[TOC] # 流程图  ## 效果图  ## 配置应用回调地址  ## auth-sso模块 使用之前的应用回调地址  ``` server: port: 9997 # context-path: /clientOne #2.0不再使用此方式配置 security: ignored: /,/favicon.ico,/home.html,/dashboard.html,/js/**,/css/**,/webjars/** sessions: ALWAYS user: password: 123456 oauth2: sso: login-path: /dashboard/login client: client-id: owen client-secret: owen user-authorization-uri: http://127.0.0.1:9200/api-auth/oauth/authorize #直接配置认证中心端口(http://127.0.0.1:9200/oauth/authorize)，也可以配置网关端口 access-token-uri: http://127.0.0.1:9200/api-auth/oauth/token #直接配置认证中心端口(http://127.0.0.1:9200/oauth/authorize)，也可以配置网关端口 resource: # user-info-uri: http://127.0.0.1:8000/auth/users #返回认证服务器检查 # prefer-token-info: false token-info-uri: http://127.0.0.1:9200/api-auth/oauth/check_token #直接配置认证中心端口(http://127.0.0.1:9200/oauth/authorize)，也可以配置网关端口 prefer-token-info: true ``` ## 访问auth-sso后back-center中获取的令牌  ## 代码剖析 ### org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter 重定向 ``` protected void redirectUser(UserRedirectRequiredException e, HttpServletRequest request, HttpServletResponse response) throws IOException { String redirectUri = e.getRedirectUri(); UriComponentsBuilder builder = UriComponentsBuilder .fromHttpUrl(redirectUri); Map<String, String> requestParams = e.getRequestParams(); for (Map.Entry<String, String> param : requestParams.entrySet()) { builder.queryParam(param.getKey(), param.getValue()); } if (e.getStateKey() != null) { builder.queryParam("state", e.getStateKey()); } this.redirectStrategy.sendRedirect(request, response, builder.build() .encode().toUriString()); } ``` ### org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider * 获取授权码 * 获取token ### CheckToken的目的 当用户携带token 请求资源服务器的资源时,**OAuth2AuthenticationProcessingFilter**拦截token，进行token 和userdetails 过程，把无状态的token 转化成用户信息。  ### 详解 1. OAuth2AuthenticationManager.authenticate()，filter执行判断的入口  2. 当用户携带token 去请求微服务模块，被资源服务器拦截调用RemoteTokenServices.loadAuthentication ,执行所谓的check-token过程。 源码如下  3. CheckToken 处理逻辑很简单，就是调用redisTokenStore 查询token的合法性，及其返回用户的部分信息 （username ）  4. 继续看 返回给 RemoteTokenServices.loadAuthentication 最后一句 tokenConverter.extractAuthentication 解析组装服务端返回的信息  最重要的 userTokenConverter.extractAuthentication(map);  5，继续看 UerDetailsServiceImpl.loadUserByUsername 根据用户名去换取用户全部信息。  ## 传统项目集成sso资料 链接：https://pan.baidu.com/s/1dr7jDDPodJ9r-GO4S_pCnQ  提取码：3wat ### 授权码 AuthCodeInvoker使用演示  ## spring security 5以后全新方式集成sso  spring boot部分已经改造完毕，可以使用以下方式拥抱全新的api ##### sso 依赖 ``` <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-oauth2-client</artifactId> </dependency> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> ``` ##### 资源服务器依赖 ``` <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-oauth2-resource-server</artifactId> </dependency> ``` #### 首页  #### 认证中心  #### 认证成功  #### maven依赖  #### 代码改造  #### 配置  **OAuth2LoginAuthenticationFilter**过滤器进行处理。部分源码如下： ~~~ public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter { public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/oauth2/code/*"; private static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found"; private static final String CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE = "client_registration_not_found"; private ClientRegistrationRepository clientRegistrationRepository; private OAuth2AuthorizedClientRepository authorizedClientRepository; private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = new HttpSessionOAuth2AuthorizationRequestRepository(); public OAuth2LoginAuthenticationFilter(ClientRegistrationRepository clientRegistrationRepository, OAuth2AuthorizedClientService authorizedClientService) { this(clientRegistrationRepository, authorizedClientService, DEFAULT_FILTER_PROCESSES_URI); } // .... } ~~~