Third party authentication -outh2 principle and analysis

Posted by $0.05$ on Tue, 23 Nov 2021 06:20:14 +0100

I read a lot of articles about outh2 application, and the introduction is rather obscure and difficult to understand. At the same time, there is no actual case description,
Next, I will explain with a simple case of security+outh2 and explain why this implementation method is the best through the wechat authentication process.

1. Security implements Outh2 login

1.1 project environment construction and description
  • Build springboot project and introduce dependency
 		<!-- for Spring Security -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>

        <!-- for OAuth 2.0 -->
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
        </dependency>
  • My site resources

By default, access will be blocked by security login. Enter configuration information to access interface resources

@RestController
@RequestMapping("/api")
public class ExampleController {

    @RequestMapping("/hello")
    public String hello() {
        return "world";
    }

}

User information configuration:

security.user.name=lonk
security.user.password=lonk
  • Restrict resource access

To access resources only after logging in through outh2, we need to restrict resource access. We configure a resource server

@Configuration 
@EnableResourceServer
public class OAuth2ResourceServer extends ResourceServerConfigurerAdapter {


    /***
     *  Configure access rights
     *
     * @param http
     * @throws Exception
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest()
                .authenticated()
                .and()
                .requestMatchers()
                .antMatchers("/api/**"); 
                // Turn on authentication for "/ api / * *"
    }

}

After configuration, the access interface will be blocked

  • Authorization server

The authorization server is similar to the third-party authentication and provides an authorization information; At this time, the overall environment of the project is set up. The specific certification process is explained below.

@Configuration
@EnableAuthorizationServer
public class OAuth2AuthorizationServer extends AuthorizationServerConfigurerAdapter {

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("client_app_id")
                .secret("pwd123456") 
                .redirectUris("http://localhost:8080/callback")
                .authorizedGrantTypes("authorization_code") // Authorization code mode
                .scopes("read_userinfo") // Licensable Scope
                ;
    }

}
1.2 verification code mode authentication process
  • Obtain authorization code

1. Browser access: http://localhost:8080/oauth/authorize?
client_id=client_app_id&
redirect_uri=http://localhost:8080/callback&
response_type=code&
scope=read_userinfo
2. If blocked, enter the security configuration username and password
3. If the verification is successful, it will be redirected to: http://localhost:8080/callback?code=sSGEXP , the code value is the authorization code.

  • Get access token
{
    "access_token": "30bf2637-4e41-4891-a0c0-ffeb8b50ed7a",
    "token_type": "bearer",
    "expires_in": 43199,
    "scope": "read_userinfo"
}

  • Using token to access restricted interfaces

2. Certification process analysis

Take the example of logging into Netease music with wechat account, and follow the steps below:

2.1 registration information of Netease on wechat

If the Netease platform wants to obtain the information of wechat users, wechat will require to register an application on its platform first, indicate the permissions to obtain user information when applying, and fill in your website domain name when applying. Wechat is only allowed to obtain user information in this domain name.

After passing the audit, you will get:

  • Client Id
  • Client Secret

Wechat - website application development

2.2 negotiation between users and wechat

When the user enters Netease, click the wechat login button, and Netease will give the Client Id issued by wechat to the user,
Let him enter the wechat authorization interface:

If the user agrees, after clicking confirm authorization on the authorization page, the page will jump to the pre-set authorization page of Netease
redirect_uri with an authorization code

2.3 Netease access to wechat

Netease has obtained the authorization code, but this code can only indicate that the user allows Netease to obtain the user's data from wechat. If other platforms use this code to access the user's data on wechat, it will be rejected, because any platform can hold the code, and wechat does not know who the code holder is.

At this time, Netease uses the code authorized by the user and Netease's client_id,client_secret goes to visit wechat and gets the final access_token.

2.4 users start listening to music on Netease with wechat account

Netease has access_token, through the API provided by wechat, you can access the user's information and obtain the user's permissions, which are limited by scope.

reference resources: https://blog.csdn.net/qq_40437152/article/details/84303104

Topics: Spring Boot security