java - How does spring oauth2sso work? Why does this redirect sequence happen?

Tags: java spring spring-security oauth-2.0 spring-security-oauth2

I want to write a hello world example to understand SSO/OAuth2.

I took the following example:

http://www.baeldung.com/sso-spring-security-oauth2

First I need to say that it works fine. My question is why it works.

My question concerns the client application. It is a simple application consisting of only a few classes. The most important classes are:

UiSecurityConfig:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableOAuth2Sso   // registers the OAuth2 client filter that handles /login
public class UiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // "/" and "/login**" are open; everything else requires an authenticated session
        http.antMatcher("/**")
          .authorizeRequests()
          .antMatchers("/", "/login**")
          .permitAll()
          .anyRequest()
          .authenticated();
    }
}

UiWebConfig:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.web.servlet.config.annotation.DefaultServletHandlerConfigurer;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
@EnableWebMvc
public class UiWebConfig extends WebMvcConfigurerAdapter {

    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
        return new PropertySourcesPlaceholderConfigurer();
    }

    @Override
    public void configureDefaultServletHandling(final DefaultServletHandlerConfigurer configurer) {
        configurer.enable();
    }

    @Override
    public void addViewControllers(final ViewControllerRegistry registry) {
        // plain view mappings; note there is no controller for /login here
        super.addViewControllers(registry);
        registry.addViewController("/")
            .setViewName("forward:/index");
        registry.addViewController("/index");
        registry.addViewController("/securedPage");
    }

    @Override
    public void addResourceHandlers(final ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/resources/**")
            .addResourceLocations("/resources/");
    }

}

And the following configuration:

server:
    port: 8082
    context-path: /ui
    session:
      cookie:
        name: UISESSION
security:
  basic:
    enabled: false
  oauth2:
    client:
      clientId: SampleClientId
      clientSecret: secret
      accessTokenUri: http://localhost:8081/auth/oauth/token
      userAuthorizationUri: http://localhost:8081/auth/oauth/authorize
    resource:
      userInfoUri: http://localhost:8081/auth/user/me
spring:
  thymeleaf:
    cache: false

Questions:
1. When I start the application and follow the link http://localhost:8082/ui/ I see the login page.

This page contains the following href:

<a class="btn btn-primary" href="securedPage">Login</a>

When I click this href, some kind of magic happens, and in the network tab I see the following. As you can see:
1. http://localhost:8082/ui/securedPage redirects to http://localhost:8082/ui/login
2. http://localhost:8082/ui/login redirects to http://localhost:8081/auth/oauth/authorize?client_id=SampleClientId&redirect_uri=http://localhost:8082/ui/login&response_type=code&state=DuO4CX (!!! another domain !!! how?)
3. http://localhost:8081/auth/oauth/authorize?client_id=SampleClientId&redirect_uri=http://localhost:8082/ui/login&response_type=code&state=DuO4CX redirects to http://localhost:8081/auth/login, where I see the login form and can enter credentials

I don't understand why this happens.
1. Why does http://localhost:8082/ui/securedPage redirect to http://localhost:8082/ui/login? I don't have a mapping for this URL. When I start the application I see the following mapping log:

2018-04-12 19:50:04.069  INFO 4388 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2018-04-12 19:50:04.069  INFO 4388 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/index] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2018-04-12 19:50:04.069  INFO 4388 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/securedPage] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2018-04-12 19:50:04.085  INFO 4388 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/resources/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2018-04-12 19:50:04.088  INFO 4388 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.DefaultServletHttpRequestHandler]

All subsequent steps are also unclear. Please explain in detail.

Best answer

http://localhost:8082/ui/login does not appear in the list of mapped URLs because it is handled by OAuth2ClientAuthenticationProcessingFilter, which starts the authentication flow.

I think the best way to explain all the steps is to use the OAuth 2.0 specification.

Here is the flow diagram:

 +----------+
 | Resource |
 |   Owner  |
 |          |
 +----------+
      ^
      |
     (B)
 +----|-----+          Client Identifier      +---------------+
 |         -+----(A)-- & Redirection URI ---->|               |
 |  User-   |                                 | Authorization |
 |  Agent  -+----(B)-- User authenticates --->|     Server    |
 |          |                                 |               |
 |         -+----(C)-- Authorization Code ---<|               |
 +-|----|---+                                 +---------------+
   |    |                                         ^      v
  (A)  (C)                                        |      |
   |    |                                         |      |
   ^    v                                         |      |
 +---------+                                      |      |
 |         |>---(D)-- Authorization Code ---------'      |
 |  Client |          & Redirection URI                  |
 |         |                                             |
 |         |<---(E)----- Access Token -------------------'
 +---------+       (w/ Optional Refresh Token)

Resource Owner - the user
User-Agent - the user's browser
Client - web application deployed on port 8082
Authorization Server - web application deployed on port 8081

(A) The client initiates the flow by directing the resource owner's user-agent to the authorization endpoint. The client includes its client identifier, requested scope, local state, and a redirection URI to which the authorization server will send the user-agent back once access is granted (or denied).

In your case, when the user tries to access securedPage, she is redirected to http://localhost:8082/ui/login, which starts the authentication flow. After that, the user is redirected to the authorization endpoint. In your case it is http://localhost:8081/auth/oauth/authorize

(B) The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request.

Here the user is redirected to the authorization server's login page (http://localhost:8081/auth/login).

(C) Assuming the resource owner grants access, the authorization server redirects the user-agent back to the client using the redirection URI provided earlier (in the request or during client registration). The redirection URI includes an authorization code and any local state provided by the client earlier.

If authentication succeeds, the user is redirected back to the client using the URL provided in step (A) in the request to the authorization endpoint. In your case it is &redirect_uri=http://localhost:8082/ui/login. The redirect contains the authorization code generated by the authorization server.

(D) The client requests an access token from the authorization server's token endpoint by including the authorization code received in the previous step. When making the request, the client authenticates with the authorization server. The client includes the redirection URI used to obtain the authorization code for verification.

(E) The authorization server authenticates the client, validates the authorization code, and ensures that the redirection URI received matches the URI used to redirect the client in step (C). If valid, the authorization server responds back with an access token and, optionally, a refresh token.

The client uses the authorization code to obtain an access token from the token endpoint (http://localhost:8081/auth/oauth/token). The access token is used to access protected resources. In your case it is http://localhost:8081/auth/user/me, which is used to get information about the user. This information is used to populate the security context.
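To make the sequence from the answer concrete, here is an added in-memory simulation of the two applications and the browser between them. It is example code written for this page, not code from the question, the answer or the Baeldung project: the hosts, the client id/secret and the "alice" credential mirror the question's configuration but are constructed, and the endpoint behaviour is a minimal model of what @EnableOAuth2Sso and a Spring authorization server do, not their actual implementation. It shows why /ui/securedPage goes to /ui/login, why /ui/login sends the browser to the other port, and the checks that make the round trip safe: the state value the client stores in the UISESSION session is compared on the callback, and at the token endpoint (step E) the client must authenticate, the code is single use, and redirect_uri must match the one used in step (A).

```python
# Added example (not from the question, the answer or the Baeldung project): an
# in-memory model of the redirect sequence. Hosts, credentials and users are constructed.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH = "http://localhost:8081/auth"      # authorization server (port 8081)
UI = "http://localhost:8082/ui"          # client application (port 8082)
CLIENT_ID, CLIENT_SECRET = "SampleClientId", "secret"
REDIRECT_URI = f"{UI}/login"


def query(url):
    """Flatten a URL's query string into a plain dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def paths(trace):
    """Just the path component of every URL in a redirect trace."""
    return [urlparse(u).path for u in trace]


class AuthorizationServer:
    """Toy model of /auth/oauth/authorize, /auth/login, /auth/oauth/token and /auth/user/me."""

    def __init__(self):
        self.registered = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}  # client registration
        self.users = {"alice": "password1"}      # constructed credential store
        self.session = {}                        # the user's session on port 8081
        self.codes, self.tokens = {}, {}

    def handle(self, url):
        path = urlparse(url).path
        if path == "/auth/oauth/authorize":
            q = query(url)
            secret, registered_uri = self.registered.get(q.get("client_id"), (None, None))
            if secret is None or q.get("redirect_uri") != registered_uri:
                raise PermissionError("unknown client or redirect_uri not registered")
            if "user" not in self.session:                       # step (B): authenticate first
                self.session["pending"] = url
                return "redirect", f"{AUTH}/login"
            code = secrets.token_urlsafe(8)                      # step (C): one-time code
            self.codes[code] = (q["client_id"], q["redirect_uri"], self.session["user"])
            return "redirect", f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"
        if path == "/auth/login":
            return "page", "login form"
        return "page", "not found"

    def login(self, username, password):
        """The user submits the login form; on success resume the pending authorize request."""
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        self.session["user"] = username
        return self.session.pop("pending")

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step (E), back channel: authenticate the client, validate code and redirect_uri."""
        if self.registered.get(client_id, (None,))[0] != client_secret:
            raise PermissionError("client authentication failed")
        issued = self.codes.pop(code, None)                      # codes are single use
        if issued is None or issued[:2] != (client_id, redirect_uri):
            raise PermissionError("invalid code or redirect_uri mismatch")
        token = secrets.token_urlsafe(16)
        self.tokens[token] = issued[2]
        return {"access_token": token, "token_type": "bearer"}

    def userinfo(self, access_token):
        """The userInfoUri resource: resolves a token to the user it was issued for."""
        if access_token not in self.tokens:
            raise PermissionError("invalid access token")
        return {"name": self.tokens[access_token]}


class UiClient:
    """Toy model of what the SSO filter does for /ui/securedPage and /ui/login."""

    def __init__(self, auth):
        self.auth = auth
        self.session = {}                        # backed by the UISESSION cookie

    def handle(self, url):
        path, q = urlparse(url).path, query(url)
        if path == "/ui/securedPage":
            if "principal" in self.session:
                return "page", f"securedPage for {self.session['principal']}"
            self.session["saved_request"] = url               # remembered to return here later
            return "redirect", f"{UI}/login"
        if path == "/ui/login" and "code" not in q:              # step (A): start the flow
            self.session["state"] = secrets.token_urlsafe(6)
            params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                      "response_type": "code", "state": self.session["state"]}
            return "redirect", f"{AUTH}/oauth/authorize?{urlencode(params)}"
        if path == "/ui/login":                                  # step (D): the callback
            if q.get("state") != self.session.pop("state", None):
                raise PermissionError("state mismatch: callback was not started by this session")
            tok = self.auth.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)
            self.session["principal"] = self.auth.userinfo(tok["access_token"])["name"]
            return "redirect", self.session.pop("saved_request", f"{UI}/")
        return "page", "index"


class Browser:
    """The user-agent: dispatches each URL to the right host and follows redirects."""

    def __init__(self, apps):
        self.apps = apps

    def navigate(self, url, limit=10):
        trace = [url]
        for _ in range(limit):
            kind, value = self.apps[urlparse(url).netloc].handle(url)
            if kind == "page":
                return value, trace
            url = value
            trace.append(url)
        raise RuntimeError("redirect loop")


def run_flow(username="alice", password="password1"):
    """Run the whole sequence; returns both redirect traces and the final page."""
    auth = AuthorizationServer()
    browser = Browser({"localhost:8082": UiClient(auth), "localhost:8081": auth})
    page, first = browser.navigate(f"{UI}/securedPage")       # ends at the 8081 login form
    assert page == "login form"
    page, second = browser.navigate(auth.login(username, password))
    return first, second, page
```

Running `run_flow()` produces the first trace securedPage, /ui/login, /auth/oauth/authorize, /auth/login (exactly the three redirects in the question), and after the login form is submitted a second trace /auth/oauth/authorize, /ui/login?code=...&state=..., /ui/securedPage. The token exchange in step (D) never appears in the browser trace because the client calls the token endpoint directly, which is why the network tab only shows the front-channel redirects.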

Regarding "java - How does spring oauth2sso work? Why does this redirect sequence happen?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49806245/
