一、场景

三个角色：用户(user)，web应用(client)，资源服务器和授权服务器合为服务器(server)

用户登录登录后可查看自己的信息

二、准备

2.1 数据库

schema

drop table if exists oauth2_client;
drop table if exists oauth2_user;

create table oauth2_user (
  id bigint auto_increment,
  username varchar(100),
  password varchar(100),
  salt varchar(100),
  constraint pk_oauth2_user primary key(id)
) charset=utf8 ENGINE=InnoDB;
create unique index idx_oauth2_user_username on oauth2_user(username);

create table oauth2_client (
  id bigint auto_increment,
  client_name varchar(100),
  client_id varchar(100),
  client_secret varchar(100),
  constraint pk_oauth2_client primary key(id)
) charset=utf8 ENGINE=InnoDB;
create index idx_oauth2_client_client_id on oauth2_client(client_id);

data

DELIMITER ;
delete from oauth2_user;
delete from oauth2_client;

insert into oauth2_user values(1,'admin','d3c59d25033dbf980d29554025c23a75','8d78869f470951332959580424d4bf4f');
insert into oauth2_client values(1,'chapter17-client','c1ebe466-1cdc-4bd3-ab69-77c3561b9dee','d8346ea2-6017-43ed-ad68-19c0f971738b');

2.2 Server

zetark-oauth2-server

修改数据库链接 resources.properties

#dataSource configure
connection.url=jdbc:mysql://mysql-server:3306/shiro
connection.username=r00t
connection.password=r00t

2.3 Client

zetark-oauth2-client

三、过程分析

image

1）2）用户访问client首页，检测到用户未登录，重定向到login

image

3）4）点击授权登录，输入admin/123456后点击登录并授权按钮

image

image

// 3)授权请求  http://localhost:8080/zetark-oauth2-server/oauth2login
if (!isLogin && servletPath.startsWith("/login_authorize")) {
    String authorizeUrl = ClientParams.OAUTH_SERVER_AUTHORIZE_URL;
    authorizeUrl += "?client_id=c1ebe466-1cdc-4bd3-ab69-77c3561b9dee";
    authorizeUrl += "&response_type=code";
    authorizeUrl += "&&redirect_uri=" + ClientParams.OAUTH_SERVER_REDIRECT_URI;
    response.sendRedirect(authorizeUrl);
    return;
}
// 4)授权响应
if (!isLogin && servletPath.startsWith("/login_response")) {
    String code = request.getParameter("code");
    if (code != null) {
        
        // 6)7)令牌请求及响应 http://localhost:8080/zetark-oauth2-server/accessToken
        OAuthAccessTokenResponse tokenResponse = null;
        try {
            tokenResponse = OauthClient.makeTokenRequestWithAuthCode(code);
        } catch (OAuthProblemException e) {
            e.printStackTrace();
        } catch (OAuthSystemException e) {
            e.printStackTrace();
        }
        if (tokenResponse != null) {
            session.setAttribute("isLogin", true);
            session.setAttribute("token", tokenResponse.getAccessToken());
            session.setMaxInactiveInterval(tokenResponse.getExpiresIn().intValue());
            // 10)11) 根据token调用api
             String userInfoJson = OauthClient.getAuthedService(tokenResponse.getAccessToken());
            Map<String, Object> userInfo = new Gson().fromJson(userInfoJson, Map.class);
            System.out.println(userInfo);
            session.setAttribute("user", userInfo);
            response.sendRedirect("index");
            return;
        }
    } else {
        String errorDesc = request.getParameter("error_description");
        System.out.println("登录失败:" + errorDesc);
    }
}

访问过程

image

client_uri:/
client_uri:/login
# 用户访问client首页/，由于未登录被重定向到/login页面

client_uri:/login_authorize
server_uri:/oauth2login
# 用户在/login页面点击授权登录后，向server发起授权请求，server返回登录页面/oauth2login

server_uri:/authorize
client_uri:/login_response
# 用户在/oauth2login填写用户名密码后点击授权登录后，server验证后重定向到/login_resposne

server_uri:/accessToken
server_uri:/checkAccessToken
# client在处理/login_response时接收code并再发起令牌请求，server返回令牌

server_uri:/v1/openapi/userInfo
# client根据令牌信息请求api服务

client_uri:/index
# 向用户返回/index页面

四、参考

https://github.com/ameizi/oltu-oauth2-example