SpringBoot-OAuth2-JWT-WebFlux-ClientServer

发表于 更新于 分类于 置顶 精品
阅读次数: 本文字数: 3k 阅读时长 ≈ 11 分钟

摘要

依赖

  • springboot官方提供了支持

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
//webflux
implementation 'org.springframework.boot:spring-boot-starter-webflux'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'


//本项目使用了自定义授权页面,所以引入视图模板依赖和基于webjar的bootstrap,jquery
implementation 'org.springframework.boot:spring-boot-starter-thymeleaf'
//webjars https://www.webjars.org
implementation 'org.webjars:bootstrap:4.5.3'
implementation 'org.webjars.bower:jquery:3.5.1'
// 可以在html中去掉webjars的版本号,这样升级的时候直接修改上面引入的webjars中的版本号即可,页面中不需要修改
implementation 'org.webjars:webjars-locator:0.40'


//r2dbc mysql 库
implementation 'dev.miku:r2dbc-mysql'
//Spring r2dbc 抽象层
implementation 'org.springframework.boot:spring-boot-starter-data-r2dbc'

//本项目中使用了lombok减少代码量,非必须依赖
compileOnly 'org.projectlombok:lombok'
annotationProcessor 'org.projectlombok:lombok'

ReactiveSecurityConfig

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
package com.example.oauth2clientwebfluxdemo.config;


import com.example.oauth2clientwebfluxdemo.security.CustomReactiveAuthorizationManager;
import com.example.oauth2clientwebfluxdemo.security.CustomServerAccessDeniedHandler;
import com.example.oauth2clientwebfluxdemo.security.CustomServerAuthenticationEntryPoint;
import com.example.oauth2clientwebfluxdemo.security.CustomServerOAuth2AuthorizedClientRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.logout.RedirectServerLogoutSuccessHandler;
import org.springframework.security.web.server.authentication.logout.ServerLogoutSuccessHandler;

import java.net.URI;

/**
 * <h1>安全认证配置</h1>
 * Created by hanqf on 2020/11/19 10:26.
 */


@Configuration
@EnableWebFluxSecurity //必要
@EnableReactiveMethodSecurity //启用@PreAuthorize注解配置
public class ReactiveSecurityConfig {

    @Value("${oauth2.server.logout}")
    private String oauth2_server_logout;

    @Autowired
    private CustomServerAccessDeniedHandler customServerAccessDeniedHandler;

    @Autowired
    private CustomServerAuthenticationEntryPoint customServerAuthenticationEntryPoint;

    @Autowired
    private CustomReactiveAuthorizationManager customReactiveAuthorizationManager;

    @Autowired
    private CustomServerOAuth2AuthorizedClientRepository customServerOAuth2AuthorizedClientRepository;

    /**
     * 注册安全验证规则
     * 配置方式与HttpSecurity基本一致
     */
    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { //定义SecurityWebFilterChain对安全进行控制,使用ServerHttpSecurity构造过滤器链;
        return http.authorizeExchange()
                //.anyExchange().authenticated() //所有请求都需要通过认证
                .pathMatchers("/").authenticated()
                //需要具备相应的角色才能访问
                .pathMatchers("/user/**", "/user2/**").hasAuthority("SCOPE_any")
                //不需要登录就可以访问
                .pathMatchers("/login","/webjars/**").permitAll()

                //其它路径需要根据指定的方法判断是否有权限访问,基于权限管理模型认证
                .anyExchange().access(customReactiveAuthorizationManager)
                //.anyExchange().permitAll()
                .and()
                .csrf().disable() //关闭CSRF(Cross-site request forgery)跨站请求伪造
                //必须post访问
                .logout().logoutUrl("/logout").logoutSuccessHandler(serverLogoutSuccessHandler())
                .and()

                //开启oauth2登录认证
                .oauth2Login()
                .and()
                //开启基于oauth2的客户端信息
                .oauth2Client()
                //客户端信息基于数据库,基于内存去掉下面配置即可
                .authorizedClientRepository(customServerOAuth2AuthorizedClientRepository)
                .and().exceptionHandling()
                .accessDeniedHandler(customServerAccessDeniedHandler)
                .authenticationEntryPoint(customServerAuthenticationEntryPoint)
                .and()
                .build();
    }


    /**
     * 退出重定向到认证登录页面,默认"/login?logout"
    */
    public ServerLogoutSuccessHandler serverLogoutSuccessHandler(){
        RedirectServerLogoutSuccessHandler redirectServerLogoutSuccessHandler = new RedirectServerLogoutSuccessHandler();
        redirectServerLogoutSuccessHandler.setLogoutSuccessUrl(URI.create(oauth2_server_logout));
        return redirectServerLogoutSuccessHandler;
    }
}

CustomReactiveAuthorizationManager

基于RBAC权限认证管理模型的认证方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
package com.example.oauth2resourceserverwebfluxdemo.security;

import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.ReactiveAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.web.server.authorization.AuthorizationContext;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.StringUtils;
import reactor.core.publisher.Mono;

import java.util.HashSet;
import java.util.Set;

/**
 * <h1>ReactiveAuthorizationManager</h1>
 * Created by hanqf on 2020/11/30 12:05.
 */

@Component
public class CustomReactiveAuthorizationManager implements ReactiveAuthorizationManager<AuthorizationContext> {
    @Override
    public Mono<AuthorizationDecision> check(Mono<Authentication> authentication, AuthorizationContext object) {
        return authentication.map(auth -> {
            ServerHttpRequest request = object.getExchange().getRequest();
            Object principal = auth.getPrincipal();
            String username;
            if (principal instanceof Jwt) {
                username = ((Jwt) principal).getClaimAsString("user_name");
            } else {
                username = principal.toString();
            }
            boolean hasPerssion = false;
            if (StringUtils.hasText(username) && !"anonymousUser".equals(username)) {
                //根据用户名查询用户资源权限,这里应该访问数据库查询
                Set<String> uris = new HashSet<>();
                for (String uri : uris) {
                    //验证用户拥有的资源权限是否与请求的资源相匹配
                    if (new AntPathMatcher().match(uri, request.getURI().toString())) {
                        hasPerssion = true;
                        break;
                    }
                }
            }

            //暂时全部返回true
            hasPerssion = true;
            return new AuthorizationDecision(hasPerssion);
        });
    }
}

CustomServerAccessDeniedHandler

没有权限时的处理方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
package com.example.oauth2resourceserverwebfluxdemo.security;


import com.example.oauth2resourceserverwebfluxdemo.exception.AjaxResponse;
import com.example.oauth2resourceserverwebfluxdemo.exception.CustomException;
import com.example.oauth2resourceserverwebfluxdemo.exception.CustomExceptionType;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.SneakyThrows;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * <h1>没有权限时的处理方式</h1>
 * Created by hanqf on 2020/11/20 11:56.
 */

@Component
public class CustomServerAccessDeniedHandler implements ServerAccessDeniedHandler {
    @SneakyThrows
    @Override
    public Mono<Void> handle(ServerWebExchange serverWebExchange, AccessDeniedException e) {
        return setErrorResponse(serverWebExchange.getResponse(),e.getMessage());
    }

    protected Mono<Void> setErrorResponse(ServerHttpResponse response, String message) throws JsonProcessingException {
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        ObjectMapper objectMapper = new ObjectMapper();
        AjaxResponse ajaxResponse = AjaxResponse.error(new CustomException(CustomExceptionType.USER_INPUT_ERROR, message));
        return response.writeWith(Mono.just(response.bufferFactory().wrap(objectMapper.writeValueAsBytes(ajaxResponse))));

    }
}

CustomServerAuthenticationEntryPoint

token格式错误或过期时的处理方式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
package com.example.oauth2resourceserverwebfluxdemo.security;


import com.example.oauth2resourceserverwebfluxdemo.exception.AjaxResponse;
import com.example.oauth2resourceserverwebfluxdemo.exception.CustomException;
import com.example.oauth2resourceserverwebfluxdemo.exception.CustomExceptionType;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import lombok.SneakyThrows;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/**
 * <h1>ServerAuthenticationEntryPoint</h1>
 * Created by hanqf on 2020/11/20 12:01.
 * <p>
 * token格式错误或过期时的处理方式
 */
@Component
public class CustomServerAuthenticationEntryPoint implements ServerAuthenticationEntryPoint {
    @SneakyThrows
    @Override
    public Mono<Void> commence(ServerWebExchange serverWebExchange, AuthenticationException e) {
        return setErrorResponse(serverWebExchange.getResponse(), e.getMessage());
    }

    protected Mono<Void> setErrorResponse(ServerHttpResponse response, String message) throws JsonProcessingException {
        response.getHeaders().setContentType(MediaType.APPLICATION_JSON);
        ObjectMapper objectMapper = new ObjectMapper();
        AjaxResponse ajaxResponse = AjaxResponse.error(new CustomException(CustomExceptionType.USER_INPUT_ERROR, message));
        return response.writeWith(Mono.just(response.bufferFactory().wrap(objectMapper.writeValueAsBytes(ajaxResponse))));

    }
}

WebFluxConfig

配置跨域

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
package com.example.oauth2resourceserverwebfluxdemo.config;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.reactive.config.CorsRegistry;
import org.springframework.web.reactive.config.WebFluxConfigurer;

/**
 * <h1>WebFlux配置类</h1>
 * Created by hanqf on 2020/11/18 17:43.
 *
 * 我们若需要配置Spring WebFlux只需让配置配实现接口WebFluxConfigurer,
 * 这样我们既能保留Spring Boot给WebFlux配置又能添加我们的定制配置。
 * 若我们向完全控制WebFlux,则在配置类添加注解@EnableWebFlux
 * 配置方式和Spring MVC类似
 */

@Configuration
public class WebFluxConfig implements WebFluxConfigurer {

    //跨域设置
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**") //添加映射路径,“/**”表示对所有的路径实行全局跨域访问权限的设置
                .allowedMethods("GET","POST", "PUT", "DELETE") //开放哪些Http方法,允许跨域访问
                .allowedHeaders("*") //允许HTTP请求中的携带哪些Header信息
                //When allowCredentials is true, allowedOrigins cannot contain the special value "*"since that cannot be set on the "Access-Control-Allow-Origin" response header.
                // To allow credentials to a set of origins, list them explicitly or consider using "allowedOriginPatterns" instead.
                //.allowedOrigins("*") //开放哪些ip、端口、域名的访问权限
                .allowedOriginPatterns("*")
                .allowCredentials(true); //是否允许发送Cookie信息

    }
}

CustomServerOAuth2AuthorizedClientRepository

基于jdbc存储token信。

这里有一个注意事项:查询时不要使用.fetch()方法,其会按照字段名称的字母排序进行赋值,导致结果中key和value匹配混乱

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
package com.example.oauth2clientwebfluxdemo.security;


import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataRetrievalFailureException;
import org.springframework.r2dbc.core.DatabaseClient;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import javax.annotation.Resource;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

/**
 * <h1>ServerOAuth2AuthorizedClientRepository</h1>
 * Created by hanqf on 2020/12/1 09:58.
 */

@Component
@Slf4j
public class CustomServerOAuth2AuthorizedClientRepository implements ServerOAuth2AuthorizedClientRepository {
    // @formatter:off
    private static final String COLUMN_NAMES = "client_registration_id, "
            + "principal_name, "
            + "access_token_type, "
            + "access_token_value, "
            + "access_token_issued_at, "
            + "access_token_expires_at, "
            + "access_token_scopes, "
            + "refresh_token_value, "
            + "refresh_token_issued_at";


    private static final String TABLE_NAME = "oauth2_authorized_client";
    private static final String PK_FILTER = "client_registration_id = ? AND principal_name = ?";
    // @formatter:on
    // @formatter:off
    private static final String LOAD_AUTHORIZED_CLIENT_SQL = "SELECT " + COLUMN_NAMES
            + " FROM " + TABLE_NAME
            + " WHERE " + PK_FILTER;

    // @formatter:off
    private static final String SAVE_AUTHORIZED_CLIENT_SQL = "INSERT INTO " + TABLE_NAME
            + " (" + COLUMN_NAMES + ") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)";
    private static final String REMOVE_AUTHORIZED_CLIENT_SQL = "DELETE FROM " + TABLE_NAME + " WHERE " + PK_FILTER;
    // @formatter:on
    // @formatter:off
    private static final String UPDATE_AUTHORIZED_CLIENT_SQL = "UPDATE " + TABLE_NAME
            + " SET access_token_type = ?, access_token_value = ?, access_token_issued_at = ?,"
            + " access_token_expires_at = ?, access_token_scopes = ?,"
            + " refresh_token_value = ?, refresh_token_issued_at = ?"
            + " WHERE " + PK_FILTER;
    // @formatter:on
    @Resource
    private DatabaseClient databaseClient;
    @Autowired
    private ReactiveClientRegistrationRepository reactiveClientRegistrationRepository;
    // @formatter:on

    /**
     * 这里有一个注意事项:查询时不要使用.fetch()方法,其会按照字段名称的字母排序进行赋值,导致结果中key和value匹配混乱
    */
    @Override
    public <T extends OAuth2AuthorizedClient> Mono<T> loadAuthorizedClient(String clientRegistrationId, Authentication principal, ServerWebExchange exchange) {
        Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
        Assert.hasText(principal.getName(), "principalName cannot be empty");

        Mono<OAuth2AuthorizedClient> oAuth2AuthorizedClientMono = databaseClient.sql(LOAD_AUTHORIZED_CLIENT_SQL)
                .bind(0, clientRegistrationId)
                .bind(1, principal.getName())
                .map(row -> {
                    String clientRegistrationId1 = row.get("client_registration_id", String.class);
                    String access_token_type = row.get("access_token_type", String.class);


                    OAuth2AccessToken.TokenType tokenType = null;
                    if (OAuth2AccessToken.TokenType.BEARER.getValue().equalsIgnoreCase(access_token_type)) {
                        tokenType = OAuth2AccessToken.TokenType.BEARER;
                    }

                    String tokenValue = new String(row.get("access_token_value", byte[].class), StandardCharsets.UTF_8);
                    Instant issuedAt = row.get("access_token_issued_at", LocalDateTime.class).atZone(ZoneId.systemDefault()).toInstant();
                    Instant expiresAt = row.get("access_token_expires_at", LocalDateTime.class).atZone(ZoneId.systemDefault()).toInstant();
                    Set<String> scopes = Collections.emptySet();
                    String accessTokenScopes = row.get("access_token_scopes", String.class);
                    if (accessTokenScopes != null) {
                        scopes = StringUtils.commaDelimitedListToSet(accessTokenScopes);
                    }
                    OAuth2AccessToken accessToken = new OAuth2AccessToken(tokenType, tokenValue, issuedAt, expiresAt, scopes);
                    OAuth2RefreshToken refreshToken = null;
                    byte[] refreshTokenValue = row.get("refresh_token_value", byte[].class);
                    if (refreshTokenValue != null) {
                        tokenValue = new String(refreshTokenValue, StandardCharsets.UTF_8);
                        issuedAt = null;
                        LocalDateTime refreshTokenIssuedAt = row.get("refresh_token_issued_at", LocalDateTime.class);
                        if (refreshTokenIssuedAt != null) {
                            issuedAt = refreshTokenIssuedAt.atZone(ZoneId.systemDefault()).toInstant();
                        }
                        refreshToken = new OAuth2RefreshToken(tokenValue, issuedAt);
                    }
                    String principalName = row.get("principal_name", String.class);

                    final OAuth2RefreshToken refreshToken1 = refreshToken;

                    Mono<ClientRegistration> clientRegistrationMono = reactiveClientRegistrationRepository
                            .findByRegistrationId(clientRegistrationId1);
                    return clientRegistrationMono
                            .switchIfEmpty(Mono.error(new DataRetrievalFailureException(
                                    "The ClientRegistration with id '" + clientRegistrationId1 + "' exists in the data source, "
                                            + "however, it was not found in the ClientRegistrationRepository.")))
                            .map(clientRegistration -> new OAuth2AuthorizedClient(clientRegistration, principalName, accessToken, refreshToken1));
                }).first().flatMap(oAuth2AuthorizedClientMono1 -> oAuth2AuthorizedClientMono1);

        return (Mono<T>) oAuth2AuthorizedClientMono.doOnNext(unused -> log.info("select client token info success!"));
    }

    @Override
    public Mono<Void> saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal, ServerWebExchange exchange) {

        Assert.notNull(authorizedClient, "authorizedClient cannot be null");
        Assert.notNull(principal, "principal cannot be null");

        return this.loadAuthorizedClient(authorizedClient.getClientRegistration().getRegistrationId(), principal, exchange)
                 .flatMap((Function<OAuth2AuthorizedClient, Mono<Optional<OAuth2AuthorizedClient>>>) oAuth2AuthorizedClient -> Mono.just(Optional.of(oAuth2AuthorizedClient)))
                 .defaultIfEmpty(Optional.empty())
                 .flatMap((Function<Optional<OAuth2AuthorizedClient>, Mono<Void>>) oAuth2AuthorizedClient -> {
                     if(!oAuth2AuthorizedClient.isPresent()){
                         return insertAuthorizedClient(authorizedClient,principal);
                     }else {
                         return updateAuthorizedClient(authorizedClient, principal);
                     }
                 });
    }

    private Mono<Void> updateAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal) {
        return databaseClient.sql(UPDATE_AUTHORIZED_CLIENT_SQL)
                .bind(0, authorizedClient.getAccessToken().getTokenType().getValue())
                .bind(1, authorizedClient.getAccessToken().getTokenValue().getBytes(StandardCharsets.UTF_8))
                .bind(2, timeFromInstant(authorizedClient.getAccessToken().getIssuedAt()))
                .bind(3, timeFromInstant(authorizedClient.getAccessToken().getExpiresAt()))
                .bind(4, StringUtils.collectionToCommaDelimitedString(authorizedClient.getAccessToken().getScopes()))
                .bind(5, authorizedClient.getRefreshToken().getTokenValue().getBytes(StandardCharsets.UTF_8))
                .bind(6, timeFromInstant(authorizedClient.getRefreshToken().getIssuedAt()))
                .bind(7, authorizedClient.getClientRegistration().getRegistrationId())
                .bind(8, principal.getName())
                .then()
                .doOnNext(unused -> log.info("update client token info success!"));
    }

    private Mono<Void> insertAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal) {
        return databaseClient.sql(SAVE_AUTHORIZED_CLIENT_SQL)
                .bind(0, authorizedClient.getClientRegistration().getRegistrationId())
                .bind(1, principal.getName())
                .bind(2, authorizedClient.getAccessToken().getTokenType().getValue())
                .bind(3, authorizedClient.getAccessToken().getTokenValue().getBytes(StandardCharsets.UTF_8))
                .bind(4, timeFromInstant(authorizedClient.getAccessToken().getIssuedAt()))
                .bind(5, timeFromInstant(authorizedClient.getAccessToken().getExpiresAt()))
                .bind(6, StringUtils.collectionToCommaDelimitedString(authorizedClient.getAccessToken().getScopes()))
                .bind(7, authorizedClient.getRefreshToken().getTokenValue().getBytes(StandardCharsets.UTF_8))
                .bind(8, timeFromInstant(authorizedClient.getRefreshToken().getIssuedAt()))
                .then()
                .doOnNext(unused -> log.info("insert client token info success!"));
    }

    @Override
    public Mono<Void> removeAuthorizedClient(String clientRegistrationId, Authentication principal, ServerWebExchange exchange) {

        Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
        Assert.hasText(principal.getName(), "principalName cannot be empty");

        return databaseClient.sql(REMOVE_AUTHORIZED_CLIENT_SQL)
                .bind(0, clientRegistrationId)
                .bind(1, principal.getName())
                .then()
                .doOnNext(unused -> log.info("remove client token info success!"));
    }

    private String timeFromInstant(Instant instant) {
        return DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss").format(LocalDateTime.ofInstant(instant, ZoneId.systemDefault()));
    }

}

AuthController

自定义登录跳转页面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
package com.example.oauth2clientwebfluxdemo.controller;

import com.example.oauth2clientwebfluxdemo.security.CustomServerOAuth2AuthorizedClientRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.client.registration.InMemoryReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;

import java.util.HashMap;
import java.util.Map;

/**
 * <h1>login</h1>
 * Created by hanqf on 2020/11/30 18:02.
 */

@Controller
public class AuthController {

    @Autowired
    ReactiveClientRegistrationRepository reactiveClientRegistrationRepository;

    @GetMapping("/login")
    public String login(Model model) {
        Map<String, String> map = new HashMap<>();
        if (reactiveClientRegistrationRepository instanceof InMemoryReactiveClientRegistrationRepository) {
            ((InMemoryReactiveClientRegistrationRepository) reactiveClientRegistrationRepository).forEach(registrations -> {
                String registrationId = registrations.getRegistrationId();
                String clientName = registrations.getClientName();
                System.out.println(registrationId + "---" + clientName);
                map.put(registrationId, clientName);
            });
        }
        model.addAttribute("registrations", map);

        return "oauth2/login";
    }

}

login.html

自定义登录页面

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
    <meta charset="UTF-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <title>登录</title>

    <link rel="stylesheet" th:href="@{/webjars/bootstrap/css/bootstrap.min.css}"/>

    <script th:src="@{/webjars/jquery/jquery.min.js}"></script>
    <script th:src="@{/webjars/bootstrap/js/bootstrap.min.js}"></script>

</head>
<body>

<div class="container">
    <h2 class="form-signin-heading">Login with OAuth 2.0</h2>
    <table class="table table-striped">

        <tr th:each="registration: ${registrations}">
            <td><a th:href="@{'/oauth2/authorization/'+${registration.key}}" th:text="${registration.value}"></a></td>
        </tr>

    </table>
</div>

<form th:action="@{/logout}" class="container" method="post">
    <button type="submit">Logout</button>
</form>
</body>
</html>

application.yml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

server:
  port: 8099

oauth2:
  server:
    url: http://localhost:8080
    logout: ${oauth2.server.url}/logout #认证服务器logout地址


spring:
  application:
    name: oauth2-client-webflux
  #资源国际化
  messages:
    basename: static/i18n/messages
    encoding: utf-8

  #thymeleaf
  thymeleaf:
    cache: false
    enabled: true
    encoding: UTF-8
    mode: HTML
    prefix: classpath:/templates/
    servlet:
      content-type: text/html
    suffix: .html


  #r2dbc mysql
  r2dbc:
    url: r2dbc:mysql://localhost:3306/springboot?useUnicode=true&characterEncoding=utf-8&useTimezone=true&serverTimezone=GMT%2B8
    username: root
    password: newpwd
    pool:
      enabled: true
      initial-size: 5
      max-size: 20
      max-idle-time: 30m



  #oauth2
  # 支持多客户端认证方式
  security:
    oauth2:
      client:
        registration:
          # /oauth2/authorization/flux-client # 认证地址
          flux-client: # 注册名称
            client-id: postman # 客户端登录用户名称
            client-secret: postman # 客户端登录密码
            authorization-grant-type: authorization_code #认证方式为code
            #回调地址,需要配置到认证服务器中
            redirect-uri: http://localhost:8099/login/oauth2/code/flux-client
            scope: any #授权范围
            client-name: 客户端1 #显示名称
#          # /oauth2/authorization/flux-client2
          flux-client2:
            client-id: demo-client
            client-secret: demo-client
            authorization-grant-type: authorization_code
            redirect-uri: http://localhost:8099/login/oauth2/code/flux-client2
            scope: any
            client-name: 客户端2


          google: # google
            client-id: xxxxxxxxx
            client-secret: xxxxxxx
            client-name: Google认证


          facebook: # facebook
            client-id: xxxxxxxxx
            client-secret: xxxxxxx
            client-name: Facebook认证


          github: # github
            client-id: xxxxxxxxx
            client-secret: xxxxxxx
            client-name: Github认证

        provider:
          flux-client: # 注册客户端的认证信息
            authorization-uri: ${oauth2.server.url}/oauth/authorize # 认证服务器授权地址
            token-uri: ${oauth2.server.url}/oauth/token # 认证服务器token地址
            user-info-uri: http://localhost:8080/userInfo # 认证服务器用户信息地址
            userNameAttribute: username # 指定user-info-uri返回map中的属性名称用于表示用户名
          flux-client2:
            authorization-uri: ${oauth2.server.url}/oauth/authorize
            token-uri: ${oauth2.server.url}/oauth/token
            user-info-uri: http://localhost:8080/userInfo
            userNameAttribute: username
debug: true

# 可以打印sql
logging:
  level:
    org.springframework.data.r2dbc: DEBUG

ResController

请求资源服务示例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
package com.example.oauth2clientwebfluxdemo.controller;

import com.example.oauth2clientwebfluxdemo.exception.AjaxResponse;
import com.example.oauth2clientwebfluxdemo.exception.CustomException;
import com.example.oauth2clientwebfluxdemo.exception.CustomExceptionType;
import com.example.oauth2clientwebfluxdemo.security.CustomServerOAuth2AuthorizedClientRepository;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

import java.util.HashMap;
import java.util.Map;

/**
 * <h1>获取资源服务器数据</h1>
 * Created by hanqf on 2020/11/7 22:47.
 */

@RestController
@RequestMapping("/res")
public class ResController {

    private static final WebClient CLIENT = WebClient.create("http://localhost:8083");


    @Autowired
    private CustomServerOAuth2AuthorizedClientRepository customServerOAuth2AuthorizedClientRepository;

    /**
     * 获取资源服务器的数据
     */
    @RequestMapping("/res1")
    public Mono<AjaxResponse> getRes(Authentication principal, ServerWebExchange exchange) {
        if (principal instanceof OAuth2AuthenticationToken) {
            String authorizedClientRegistrationId = ((OAuth2AuthenticationToken) principal).getAuthorizedClientRegistrationId();
            Mono<OAuth2AuthorizedClient> oAuth2AuthorizedClientMono = customServerOAuth2AuthorizedClientRepository.loadAuthorizedClient(authorizedClientRegistrationId, principal, exchange);

            return oAuth2AuthorizedClientMono.flatMap(client -> {
                String tokenValue = client.getAccessToken().getTokenValue();
                String tokenType = client.getAccessToken().getTokenType().getValue();
                return CLIENT.get()
                        .uri("/res/res1")
                        //增加了Bearer安全认证,所以这里需要传递header认证信息
                        .header(HttpHeaders.AUTHORIZATION,
                                tokenType + " " + tokenValue)
                        .retrieve()//异步接收服务端响应
                        .bodyToMono(AjaxResponse.class)
                        .retry(3)
                        .defaultIfEmpty(AjaxResponse.success("返回结果为Null"));
            });
        } else {
            return Mono.just(AjaxResponse.error(new CustomException(CustomExceptionType.SYSTEM_ERROR,"Authentication类型转换异常")));
        }
    }

    @RequestMapping("/user")
    public Mono<AjaxResponse> getUser(Authentication principal, ServerWebExchange exchange) {
        if (principal instanceof OAuth2AuthenticationToken) {
            String authorizedClientRegistrationId = ((OAuth2AuthenticationToken) principal).getAuthorizedClientRegistrationId();
            Mono<OAuth2AuthorizedClient> oAuth2AuthorizedClientMono = customServerOAuth2AuthorizedClientRepository.loadAuthorizedClient(authorizedClientRegistrationId, principal, exchange);

            return oAuth2AuthorizedClientMono.flatMap(client -> {
                String tokenValue = client.getAccessToken().getTokenValue();
                String tokenType = client.getAccessToken().getTokenType().getValue();
                return CLIENT.post()
                        .uri("/user")
                        //增加了Bearer安全认证,所以这里需要传递header认证信息
                        .header(HttpHeaders.AUTHORIZATION,
                                tokenType + " " + tokenValue)
                        .retrieve()//异步接收服务端响应
                        .bodyToMono(AjaxResponse.class)
                        .retry(3)
                        .defaultIfEmpty(AjaxResponse.success("返回结果为Null"));
            });
        } else {
            return Mono.just(AjaxResponse.error(new CustomException(CustomExceptionType.SYSTEM_ERROR,"Authentication类型转换异常")));
        }
    }

    @RequestMapping("/rbac")
    public Mono<AjaxResponse> getRbac(Authentication principal, ServerWebExchange exchange) {
        if (principal instanceof OAuth2AuthenticationToken) {
            String authorizedClientRegistrationId = ((OAuth2AuthenticationToken) principal).getAuthorizedClientRegistrationId();
            Mono<OAuth2AuthorizedClient> oAuth2AuthorizedClientMono = customServerOAuth2AuthorizedClientRepository.loadAuthorizedClient(authorizedClientRegistrationId, principal, exchange);

            return oAuth2AuthorizedClientMono.flatMap(client -> {
                String tokenValue = client.getAccessToken().getTokenValue();
                String tokenType = client.getAccessToken().getTokenType().getValue();
                return CLIENT.get()
                        .uri("/rbac")
                        //增加了Bearer安全认证,所以这里需要传递header认证信息
                        .header(HttpHeaders.AUTHORIZATION,
                                tokenType + " " + tokenValue)
                        .retrieve()//异步接收服务端响应
                        .bodyToMono(AjaxResponse.class)
                        .retry(3)
                        .defaultIfEmpty(AjaxResponse.success("返回结果为Null"));
            });
        } else {
            return Mono.just(AjaxResponse.error(new CustomException(CustomExceptionType.SYSTEM_ERROR,"Authentication类型转换异常")));
        }
    }

    @RequestMapping("/userInfo")
    public Mono<Map> getuserInfo(Authentication principal, ServerWebExchange exchange) {
        if (principal instanceof OAuth2AuthenticationToken) {
            String authorizedClientRegistrationId = ((OAuth2AuthenticationToken) principal).getAuthorizedClientRegistrationId();
            Mono<OAuth2AuthorizedClient> oAuth2AuthorizedClientMono = customServerOAuth2AuthorizedClientRepository.loadAuthorizedClient(authorizedClientRegistrationId, principal, exchange);

            return oAuth2AuthorizedClientMono.flatMap(client -> {
                String tokenValue = client.getAccessToken().getTokenValue();
                String tokenType = client.getAccessToken().getTokenType().getValue();
                return CLIENT.get()
                        .uri("/userInfo")
                        //增加了Bearer安全认证,所以这里需要传递header认证信息
                        .header(HttpHeaders.AUTHORIZATION,
                                tokenType + " " + tokenValue)
                        .retrieve()//异步接收服务端响应
                        .bodyToMono(Map.class)
                        .retry(3)
                        .defaultIfEmpty(new HashMap());
            });
        } else {
            return Mono.error(new CustomException(CustomExceptionType.SYSTEM_ERROR,"Authentication类型转换异常"));
        }
    }

}