In the previous Spring Security practical article, "OAuth2 client access to the authorization request", we found the filter OAuth2AuthorizationRequestRedirectFilter that intercepts the OAuth2 authorization request entry /oauth2/authorization, and found that the method which actually launches the OAuth2 authorization request is sendRedirectForAuthorization. That method was not elaborated on, so today I will continue from the last article and fill in this hole.
2. sendRedirectForAuthorization
The sendRedirectForAuthorization method doesn't contain much code. Its main job is to redirect the browser to the third-party platform's authorization endpoint, and all of its logic revolves around OAuth2AuthorizationRequest. We therefore cannot treat OAuth2AuthorizationRequest lightly: we have to understand how it is obtained and what it is used for.
OAuth2AuthorizationRequestResolver
This is where the resolver class OAuth2AuthorizationRequestResolver comes in. Its core method has two overloads; analyzing one of them is enough here.
@Override
public OAuth2AuthorizationRequest resolve(HttpServletRequest request) {
    // registrationId is taken from the path variable of /oauth2/authorization/{registrationId}
    String registrationId = this.resolveRegistrationId(request);
    // then the "action" parameter is extracted from the request object; the default value is "login"
    String redirectUriAction = getAction(request, "login");
    // finally delegate to the fundamental resolve method
    return resolve(request, registrationId, redirectUriAction);
}
In the method above, resolve(request, registrationId, redirectUriAction) is the fundamental method that ultimately extracts an OAuth2AuthorizationRequest from the /oauth2/authorization request. It contains a lot of code, but I will try to make it easy to understand: the resolve method assembles a different OAuth2AuthorizationRequest depending on the authorization grant type (AuthorizationGrantType).
3. OAuth2AuthorizationRequest
What follows is the heart of the OAuth2.0 protocol, and your own customizations will probably start from here in the future, so it is worth knowing. I will give a complete summary of the OAuth2AuthorizationRequest objects that OAuth2AuthorizationRequestResolver produces under each kind of authorization. It is roughly divided into the following two parts:
3.1 The part determined by AuthorizationGrantType
How OAuth2AuthorizationRequest is assembled under the different AuthorizationGrantType values. The member variables involved are:
- authorizationGrantType, from the configuration spring.security.client.registration.{registrationId}.authorizationGrantType.
- responseType, determined by the value of authorizationGrantType; refer to the JSON below.
- additionalParameters: when authorizationGrantType is authorization_code, some additional parameters are required; refer to the JSON below.
- attributes: different authorizationGrantType values carry different attributes.
A form like {registrationId} denotes a variable, for example registrationId=gitee.
In the OAuth2 client configuration under the prefix spring.security.client.registration.{registrationId}, there are five situations.
When scope does not contain openid and client-authentication-method is not none, the four parameters mentioned above are:
{
    "authorizationGrantType": "authorization_code",
    "responseType": "code",
    "additionalParameters": {},
    "attributes": {
        "registration_id": "{registrationId}"
    }
}
When scope contains openid and client-authentication-method is not none, the four parameters mentioned above are:
{
    "authorizationGrantType": "authorization_code",
    "responseType": "code",
    "additionalParameters": {
        "nonce": "hash of {nonce}"
    },
    "attributes": {
        "registration_id": "{registrationId}",
        "nonce": "{nonce}"
    }
}
When scope does not contain openid and client-authentication-method is none, the four parameters mentioned above are:
{
    "authorizationGrantType": "authorization_code",
    "responseType": "code",
    "additionalParameters": {
        "code_challenge": "hash of {codeVerifier}",
        // code_challenge_method may be absent when the method is not SHA256
        "code_challenge_method": "S256 (if the SHA256 algorithm is used)"
    },
    "attributes": {
        "registration_id": "{registrationId}",
        "code_verifier": "securely generated Base64 {codeVerifier}"
    }
}
When scope contains openid and client-authentication-method is none, the four parameters mentioned above are:
{
    "authorizationGrantType": "authorization_code",
    "responseType": "code",
    "additionalParameters": {
        "code_challenge": "hash of {codeVerifier}",
        // code_challenge_method may be absent when the method is not SHA256
        "code_challenge_method": "S256 (if the SHA256 algorithm is used)",
        "nonce": "hash of {nonce}"
    },
    "attributes": {
        "registration_id": "{registrationId}",
        "code_verifier": "securely generated Base64 {codeVerifier}",
        "nonce": "{nonce}"
    }
}
The implicit grant is much simpler:
{
    "authorizationGrantType": "implicit",
    "responseType": "token",
    "attributes": {}
}
3.2 The fixed-rule part
The above is the per-AuthorizationGrantType value strategy for the member variables of OAuth2AuthorizationRequest. There are also several parameters whose rules are fixed:
- clientId: from configuration; it is the unique identity the third-party platform issued to us.
- authorizationUri: from configuration; used to construct the request URL to the third party.
- scopes: from configuration; the scope of authorization the third-party platform delimits for us, which can be understood as a role.
- state: automatically generated, in order to prevent CSRF attacks.
- authorizationRequestUri: the URI used to initiate the authorization request to the third-party platform. You can set it directly through OAuth2AuthorizationRequest, or let the builder construct it from authorizationUri and the other parameters above; the construction mechanism is analyzed below.
- redirectUri: after the third-party platform receives the OAuth2AuthorizationRequest, it calls back this URI to respond to the authorization request; the mechanism is analyzed below.
authorizationRequestUri The construction mechanism of
If you don't explicitly provide authorizationRequestUri, the responseType, clientId, scopes, state, redirectUri and additionalParameters of the OAuth2AuthorizationRequest are spliced onto authorizationUri as a query string according to the following rule, with every parameter key and value URI-encoded:
authorizationUri?response_type={responseType.getValue()}&client_id={clientId}&scope={scopes joined with a single space}&state={state}&redirect_uri={redirectUri}&{additionalParameters expanded into key=value pairs in the same way}
Then OAuth2AuthorizationRequestRedirectFilter is responsible for redirecting to authorizationRequestUri to request authorization from the third party.
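To make the two rules above concrete, here is an added example (not Spring Security's own code) in plain JDK Java 11+ that derives the section 3.1 additionalParameters (S256 code_challenge for a public client, hashed nonce when scope contains openid) and then splices them onto authorizationUri the way section 3.2 describes. All endpoint, client and scope values are constructed samples.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

public class AuthorizationRequestUriDemo {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Random 256-bit Base64url token; used here for code_verifier, nonce and state alike
    static String randomToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    // S256 = Base64url(SHA-256(value)): the "hash of ..." the article shows for code_challenge and nonce
    static String s256(String value) throws Exception {
        return B64URL.encodeToString(MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.US_ASCII)));
    }

    // Section 3.1: PKCE only for a public client (client-authentication-method none), nonce only with openid
    static Map<String, String> additionalParameters(boolean publicClient, Collection<String> scopes,
            String codeVerifier, String nonce) throws Exception {
        Map<String, String> params = new LinkedHashMap<>();
        if (publicClient) { // the verifier stays in attributes; only its challenge goes on the wire
            params.put("code_challenge", s256(codeVerifier));
            params.put("code_challenge_method", "S256");
        }
        if (scopes.contains("openid")) params.put("nonce", s256(nonce)); // raw nonce stays in attributes
        return params;
    }

    // Section 3.2: splice the fixed parameters, then additionalParameters, onto authorizationUri
    static String buildAuthorizationRequestUri(String authorizationUri, String responseType, String clientId,
            Collection<String> scopes, String state, String redirectUri, Map<String, String> additionalParameters) {
        StringJoiner query = new StringJoiner("&");
        query.add("response_type=" + enc(responseType)).add("client_id=" + enc(clientId));
        query.add("scope=" + enc(String.join(" ", scopes))).add("state=" + enc(state));
        query.add("redirect_uri=" + enc(redirectUri));
        additionalParameters.forEach((k, v) -> query.add(enc(k) + "=" + enc(v)));
        return authorizationUri + "?" + query;
    }

    // URLEncoder writes a space as '+', Spring's UriComponentsBuilder writes %20, so normalise to %20
    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    public static void main(String[] args) throws Exception {
        String codeVerifier = randomToken(), nonce = randomToken(); // constructed; kept for the callback step
        List<String> scopes = List.of("openid", "user_info"); // constructed sample scopes
        Map<String, String> extra = additionalParameters(true, scopes, codeVerifier, nonce);
        System.out.println(buildAuthorizationRequestUri("https://provider.example/oauth/authorize", "code",
                "demo-client-id", scopes, randomToken(), "http://localhost:8080/login/oauth2/code/gitee", extra));
    }
}
```

Run it and compare the printed URL with the Location header your own client emits; the code_verifier and nonce must be retained server-side, since the callback handler has to present the former and verify the latter.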
redirectUri
When the third party has a response it calls redirectUri. The callback also has a default rule: it follows the path-variable pattern {baseUrl}/{action}/oauth2/code/{registrationId}.
- baseUrl: the base request path extracted from our /oauth2/authorization request.
- action: there are two default values, login and authorize; when the /oauth2/authorization request carries an action parameter, the value of action is filled in from it.
- registrationId: needs no further explanation.
4. Summary
Having analyzed the rules of the request object OAuth2AuthorizationRequest in detail, we should now roughly know the processing flow of the filter OAuth2AuthorizationRequestRedirectFilter:
- Build a ClientRegistration from the client configuration; it can be persisted later.
- Intercept the /oauth2/authorization request, construct an OAuth2AuthorizationRequest, and then redirect to authorizationRequestUri to request authorization.
- The third party responds via redirect_uri.
So how does Spring Security OAuth2 handle the third party's callback? Follow 码农小胖哥 to find out the answer.
Official account: Felordcn, for more information.