Spring security real combat dry goods: how to build and execute oauth2 authorization request

stay Spring Security Combat dry goods ： client OAuth2 Access to authorization requests We found the interceptor OAuth2 Authorization request entry /oauth2/authorization Filter OAuth2AuthorizationRequestRedirectFilter, And found the real launch OAuth2 How to authorize a request sendRedirectForAuthorization. But this method does not elaborate , So today I'll go on to the last article to fill in this hole .

2. sendRedirectForAuthorization

This sendRedirectForAuthorization Methods don't have much code , Its main function is to authorize redirection access to the third-party platform . All its logic is related to OAuth2AuthorizationRequest of , So we are OAuth2AuthorizationRequest It doesn't work to understate , We have to master OAuth2AuthorizationRequest How did you get it , What is it for .

OAuth2AuthorizationRequestResolver

This requires parsing classes OAuth2AuthorizationRequestResolver, Its core approach has two overloads , It's enough to analyze one here .

@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
// registrationId It's through uri Path parameter /oauth2/authorization/{registrationId} To obtain the
String registrationId = this.resolveRegistrationId(request);
// And then ask for the object request Extract from key by action Parameters of , The default value is login
String redirectUriAction = getAction(request, "login");
// And then we go to the fundamental parsing method
return resolve(request, registrationId, redirectUriAction);
}

In the above method resolve(request, registrationId, redirectUriAction) It's the method that ultimately comes from /oauth2/authorization extract OAuth2AuthorizationRequest The fundamental method of . There's too much code, but I try to make it easy to understand .resolve Methods will be based on different authorization methods (AuthorizationGrantType) To assemble different OAuth2AuthorizationRequest.

3. OAuth2AuthorizationRequest

The next step is OAuth2.0 At the heart of the agreement , Maybe your customized reference will come from here in the future , It's about knowledge . I will be right. OAuth2AuthorizationRequestResolver Under all kinds of authorization OAuth2AuthorizationRequest Object analysis for a complete summary . It is roughly divided into the following two parts ：

3.1 from AuthorizationGrantType Decisive

In different AuthorizationGrantType Next pair OAuth2AuthorizationRequest The carding of . The member variables involved are ：

authorizationGrantType , From configuration spring.security.client.registration.{registrationId}.authorizationGrantType.
responseType , from authorizationGrantType Value determination of , Refer to the following JSON.
additionalParameters, When authorizationGrantType The value is authorization_code Some additional parameters are required , Refer to the following JSON .
attributes, Different authorizationGrantType There are different attributes .

It's similar to {registrationId} Formal representation of {registrationId} It's a variable , for example registrationId=gitee.

stay OAuth2 Client configuration spring.security.client.registration.{registrationId} There are five situations in the prefix of .

When scope It doesn't contain openid and client-authentication-method Not for none The four parameters mentioned above ：

{
"authorizationGrantType": "authorization_code",
"responseType": "code",
"additionalParameters": {},
"attributes": {
"registration_id": "{registrationId}"
}
}

When scope contain openid and client-authentication-method Not for none The four parameters mentioned above ：

{
"authorizationGrantType": "authorization_code",
"responseType": "code",
"additionalParameters": {
"nonce": "{nonce} Of Hash value "
},
"attributes": {
"registration_id": "{registrationId}",
"nonce": "{nonce}"
}
}

When scope It doesn't contain openid and client-authentication-method by none The four parameters mentioned above ：

{
"authorizationGrantType": "authorization_code",
"responseType": "code",
"additionalParameters": {
"code_challenge": "{codeVerifier} Of Hash value ",
// code_challenge_method When it's not SHA256 Maybe not key
"code_challenge_method": "S256（ If it is SHA256 Algorithmic words ）"
},
"attributes": {
"registration_id": "{registrationId}",
"code_verifier": "Base64 Generated security {codeVerifier}"
}
}

When scope contain openid and client-authentication-method by none The four parameters mentioned above ：

{
"authorizationGrantType": "authorization_code",
"responseType": "code",
"additionalParameters": {
"code_challenge": "{codeVerifier} Of Hash value ",
// code_challenge_method When it's not SHA256 Maybe not key
"code_challenge_method": "S256（ If it is SHA256 Algorithmic words ）",
"nonce": "{nonce} Of Hash value "
},
"attributes": {
"registration_id": "{registrationId}",
"code_verifier": "Base64 Generated security {codeVerifier}",
"nonce": "{nonce}"
}
}

implicit It's much simpler ：

{
"authorizationGrantType": "implicit",
"responseType": "token",
"attributes": {}
}

3.2 Fixed rules part

It's all kinds of different AuthorizationGrantType Under the OAuth2AuthorizationRequest Personalized value strategy of member variables of , There are also several parameters whose rules are fixed ：

clientId From configuration , It's the only identity given to us by the third party platform .
authorizationUri From configuration , Used to construct requests to third parties URL.
scopes From configuration , It's the scope that the third-party platform authorized us to delimit , It can be understood as a role .
state Automatically generated , In order to prevent csrf attack .
authorizationRequestUri Initiating authorization request to a third-party platform , You can go directly through OAuth2AuthorizationRequest To set or use the build class above authorizationUri And so on , We will analyze the structural mechanism later .
redirectUri When OAuth2AuthorizationRequest After being received by a third party platform , Third party platforms will call back this URI To respond to authorization requests , The mechanism will be analyzed later .

authorizationRequestUri The construction mechanism of

If you don't explicitly provide authorizationRequestUri Would pass OAuth2AuthorizationRequest Medium

responseType
clientId
scopes
state
redirectUri
additionalParameters
According to the following rules to splice into authorizationUri Parameter string of , Parameter string key and value To carry out URI code .

authorizationUri?response_type={responseType.getValue()}&client_id={clientId}&scope={scopes Element one character space }&state={state}&redirect_uri={redirectUri}&{additionalParameter Expand to do the same thing KV Parameter string }

then OAuth2AuthorizationRequestRedirectFilter Responsible for redirecting to authorizationRequestUri Request authorization from a third party .

redirectUri

When a third party receives a response, it calls redirectUri, Callback also has some default rules , It follows {baseUrl}/{action}/oauth2/code/{registrationId} The path parameter rule of .

baseUrl It's from us /oauth2/authorization The underlying request path extracted from the request .
action, There are two default values login、authorize , When /oauth2/authorization The request contains action Parameters are based on action Fill in the value of .
registrationId I don't have to say much about that .

4. summary

Through to OAuth2AuthorizationRequest The rules of the request object are analyzed in detail , We should be able to roughly know the filter OAuth2AuthorizationRequestRedirectFilter technological process ：

Build through client configuration ClientRegistration, It can be persisted later .
Intercept /oauth2/authorization Request and construct OAuth2AuthorizationRequest, And then redirect to authorizationRequestUri To request authorization .
Third party adoption redirect_uri Corresponding .

that Spring Security OAuth2 How to deal with the callback of the third party ？ Focus on ： Small fat man of minong For you to find out the answer .

Official account ：Felordcn Get more information

Personal blog ：https://felord.cn