当前位置：首页 > news >正文

Spring Security OAuth2.1：现代化身份认证

news 2026/5/8 23:11:03

Spring Security OAuth2.1：现代化身份认证

核心概念

Spring Security OAuth2.1 是 Spring Security 提供的现代化身份认证解决方案，支持 OAuth 2.1 规范，提供了完整的认证和授权功能。OAuth2.1 对 OAuth 2.0 进行了改进，移除了不安全的隐式流，推荐使用授权码流，并增强了安全性。

OAuth2.1 的核心组件

Authorization Server：授权服务器，负责颁发令牌
Resource Server：资源服务器，保护受保护的资源
Client：客户端应用，请求访问资源
Resource Owner：资源所有者，授权客户端访问其资源

授权服务器配置

// 授权服务器配置 @Configuration @EnableAuthorizationServer public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { private final AuthenticationManager authenticationManager; private final DataSource dataSource; private final PasswordEncoder passwordEncoder; public AuthorizationServerConfig(AuthenticationManager authenticationManager, DataSource dataSource, PasswordEncoder passwordEncoder) { this.authenticationManager = authenticationManager; this.dataSource = dataSource; this.passwordEncoder = passwordEncoder; } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients.jdbc(dataSource) .withClient("client-id") .secret(passwordEncoder.encode("client-secret")) .authorizedGrantTypes("authorization_code", "refresh_token") .scopes("read", "write") .redirectUris("http://localhost:8080/callback") .accessTokenValiditySeconds(3600) .refreshTokenValiditySeconds(86400); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints .authenticationManager(authenticationManager) .tokenStore(tokenStore()) .approvalStore(approvalStore()) .authorizationCodeServices(authorizationCodeServices()); } @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security .tokenKeyAccess("permitAll()") .checkTokenAccess("isAuthenticated()") .allowFormAuthenticationForClients(); } @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource); } @Bean public ApprovalStore approvalStore() { return new JdbcApprovalStore(dataSource); } @Bean public AuthorizationCodeServices authorizationCodeServices() { return new JdbcAuthorizationCodeServices(dataSource); } }

资源服务器配置

// 资源服务器配置 @Configuration @EnableResourceServer public class ResourceServerConfig extends ResourceServerConfigurerAdapter { @Override public void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/api/public/**").permitAll() .antMatchers("/api/users/**").hasAuthority("SCOPE_read") .antMatchers("/api/admin/**").hasAuthority("SCOPE_write") .anyRequest().authenticated(); } @Override public void configure(ResourceServerSecurityConfigurer resources) throws Exception { resources .resourceId("resource-id") .tokenStore(tokenStore()); } @Bean public TokenStore tokenStore() { return new JdbcTokenStore(dataSource()); } @Bean @ConfigurationProperties(prefix = "spring.datasource") public DataSource dataSource() { return DataSourceBuilder.create().build(); } }

安全配置

// 安全配置 @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { auth.userDetailsService(userDetailsService) .passwordEncoder(passwordEncoder()); } @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .authorizeRequests() .antMatchers("/oauth/**", "/login/**", "/logout/**").permitAll() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login") .permitAll() .and() .logout() .logoutSuccessUrl("/login?logout") .permitAll(); } @Override @Bean public AuthenticationManager authenticationManagerBean() throws Exception { return super.authenticationManagerBean(); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }

JWT 令牌配置

// JWT 令牌配置 @Configuration public class JwtTokenConfig { @Bean public TokenStore tokenStore() { return new JwtTokenStore(jwtAccessTokenConverter()); } @Bean public JwtAccessTokenConverter jwtAccessTokenConverter() { JwtAccessTokenConverter converter = new JwtAccessTokenConverter(); converter.setSigningKey("my-signing-key"); return converter; } @Bean public TokenEnhancer tokenEnhancer() { return (accessToken, authentication) -> { Map<String, Object> additionalInfo = new HashMap<>(); additionalInfo.put("customClaim", "customValue"); ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo); return accessToken; }; } }

客户端配置

// OAuth2 客户端配置 @Configuration public class OAuth2ClientConfig { @Bean @ConfigurationProperties("spring.security.oauth2.client.registration.my-client") public ClientRegistration clientRegistration() { return ClientRegistration.withRegistrationId("my-client") .clientId("client-id") .clientSecret("client-secret") .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}") .scope("read", "write") .authorizationUri("http://localhost:8080/oauth/authorize") .tokenUri("http://localhost:8080/oauth/token") .userInfoUri("http://localhost:8080/userinfo") .userNameAttributeName(IdTokenClaimNames.SUB) .clientName("My Client") .build(); } @Bean public OAuth2AuthorizedClientService authorizedClientService( ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientRepository authorizedClientRepository) { return new DefaultOAuth2AuthorizedClientService(clientRegistrationRepository); } @Bean public OAuth2AuthorizedClientRepository authorizedClientRepository() { return new InMemoryOAuth2AuthorizedClientRepository(); } }

自定义用户信息

// 自定义用户详情服务 @Service public class CustomUserDetailsService implements UserDetailsService { @Autowired private UserRepository userRepository; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { User user = userRepository.findByUsername(username) .orElseThrow(() -> new UsernameNotFoundException("User not found")); return new org.springframework.security.core.userdetails.User( user.getUsername(), user.getPassword(), user.isEnabled(), true, true, true, getAuthorities(user.getRoles()) ); } private Collection<? extends GrantedAuthority> getAuthorities(List<String> roles) { return roles.stream() .map(SimpleGrantedAuthority::new) .collect(Collectors.toList()); } } // 用户实体 @Entity public class User { @Id @GeneratedValue(strategy = GenerationType.IDENTITY) private Long id; private String username; private String password; private boolean enabled; @ElementCollection private List<String> roles = new ArrayList<>(); // getters and setters }

刷新令牌

// 刷新令牌服务 @Service public class TokenRefreshService { @Autowired private OAuth2RestTemplate restTemplate; public OAuth2AccessToken refreshToken(String refreshToken) { OAuth2ClientContext clientContext = new DefaultOAuth2ClientContext(); ResourceOwnerPasswordResourceDetails resourceDetails = new ResourceOwnerPasswordResourceDetails(); resourceDetails.setClientId("client-id"); resourceDetails.setClientSecret("client-secret"); resourceDetails.setAccessTokenUri("http://localhost:8080/oauth/token"); resourceDetails.setRefreshToken(refreshToken); OAuth2AccessToken token = restTemplate.getOAuth2ClientContext().getAccessToken(); if (token.isExpired()) { token = restTemplate.getOAuth2ClientContext().getAccessToken(); } return token; } }

安全端点

// 用户信息端点 @RestController @RequestMapping("/userinfo") public class UserInfoController { @GetMapping public ResponseEntity<Map<String, Object>> getUserInfo(Principal principal) { Map<String, Object> userInfo = new HashMap<>(); userInfo.put("username", principal.getName()); userInfo.put("authorities", ((Authentication) principal).getAuthorities()); return ResponseEntity.ok(userInfo); } } // 健康检查端点 @RestController @RequestMapping("/health") public class HealthController { @GetMapping public ResponseEntity<Map<String, Object>> health() { return ResponseEntity.ok(Map.of("status", "UP")); } }