[TOC]

# Flowchart

![](https://box.kancloud.cn/67d93f20bc068f1d15de6a341ee7ad2f_978x593.png)

## Result

![](https://img.kancloud.cn/9f/cf/9fcf50e6f976a338abc4d79793716fb9_1920x1028.gif)

## Configure the application callback address

![](https://img.kancloud.cn/70/f1/70f14def5a3f147bfc42885462612b38_1671x707.png)

## auth-sso module

Uses the application callback address configured above.

![](https://img.kancloud.cn/8f/71/8f71ad896c2eb0f41891f0e7b7c475ac_1303x406.png)

```
server:
  port: 9997
#  context-path: /clientOne   # 2.0 no longer configures it this way
security:
  ignored: /,/favicon.ico,/home.html,/dashboard.html,/js/**,/css/**,/webjars/**
  sessions: ALWAYS
  user:
    password: 123456
  oauth2:
    sso:
      login-path: /dashboard/login
    client:
      client-id: owen
      client-secret: owen
      user-authorization-uri: http://127.0.0.1:9200/api-auth/oauth/authorize   # point directly at the auth server port (http://127.0.0.1:9200/oauth/authorize); the gateway port also works
      access-token-uri: http://127.0.0.1:9200/api-auth/oauth/token             # point directly at the auth server port (http://127.0.0.1:9200/oauth/authorize); the gateway port also works
    resource:
#      user-info-uri: http://127.0.0.1:8000/auth/users   # check back with the authorization server
#      prefer-token-info: false
      token-info-uri: http://127.0.0.1:9200/api-auth/oauth/check_token        # point directly at the auth server port (http://127.0.0.1:9200/oauth/authorize); the gateway port also works
      prefer-token-info: true
```

## Token obtained in back-center after visiting auth-sso

![](https://img.kancloud.cn/56/47/56474cf8972e4c8d8bd9e556a35e96e8_1914x649.png)

## Code analysis

### org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter

Redirect:

```
protected void redirectUser(UserRedirectRequiredException e, HttpServletRequest request,
        HttpServletResponse response) throws IOException {
    String redirectUri = e.getRedirectUri();
    UriComponentsBuilder builder = UriComponentsBuilder.fromHttpUrl(redirectUri);
    Map<String, String> requestParams = e.getRequestParams();
    for (Map.Entry<String, String> param : requestParams.entrySet()) {
        builder.queryParam(param.getKey(), param.getValue());
    }
    if (e.getStateKey() != null) {
        builder.queryParam("state", e.getStateKey());
    }
    this.redirectStrategy.sendRedirect(request, response, builder.build().encode().toUriString());
}
```

### org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeAccessTokenProvider

* Obtains the authorization code
* Obtains the token

### Purpose of CheckToken

When a user carries a token to request a resource on the resource server, **OAuth2AuthenticationProcessingFilter** intercepts the token and runs the token-to-UserDetails process, turning the stateless token into user information.

![](https://box.kancloud.cn/99dbcc024948c7e702de7c67932a5d34_920x493.png)

### Walkthrough

1. OAuth2AuthenticationManager.authenticate() is the entry point where the filter makes its decision.

![](https://box.kancloud.cn/74db1bf14eadea9d24185ac8f89f5630_1269x737.png)

2. When a user carries a token to request a microservice module, the resource server intercepts the request and calls RemoteTokenServices.loadAuthentication, which performs the so-called check-token process. Source:

![](https://box.kancloud.cn/96a9b7cbd9114287e120268670d9739a_1195x507.png)

3. The CheckToken handling logic is simple: it calls redisTokenStore to verify the token's validity and returns part of the user's information (username).

![](https://box.kancloud.cn/50d167df2fddec7a2ef021d98ee01f3d_1293x665.png)

4. Back in RemoteTokenServices.loadAuthentication, look at the last statement, tokenConverter.extractAuthentication, which parses and assembles the information returned by the server.

![](https://box.kancloud.cn/d5484017859b8f5fbbbc0938deb75885_1320x576.png)

The most important call is userTokenConverter.extractAuthentication(map);

![](https://box.kancloud.cn/27101544ac168fedf70445ed6dd682a8_1328x465.png)

5. Continue into UserDetailsServiceImpl.loadUserByUsername, which exchanges the username for the full user information.

![](https://box.kancloud.cn/ecefb4bf94a97fd399950ce608aca123_1315x727.png)

## Material on integrating SSO into traditional projects

Link: https://pan.baidu.com/s/1dr7jDDPodJ9r-GO4S_pCnQ  Extraction code: 3wat

### Authorization code: AuthCodeInvoker demo

![](https://box.kancloud.cn/228979149b36a6449f0f6ac365b595d7_1922x950.gif)

## Brand-new way of integrating SSO since Spring Security 5

![](https://img.kancloud.cn/17/ed/17ed58b726d75dafec81c60053416e4c_1752x802.png)

The Spring Boot part has been refactored; the brand-new API can be adopted as follows.

##### SSO dependencies

```
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
```

##### Resource server dependencies

```
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
```

#### Home page

![](https://img.kancloud.cn/88/0e/880e45f7c23958116168426a8ebe7d30_2557x647.png)

#### Authentication center

![](https://img.kancloud.cn/b5/62/b5629ff81edb89813fdd0a52d7f36bef_2560x804.png)

#### Authentication succeeded

![](https://img.kancloud.cn/d3/e8/d3e86dd12210cf598e74a9eca3ef42b1_2557x629.png)

#### Maven dependencies

![](https://img.kancloud.cn/94/67/94670a827de6f438168dfa0d99b8dc7a_1955x775.png)

#### Code changes

![](https://img.kancloud.cn/4a/9a/4a9a9026da54bfe46baa94e0b6779721_1977x810.png)

#### Configuration

![](https://img.kancloud.cn/74/02/74025f1590c5a61e7244e9507170860c_2022x848.png)

The **OAuth2LoginAuthenticationFilter** filter handles the callback. Part of its source:

~~~
public class OAuth2LoginAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    public static final String DEFAULT_FILTER_PROCESSES_URI = "/login/oauth2/code/*";

    private static final String AUTHORIZATION_REQUEST_NOT_FOUND_ERROR_CODE = "authorization_request_not_found";

    private static final String CLIENT_REGISTRATION_NOT_FOUND_ERROR_CODE = "client_registration_not_found";

    private ClientRegistrationRepository clientRegistrationRepository;

    private OAuth2AuthorizedClientRepository authorizedClientRepository;

    private AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository =
            new HttpSessionOAuth2AuthorizationRequestRepository();

    public OAuth2LoginAuthenticationFilter(ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientService authorizedClientService) {
        this(clientRegistrationRepository, authorizedClientService, DEFAULT_FILTER_PROCESSES_URI);
    }

    // ....
}
~~~
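The five walkthrough steps in the "Purpose of CheckToken" section above are wired together by one resource-server configuration. The following is an added example written for this page, not the project's own code: it uses the legacy spring-security-oauth2 2.x classes the walkthrough names (RemoteTokenServices, DefaultAccessTokenConverter, DefaultUserAuthenticationConverter), the page's check_token URL and client credentials (owen/owen), and assumes a UserDetailsService bean (the page's UserDetailsServiceImpl) is present in the context. The class name CheckTokenResourceServerConfig is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/**
 * Added example: resource server that validates every bearer token remotely
 * against the auth server's check_token endpoint (walkthrough steps 1-5).
 */
@Configuration
@EnableResourceServer
public class CheckTokenResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Assumption: the page's UserDetailsServiceImpl is registered as a bean.
    private final UserDetailsService userDetailsService;

    public CheckTokenResourceServerConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // Step 1: OAuth2AuthenticationManager delegates to these token services
        // when OAuth2AuthenticationProcessingFilter extracts a bearer token.
        resources.tokenServices(tokenServices());
    }

    @Bean
    public ResourceServerTokenServices tokenServices() {
        // Steps 4 and 5: userTokenConverter.extractAuthentication(map) reads
        // "user_name" from the check_token response and, because a
        // UserDetailsService is set, calls loadUserByUsername to replace the
        // partial remote data with the locally loaded user and its authorities.
        DefaultUserAuthenticationConverter userConverter = new DefaultUserAuthenticationConverter();
        userConverter.setUserDetailsService(userDetailsService);

        DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
        tokenConverter.setUserTokenConverter(userConverter);

        // Step 2: loadAuthentication POSTs the token to check_token, authenticating
        // the resource server itself with HTTP Basic client credentials.
        // Step 3 (token lookup in redisTokenStore) happens on the auth server side.
        RemoteTokenServices services = new RemoteTokenServices();
        services.setCheckTokenEndpointUrl("http://127.0.0.1:9200/api-auth/oauth/check_token");
        services.setClientId("owen");
        services.setClientSecret("owen");
        services.setAccessTokenConverter(tokenConverter);
        return services;
    }
}
```

The design trade-off worth knowing: because every request round-trips to check_token, a token removed from redisTokenStore is rejected by all resource servers immediately, which a self-contained JWT cannot offer; the cost is one extra HTTP call per request and a hard dependency on the auth server being reachable. The client secret used for that call belongs to the resource server, so it should not be the same credential as a browser-facing client in a real deployment.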
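The configuration screenshot above is only an image, so here is the same Spring Security 5 setup as an added Java example (not the project's code): a ClientRegistration for the page's client owen pointing at the page's authorize and token URLs, plus a filter chain that uses oauth2Login (the callback is handled by the OAuth2LoginAuthenticationFilter shown above, whose DEFAULT_FILTER_PROCESSES_URI matches the redirect URI template used here) and opaque-token introspection against check_token as the replacement for RemoteTokenServices. Assumptions beyond the page: Spring Security 5.8 or later, a user-info endpoint and its "user_name" attribute, the scope name "all", and that check_token answers with an RFC 7662 style JSON body containing "active": true, which NimbusOpaqueTokenIntrospector requires.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.SecurityFilterChain;

/** Added example: Spring Security 5 replacement for the @EnableOAuth2Sso YAML above. */
@Configuration
@EnableWebSecurity
public class Sso5SecurityConfig {

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration owen = ClientRegistration.withRegistrationId("owen")
                .clientId("owen")
                .clientSecret("owen")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // Expands to http://<host>:<port>/login/oauth2/code/owen, which is
                // what OAuth2LoginAuthenticationFilter's "/login/oauth2/code/*" matches.
                .redirectUri("{baseUrl}/login/oauth2/code/{registrationId}")
                .scope("all") // assumption: scope granted to this client on the auth server
                .authorizationUri("http://127.0.0.1:9200/api-auth/oauth/authorize")
                .tokenUri("http://127.0.0.1:9200/api-auth/oauth/token")
                // Assumption: an endpoint returning the logged-in user as JSON;
                // "user_name" is the attribute used as the principal name.
                .userInfoUri("http://127.0.0.1:9200/api-auth/users/current")
                .userNameAttributeName("user_name")
                .clientName("owen")
                .build();
        return new InMemoryClientRegistrationRepository(owen);
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // Same public paths as the page's security.ignored list, which has no
            // equivalent property in the new API and must be expressed here.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/", "/favicon.ico", "/home.html", "/dashboard.html",
                                 "/js/**", "/css/**", "/webjars/**").permitAll()
                .anyRequest().authenticated())
            // Browser login: redirect to /oauth2/authorization/owen. The "state" value
            // is saved by HttpSessionOAuth2AuthorizationRequestRepository and checked
            // on the callback, so a forged or replayed callback is rejected.
            .oauth2Login(Customizer.withDefaults())
            // API calls carrying a bearer token: introspection replaces RemoteTokenServices.
            .oauth2ResourceServer(rs -> rs.opaqueToken(opaque -> opaque
                .introspectionUri("http://127.0.0.1:9200/api-auth/oauth/check_token")
                .introspectionClientCredentials("owen", "owen")));
        return http.build();
    }
}
```

With both oauth2Login and oauth2ResourceServer on one chain, requests that carry an invalid Bearer header get a 401 with a WWW-Authenticate header, while plain browser requests are redirected to the authorization server; the two entry points are selected by the presence of the bearer token. opaqueToken() additionally requires com.nimbusds:oauth2-oidc-sdk on the classpath, which spring-boot-starter-oauth2-resource-server does not pull in by default.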