目的說明
解決不同客戶端使用token
,各個客戶端的登錄狀態必須保持一致,退出狀態實現一致。同上述問題類似如何解決不同租戶相同用戶名的人員的登錄狀態問題。
默認的DefaultTokenServices 創建邏輯
@Transactional
public OAuth2AccessToken createAccessToken(OAuth2Authentication authentication) throws AuthenticationException {
// 1. 判斷是否存在Token
OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
OAuth2RefreshToken refreshToken = null;
if (existingAccessToken != null) {
if (existingAccessToken.isExpired()) {
if (existingAccessToken.getRefreshToken() != null) {
refreshToken = existingAccessToken.getRefreshToken();
tokenStore.removeRefreshToken(refreshToken);
}
tokenStore.removeAccessToken(existingAccessToken);
}
else {
tokenStore.storeAccessToken(existingAccessToken, authentication);
return existingAccessToken;
}
}
// 2. 創建新token
OAuth2AccessToken accessToken = createAccessToken(authentication, refreshToken);
tokenStore.storeAccessToken(accessToken, authentication);
// In case it was modified
refreshToken = accessToken.getRefreshToken();
if (refreshToken != null) {
tokenStore.storeRefreshToken(refreshToken, authentication);
}
return accessToken;
}
判斷當前用戶是否存在token
我們來看 RedisTokenStore
的默認邏輯,注意Token key 的生成邏輯
OAuth2AccessToken existingAccessToken = tokenStore.getAccessToken(authentication);
@Override
public OAuth2AccessToken getAccessToken(OAuth2Authentication authentication) {
// 構造 默認保存的
String key = authenticationKeyGenerator.extractKey(authentication);
// key 加上前綴
byte[] serializedKey = serializeKey(AUTH_TO_ACCESS + key);
byte[] bytes = null;
RedisConnection conn = getConnection();
try {
bytes = conn.get(serializedKey);
} finally {
conn.close();
}
OAuth2AccessToken accessToken = deserializeAccessToken(bytes);
if (accessToken != null) {
OAuth2Authentication storedAuthentication = readAuthentication(accessToken.getValue());
if ((storedAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(storedAuthentication)))) {
storeAccessToken(accessToken, authentication);
}
}
return accessToken;
}
DefaultAuthenticationKeyGenerator拼接key
- 主要參考一下 當前用戶的
username
clientId
scope
,這樣導致不同客戶端的token 不一致,某個客戶端退出不會影響其他客戶端
public String extractKey(OAuth2Authentication authentication) {
Map<String, String> values = new LinkedHashMap<String, String>();
OAuth2Request authorizationRequest = authentication.getOAuth2Request();
if (!authentication.isClientOnly()) {
values.put(USERNAME, authentication.getName());
}
values.put(CLIENT_ID, authorizationRequest.getClientId());
if (authorizationRequest.getScope() != null) {
values.put(SCOPE, OAuth2Utils.formatParameterList(new TreeSet<String>(authorizationRequest.getScope())));
}
return generateKey(values);
}
重寫token key 的生成規則
public class PigxAuthenticationKeyGenerator extends DefaultAuthenticationKeyGenerator {
private static final String SCOPE = "scope";
private static final String USERNAME = "username";
@Override
public String extractKey(OAuth2Authentication authentication) {
Map<String, String> values = new LinkedHashMap<String, String>();
OAuth2Request authorizationRequest = authentication.getOAuth2Request();
if (!authentication.isClientOnly()) {
values.put(USERNAME, authentication.getName());
}
if (authorizationRequest.getScope() != null) {
values.put(SCOPE, OAuth2Utils.formatParameterList(new TreeSet<String>(authorizationRequest.getScope())));
}
// 如果是多租戶系統,這裏要區分租戶ID 條件
return generateKey(values);
}
}
注入tokenstroe 即可實現如上效果
@Bean
public TokenStore tokenStore() {
RedisTokenStore tokenStore = new RedisTokenStore(redisConnectionFactory);
tokenStore.setPrefix(SecurityConstants.PIGX_PREFIX + SecurityConstants.OAUTH_PREFIX);
tokenStore.setAuthenticationKeyGenerator(new PigxAuthenticationKeyGenerator());
return tokenStore;
}
總結
- 更多關於oauth2 擴展方面歡迎翻我的博客https://my.oschina.net/giegie
- 配套實踐項目歡迎關注 基於Spring Boot 2.1.7、 Spring Cloud Greenwich.SR2、 OAuth2 的RBAC 權限管理系統