, HttpServletResponse response)
        throws IOException, ServletException {

    ...
    if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationRequest.getGrantType())) {
        this.authorizationRequestRepository.saveAuthorizationRequest(authorizationRequest, request, response);
    }
    ...
}

OAuth2AuthorizationRequest对象表示OAuth2的授权请求，OAuth2AuthorizationRequestRedirectFilter把授权请求先缓存在authorizationRequestRepository中，并重定向到authorization-uri，之后的逻辑便转交给了下一个过滤器OAuth2LoginAuthenticationFilter。

OAuth2LoginAuthenticationFilter

从接收code到构建OAuth2AuthenticationToken对象，OAuth2LoginAuthenticationFilter过滤器承载了最核心的OAuth客户端认证逻辑，我们主要关注的是其中的attemptAuthentication方法：

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException, IOException, ServletException {
    // 如果url路径没有中有code和state参数或者有error参数，说明获取code失败，直接抛出异常
    if (!this.authorizationResponseSuccess(request) && !this.authorizationResponseError(request)) {
        OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    // 从authorizationRequestRepository取出在OAuth2AuthorizationRequestRedirectFilter存入的OAuth2AuthorizationRequest对象
    OAuth2AuthorizationRequest authorizationRequest = this.authorizationRequestRepository.loadAuthorizationRequest(request);
    if (authorizationRequest == null) {
        OAuth2Error oauth2Error = new OAuth2Error(AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    this.authorizationRequestRepository.removeAuthorizationRequest(request);

    String registrationId = (String) authorizationRequest.getAdditionalParameters().get(OAuth2ParameterNames.REGISTRATION_ID);
    ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId(registrationId);
    if (clientRegistration == null) {
        OAuth2Error oauth2Error = new OAuth2Error(CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE,
                "Client Registration not found with Id: " + registrationId, null);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }
    // 正式获取code
    OAuth2AuthorizationResponse authorizationResponse = this.convert(request);

    // 构建请求access_token的请求对象
    OAuth2LoginAuthenticationToken authenticationRequest = new OAuth2LoginAuthenticationToken(
            clientRegistration, new OAuth2AuthorizationExchange(authorizationRequest, authorizationResponse));
    authenticationRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));

    // 具体逻辑实现代码，通过code获取access_token，通过access_token获取用户信息，构建OAuth2LoginAuthenticationToken认证对象
    OAuth2LoginAuthenticationToken authenticationResult =
        (OAuth2LoginAuthenticationToken) this.getAuthenticationManager().authenticate(authenticationRequest);

    // 将OAuth2LoginAuthenticationToken转化为OAuth2AuthenticationToken认证对象，融入Spring Security上下文逻辑
    OAuth2AuthenticationToken oauth2Authentication = new OAuth2AuthenticationToken(
        authenticationResult.getPrincipal(),
        authenticationResult.getAuthorities(),
        authenticationResult.getClientRegistration().getRegistrationId());

    OAuth2AuthorizedClient authorizedClient = new OAuth2AuthorizedClient(
        authenticationResult.getClientRegistration(),
        oauth2Authentication.getName(),
        authenticationResult.getAccessToken());

    this.authorizedClientService.saveAuthorizedClient(authorizedClient, oauth2Authentication);

    return oauth2Authentication;
}

代码流程本身很清晰，但需要注意的是，使用code交换access_token以及通过access_token获取用户信息的逻辑并不在此处实现，在代码中可以看得出来：

OAuth2LoginAuthenticationToken authenticationResult = (OAuth2LoginAuthenticationToken) this.getAuthenticationManager().authenticate(authenticationRequest);

getAuthenticationManager()获取到的就是我们所熟悉的Spring Security认证管理器，它通过适配器模式调用多个Provider对象进行认证，其中也包含了OAuth2认证逻辑所对应的Provider：OAuth2LoginAuthenticationProvider。

DefaultLoginPageGeneratingFilter

当我们没有配置自定义的登录页时，自动配置机制会将DefaultLoginPageGeneratingFilter插入到Spring Security过滤器链中，并在合适的时机为我们生成一个默认的登录视图：

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        boolean loginError = isErrorPage(request);
        boolean logoutSuccess = isLogoutSuccess(request);
        if (isLoginUrlRequest(request) || loginError || logoutSuccess) {
            String loginPageHtml = generateLoginPageHtml(request, loginError,
                    logoutSuccess);
            response.setContentType("text/html;charset=UTF-8");
            response.setContentLength(loginPageHtml.getBytes(StandardCharsets.UTF_8).length);
            response.getWriter().write(loginPageHtml);

            return;
        }

        chain.doFilter(request, response);
    }

OAuth2LoginAuthenticationProvider

OAuth2LoginAuthenticationProvider主要实现了通过code交换access_token以及通过access_token获取用户信息两个核心逻辑，主要代码在authenticate方法中：

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    OAuth2LoginAuthenticationToken authorizationCodeAuthentication =
        (OAuth2LoginAuthenticationToken) authentication;

    ...

    // 验证获取到的授权码是否合法
    OAuth2AuthorizationRequest authorizationRequest = authorizationCodeAuthentication
        .getAuthorizationExchange().getAuthorizationRequest();
    OAuth2AuthorizationResponse authorizationResponse = authorizationCodeAuthentication
        .getAuthorizationExchange().getAuthorizationResponse();

    if (authorizationResponse.statusError()) {
        throw new OAuth2AuthenticationException(
            authorizationResponse.getError(), authorizationResponse.getError().toString());
    }

    if (!authorizationResponse.getState().equals(authorizationRequest.getState())) {
        OAuth2Error oauth2Error = new OAuth2Error(INVALID_STATE_PARAMETER_ERROR_CODE);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }

    if (!authorizationResponse.getRedirectUri().equals(authorizationRequest.getRedirectUri())) {
        OAuth2Error oauth2Error = new OAuth2Error(INVALID_REDIRECT_URI_PARAMETER_ERROR_CODE);
        throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
    }

    // 如果授权码合法，则请求access_token
    OAuth2AccessTokenResponse accessTokenResponse =
        this.accessTokenResponseClient.getTokenResponse(
            new OAuth2AuthorizationCodeGrantRequest(
                authorizationCodeAuthentication.getClientRegistration(),
                authorizationCodeAuthentication.getAuthorizationExchange()));

    OAuth2AccessToken accessToken = accessTokenResponse.getAccessToken();

    // 通过accesss_token请求用户信息
    OAuth2User oauth2User = this.userService.loadUser(
        new OAuth2UserRequest(authorizationCodeAuthentication.getClientRegistration(), accessToken));
    ...
}