Spring Security OAuth 默認提供OAuth2.0 的四大基本授權方式(authorization_code\implicit\password\client_credential),除此之外我們也能夠自定義授權方式。
先了解一下Spring Security OAuth提供的兩個默認 Endpoints,一個是AuthorizationEndpoint,這個是僅用于授權碼(authorization_code)和簡化(implicit)模式的。另外一個是TokenEndpoint,用于OAuth2授權時下發Token,根據授予類型(GrantType)的不同而執行不同的驗證方式。
OAuth2協議這里就不做過多介紹了,比較重要的一點是理解認證中各個角色的作用,以及認證的目的(獲取用戶信息或是具備使用API的權限)。例如在authorization_code模式下,用戶(User)在認證服務的網站上進行登錄,網站跳轉回第三方應用(Client),第三方應用通過Secret和Code換取Token后向資源服務請求用戶信息;而在client_credential模式下,第三方應用通過Secret直接獲得Token后可以直接利用其訪問資源API。所以我們應該根據實際的情景選擇適合的認證模式。
對于手機驗證碼的認證模式,我們首先提出短信驗證的通常需求:
- 每發一次驗證碼只能嘗試驗證5次,防止暴力破解
- 限制驗證碼發送頻率,單個用戶(這里簡單使用手機號區分)1分鐘1條,24小時x條
- 限制驗證碼有效期,15分鐘
我們根據業務需求構造出對應的模型:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
@Datapublic class SmsVerificationModel { /** * 手機號 */ private String phoneNumber; /** * 驗證碼 */ private String captcha; /** * 本次驗證碼驗證失敗次數,防止暴力嘗試 */ private Integer failCount; /** * 該user當日嘗試次數,防止濫發短信 */ private Integer dailyCount; /** * 限制短信發送頻率和實現驗證碼有效期 */ private Date lastSentTime; /** * 是否驗證成功 */ private Boolean verified = false;} |
我們預想的認證流程:
接下來要對Spring Security OAuth進行定制,這里直接仿照一個比較相似的password模式,首先需要編寫一個新的TokenGranter,處理sms類型下的TokenRequest,這個SmsTokenGranter會生成SmsAuthenticationToken,并將AuthenticationToken交由SmsAuthenticationProvider進行驗證,驗證成功后生成通過驗證的SmsAuthenticationToken,完成Token的頒發。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
public class SmsTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "sms"; private final AuthenticationManager authenticationManager; public SmsTokenGranter(AuthenticationManager authenticationManager, AuthorizationServerTokenServices tokenServices, ClientDetailsService clientDetailsService, OAuth2RequestFactory requestFactory){ super(tokenServices, clientDetailsService, requestFactory, GRANT_TYPE); this.authenticationManager = authenticationManager; } @Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest tokenRequest) { Map<String, String> parameters = new LinkedHashMap<>(tokenRequest.getRequestParameters()); String phone = parameters.get("phone"); String code = parameters.get("code"); Authentication userAuth = new SmsAuthenticationToken(phone, code); try { userAuth = authenticationManager.authenticate(userAuth); } catch (AccountStatusException ase) { throw new InvalidGrantException(ase.getMessage()); } catch (BadCredentialsException e) { throw new InvalidGrantException(e.getMessage()); } if (userAuth == null || !userAuth.isAuthenticated()) { throw new InvalidGrantException("Could not authenticate user: " + username); } OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest); return new OAuth2Authentication(storedOAuth2Request, userAuth); }} |
對應的SmsAuthenticationToken,其中一個構造方法是認證后的。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
public class SmsAuthenticationToken extends AbstractAuthenticationToken { private final Object principal; private Object credentials; public SmsAuthenticationToken(Object principal, Object credentials) { super(null); this.credentials = credentials; this.principal = principal; } public SmsAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) { super(authorities); this.principal = principal; this.credentials = credentials; // 表示已經認證 super.setAuthenticated(true); } ...} |
SmsAuthenticationProvider是仿照AbstractUserDetailsAuthenticationProvider編寫的,這里僅僅列出核心部分。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
public class SmsAuthenticationProvider implements AuthenticationProvider { @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException { String username = authentication.getName(); UserDetails user = retrieveUser(username); preAuthenticationChecks.check(user); String phoneNumber = authentication.getPrincipal().toString(); String code = authentication.getCredentials().toString(); // 嘗試從Redis中取出Model SmsVerificationModel verificationModel = Optional.ofNullable( redisService.get(SMS_REDIS_PREFIX + phoneNumber, SmsVerificationModel.class)) .orElseThrow(() -> new BusinessException(OAuthError.SMS_VERIFY_BEFORE_SEND)); // 判斷短信驗證次數 Optional.of(verificationModel).filter(x -> x.getFailCount() < SMS_VERIFY_FAIL_MAX_TIMES) .orElseThrow(() -> new BusinessException(OAuthError.SMS_VERIFY_COUNT_EXCEED)); Optional.of(verificationModel).map(SmsVerificationModel::getLastSentTime) // 驗證碼發送15分鐘內有效,等價于發送時間加上15分鐘晚于當下 .filter(x -> DateUtils.addMinutes(x,15).after(new Date())) .orElseThrow(() -> new BusinessException(OAuthError.SMS_CODE_EXPIRED)); verificationModel.setVerified(Objects.equals(code, verificationModel.getCaptcha())); verificationModel.setFailCount(verificationModel.getFailCount() + 1); redisService.set(SMS_REDIS_PREFIX + phoneNumber, verificationModel, 1, TimeUnit.DAYS); if(!verificationModel.getVerified()){ throw new BusinessException(OAuthError.SmsCodeWrong); } postAuthenticationChecks.check(user); return createSuccessAuthentication(user, authentication, user); } ... |
接下來要通過配置啟用我們定制的類,首先配置AuthorizationServerEndpointsConfigurer,添加上我們的TokenGranter,然后是AuthenticationManagerBuilder,添加我們的AuthenticationProvider。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
@Configuration@EnableAuthorizationServerpublic class OAuth2Config extends AuthorizationServerConfigurerAdapter { @Override public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { security .passwordEncoder(passwordEncoder) .checkTokenAccess("isAuthenticated()") .tokenKeyAccess("permitAll()") // 允許使用Query字段驗證客戶端,即client_id/client_secret 能夠放在查詢參數中 .allowFormAuthenticationForClients(); } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager) .userDetailsService(userDetailsService) .tokenStore(tokenStore); List<TokenGranter> tokenGranters = new ArrayList<>(); tokenGranters.add(new AuthorizationCodeTokenGranter(endpoints.getTokenServices(), endpoints.getAuthorizationCodeServices(), clientDetailsService, endpoints.getOAuth2RequestFactory())); ... tokenGranters.add(new SmsTokenGranter(authenticationManager, endpoints.getTokenServices(), clientDetailsService, endpoints.getOAuth2RequestFactory())); endpoints.tokenGranter(new CompositeTokenGranter(tokenGranters)); }} |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
@EnableWebSecurity@Configurationpublic class SecurityConfig extends WebSecurityConfigurerAdapter { ... @Override protected void configure(AuthenticationManagerBuilder auth) { auth.authenticationProvider(daoAuthenticationProvider()); } @Bean public AuthenticationProvider smsAuthenticationProvider(){ SmsAuthenticationProvider smsAuthenticationProvider = new SmsAuthenticationProvider(); smsAuthenticationProvider.setUserDetailsService(userDetailsService); smsAuthenticationProvider.setSmsAuthService(smsAuthService); return smsAuthenticationProvider; }} |
那么短信驗證碼授權的部分就到這里了,最后還有一個發送短信的接口,這里就不展示了。
最后測試一下,curl --location --request POST 'http://localhost:8080/oauth/token?grant_type=sms&client_id=XXX&phone=手機號&code=驗證碼' ,成功。
|
1
2
3
4
5
6
|
{ "access_token": "39bafa9a-7e5b-4ba4-9eda-e307ac98aad1", "token_type": "bearer", "expires_in": 3599, "scope": "ALL"} |
到此這篇關于Spring Security OAuth 自定義授權方式實現手機驗證碼的文章就介紹到這了,更多相關Spring Security OAuth手機驗證碼內容請搜索服務器之家以前的文章或繼續瀏覽下面的相關文章希望大家以后多多支持服務器之家!
原文鏈接:https://juejin.cn/post/6923568301939359752
