Explain in detail how to use spring security OAuth to implement OAuth 2.0 authorization

OAuth 2.0 is the industry-standard protocol for authorization. It supersedes the work done on the original OAuth protocol, which was started in 2006, and focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones and living room devices.

Four roles of OAuth 2.0

For ease of understanding, the commonly used WeChat login is taken as the example throughout.

Resource Owner

The resource owner corresponds to each WeChat user. The personal information a user sets on WeChat belongs to that user, not to Tencent.

Resource Server

The resource server is usually the REST API that exposes operations (create, read, update, delete) on user data, such as the WeChat interface for obtaining basic user information.

Client Application

The third-party client corresponds to the many WeChat official accounts built by third-party developers. After the user has authorized the client, the authorization server issues it a token, and the client uses that token to call the resource server's REST API for the user's basic information (avatar, gender, region and so on).

Authorization Server

The authorization server verifies whether the third-party client is legitimate and, if so, issues a token to the client; the third party then calls the resource server's API with that token.

Four authorization methods (grant type)

authorization_code

Authorization code type, suitable for web server applications. The flow is: the client first redirects the user to /oauth/authorize, where the user logs in and approves the request; the authorization server redirects back to the client's registered redirect URI with a short-lived code; the client then exchanges that code, together with its client id and client secret, for an access token at /oauth/token. The user's credentials are never seen by the client, and the token never passes through the browser.

implicit

Implicit type, with fewer steps than the authorization code type because there is no code exchange. After the user authorizes the client application, the authorization server places the access token directly in the fragment of the redirect URL, and the client parses the URL to obtain the token. This method is not very secure, because the token is exposed in the browser (address bar, history, referrers); the risk can be reduced by using HTTPS and a short access token lifetime, and current OAuth 2.0 security guidance recommends the authorization code grant (with PKCE) for browser-based clients instead.

password

Password type. The client application obtains an access token directly from the user's username and password. It is only suitable when the authorization server fully trusts the client, because the user has to hand the username and password to the client application itself; the client sends them to the token endpoint, receives a token, and then uses the token to access the resource server. For example, Alipay can log in directly with a Taobao username and password, because both belong to the same company and trust each other fully.

client_credentials

Client credentials type. No user is involved; it is used for integration between services. For example, a self-developed application that needs to call an SMS verification code provider, a map provider or a mobile push provider uses the appid and appsecret issued by that provider to obtain a token directly, and then calls the service with the token.

Other concepts

Implementation

Sometimes the resource server and the authorization server are two different applications, and sometimes they live in the same application. The difference is how the resource server validates a token: when they are separate, the resource server has to verify each token remotely (for example through the authorization server's check-token endpoint) or with a shared token store or signing key; when they are in the same application, the token store is shared locally and no remote call is needed. The latter is implemented here.

Security configuration of application
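The application security configuration that the original page refers to is not reproduced on it; the class below is an added example (not the page's or the Spring project's own code) written against the Spring Security OAuth 2.x API as used with Spring Boot 1.5. The package name, the demo user `alice` and the password are assumptions. Note that the spring-security-oauth2 project has reached end of life and its successor for new work is Spring Authorization Server, but the configuration shown is what this article describes.

```java
// Added example (assumed package and demo user); not from the original page.
package com.example.oauth;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Used both for user passwords and (in the authorization server config)
    // for client secrets, so neither is stored or compared in plain text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // Expose the AuthenticationManager as a bean: the authorization server
    // needs it for the password grant, where the token endpoint has to
    // authenticate the resource owner's username and password.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Demo resource owner kept in memory; a real deployment loads users
        // from its own user store. The password is hashed before storage.
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("alice")
            .password(passwordEncoder().encode("alice-password"))
            .roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // /oauth/authorize must be reached by a logged-in user, so the
        // authorization code and implicit grants send the browser through
        // form login first; the user then sees the consent page.
        http.authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .formLogin().permitAll();
    }
}
```

This chain is the one that handles the browser-facing part of the authorization code flow. Requests to the resource API are meant to be handled by the resource server's bearer-token chain instead, which is why the filter order setting discussed later matters: if this chain ran first, an API call without a session would be redirected to the login page rather than rejected with a 401.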

Authentication server configuration
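The authorization server configuration is likewise missing from the page as collected; the following is an added example (not the page's or the project's own code), again against the Spring Security OAuth 2.x API. It registers one client per grant type discussed above so the differences are visible in one place. The client ids, secrets, scopes and redirect URI are assumptions.

```java
// Added example (assumed client ids, secrets and redirect URI); not from the original page.
package com.example.oauth;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private PasswordEncoder passwordEncoder;

    // Because the resource server runs in the same application it picks up
    // this TokenStore bean and validates tokens locally, with no remote
    // check-token call. An in-memory store is for demonstration only.
    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            // Web server application: authorization code grant, registered
            // redirect URI so a code cannot be sent to an attacker's host.
            .withClient("web-client")
                .secret(passwordEncoder.encode("web-secret"))
                .authorizedGrantTypes("authorization_code", "refresh_token")
                .scopes("read", "write")
                .redirectUris("https://client.example.com/callback")
                .accessTokenValiditySeconds(3600)
                .refreshTokenValiditySeconds(86400)
            .and()
            // Fully trusted first-party client: allowed to use the password grant.
            .withClient("trusted-client")
                .secret(passwordEncoder.encode("trusted-secret"))
                .authorizedGrantTypes("password", "refresh_token")
                .scopes("read", "write")
                .accessTokenValiditySeconds(3600)
            .and()
            // Service-to-service integration with no user involved: client credentials.
            .withClient("batch-service")
                .secret(passwordEncoder.encode("batch-secret"))
                .authorizedGrantTypes("client_credentials")
                .scopes("read")
                .accessTokenValiditySeconds(600);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
            .tokenStore(tokenStore())
            // Needed only for the password grant: the token endpoint checks
            // the resource owner's credentials through this manager.
            .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) {
        security
            // Client secrets above are BCrypt hashes, so client authentication
            // at /oauth/token must compare with the same encoder.
            .passwordEncoder(passwordEncoder)
            .tokenKeyAccess("permitAll()")
            // /oauth/check_token stays available to authenticated clients in
            // case a separate resource server later needs remote validation.
            .checkTokenAccess("isAuthenticated()")
            .allowFormAuthenticationForClients();
    }
}
```

With this in place, the password grant is exercised with `POST /oauth/token` using HTTP Basic `trusted-client:trusted-secret` and form fields `grant_type=password`, `username=alice`, `password=alice-password`, `scope=read`; the client credentials grant uses `batch-service:batch-secret` with `grant_type=client_credentials`; and `web-client` must start at `/oauth/authorize?response_type=code&client_id=web-client&redirect_uri=https://client.example.com/callback&scope=read`, then exchange the returned code with `grant_type=authorization_code`. A request that asks for a grant type the client was not registered for is refused with `unauthorized_client`, which is the check that keeps a third-party web client from ever using the password grant.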

Resource server configuration
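The resource server configuration that the heading refers to is also absent from the collected page; below is an added example (not the page's or the project's own code) for the same-application setup the article describes. The resource id `user-api`, the `/api/**` path and the sample controller are assumptions.

```java
// Added example (assumed resource id, paths and controller); not from the original page.
package com.example.oauth;

import java.security.Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // A token is accepted only if it was issued for this resource id
        // (clients with no resource ids registered are allowed by default).
        // stateless(true): no HTTP session is created for bearer-token calls.
        resources.resourceId("user-api").stateless(true);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // Restrict this bearer-token chain to /api/**; everything else falls
        // through to the form-login chain in WebSecurityConfig. Without the
        // requestMatchers() call this chain would claim every request.
        http.requestMatchers().antMatchers("/api/**")
            .and()
            .authorizeRequests()
                // Scope check: the token must carry the "read" scope, which the
                // authorization server only grants if the client asked for it
                // and is registered with it.
                .antMatchers("/api/user/**").access("#oauth2.hasScope('read')")
                .anyRequest().authenticated();
    }
}

// Counterpart of the "basic user information" interface in the WeChat example:
// the principal is resolved from the bearer token by the resource server filter.
@RestController
class UserInfoController {

    @GetMapping("/api/user/me")
    public Principal me(Principal principal) {
        return principal;
    }
}
```

A call such as `GET /api/user/me` with `Authorization: Bearer <access_token>` returns the authenticated principal; the same call with no token, an expired token, or a token without the `read` scope is answered with 401 or 403 and an `error` body rather than a redirect to the login page, provided the resource server chain runs before the form-login chain.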

Resource server filter order settings

In application.yml, set the resource server filter order to 3:

security.oauth2.resource.filter-order: 3

The reason is a change in Spring Boot 1.5: the OAuth2 resource server filter chain no longer defaults to order 3 but to just before SecurityProperties.ACCESS_OVERRIDE_ORDER, so a WebSecurityConfigurerAdapter (default order 100) now runs ahead of it. With the default, an unauthenticated call to the API is intercepted by the form-login chain and redirected to the login page instead of being checked for a bearer token. Setting the order to 3 restores the ordering used in Spring Boot 1.4, so the resource server chain handles the API requests first.

The content of this article was collected from the network and is provided as a learning reference; the copyright belongs to the original author.