✨ Spring OAuth2

Author: twelvet-s

twelvet-auth/src/main/java/com/twelvet/auth/config/AuthorizationServerConfiguration.java

@@ -88,9 +88,21 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 
 		DefaultSecurityFilterChain securityFilterChain = http.authorizeHttpRequests(authorizeRequests -> {
 			// 自定义接口、端点暴露
-			authorizeRequests
-				.requestMatchers("/api/token/*", "/token/**", "/actuator/**", "/assets/**", "/error", "/v3/api-docs",
-						"/login/oauth2/**")
+			authorizeRequests.requestMatchers(
+					// Swagger
+					"/v3/api-docs",
+					// 监控
+					"/actuator/**",
+					// 资源
+					"/assets/**",
+					// 错误信息
+					"/error",
+					// OAuth2
+					"/token/**",
+					// 第三方授权OAuth2
+					"/login/oauth2/**",
+					// api相关，token管理
+					"/api/token/*")
 				.permitAll();
 			authorizeRequests.anyRequest().authenticated();
 		}).build();

twelvet-auth/src/main/java/com/twelvet/auth/controller/Oauth2AuthController.java

@@ -11,10 +11,7 @@
 import io.swagger.v3.oas.annotations.tags.Tag;
 import me.zhyd.oauth.model.AuthCallback;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.bind.annotation.*;
 
 /**
  * <p>
@@ -23,7 +20,6 @@
  *
  * @since 2025/1/16
  */
-@AuthIgnore(value = false)
 @Tag(description = "Oauth2AuthController", name = "OAuth2登录优化管理")
 @RestController
 @RequestMapping("/login/oauth2")
@@ -34,18 +30,12 @@ public class Oauth2AuthController extends TWTController {
 
 	/**
 	 * 获取登录地址
-	 * @return
+	 * @return String
 	 */
 	@Operation(summary = "获取登录地址")
 	@GetMapping("/{oauthCode}")
 	public JsonResult<String> getAuthorize(@PathVariable String oauthCode) {
 		return JsonResult.success(oauthCode, oauth2AuthService.getAuthorize(oauthCode));
 	}
 
-	@Operation(summary = "测试回调")
-	@GetMapping("/code/{oauthCode}")
-	public JsonResult<AuthCallback> login(@PathVariable String oauthCode, AuthCallback callback) {
-		return JsonResult.success(callback);
-	}
-
 }

twelvet-auth/src/main/java/com/twelvet/auth/controller/TWTTokenEndpoint.java

@@ -13,7 +13,9 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.servlet.http.HttpServletResponse;
+import org.checkerframework.checker.units.qual.A;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.cache.Cache;
 import org.springframework.cache.CacheManager;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.http.HttpHeaders;
@@ -39,10 +41,7 @@
 import org.springframework.web.servlet.ModelAndView;
 
 import java.security.Principal;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
 
 /**
  * @author twelvet
@@ -169,6 +168,9 @@ public void checkToken(String token, HttpServletResponse response) {
 	@DeleteMapping("/{token}")
 	public AjaxResult removeToken(@PathVariable("token") String token) {
 		OAuth2Authorization authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+		if (Objects.isNull(authorization)) {
+			return AjaxResult.success();
+		}
 		OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
 		if (accessToken == null || StrUtil.isBlank(accessToken.getToken().getTokenValue())) {
 			return AjaxResult.success();
@@ -179,8 +181,12 @@ public AjaxResult removeToken(@PathVariable("token") String token) {
 		 * https://docs.spring.io/spring-framework/docs/6.1.x/javadoc-api/org/
 		 * springframework/cache/Cache.html
 		 */
-		cacheManager.getCache(CacheConstants.USER_DETAILS).evictIfPresent(authorization.getPrincipalName());
-		// 清空access token
+		Cache cache = cacheManager.getCache(CacheConstants.USER_DETAILS);
+		if (Objects.isNull(cache)) {
+			return AjaxResult.success();
+		}
+		cache.evictIfPresent(authorization.getPrincipalName());
+		// 清空access token，会连带refresh token一起清空
 		authorizationService.remove(authorization);
 		// 处理自定义退出事件，保存相关日志
 		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

twelvet-auth/src/main/java/com/twelvet/auth/controller/api/TokenEndpointApi.java

@@ -15,6 +15,7 @@
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.cache.Cache;
 import org.springframework.cache.CacheManager;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.security.authentication.event.LogoutSuccessEvent;
@@ -29,6 +30,7 @@
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
+import java.util.Objects;
 import java.util.Set;
 import java.util.stream.Collectors;
 
@@ -58,10 +60,12 @@ public class TokenEndpointApi {
 	 * @return R<Void>
 	 */
 	@Operation(summary = "删除token")
-	@AuthIgnore
 	@DeleteMapping("/{token}")
 	public R<Void> removeToken(@PathVariable("token") String token) {
 		OAuth2Authorization authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+		if (Objects.isNull(authorization)) {
+			return R.ok();
+		}
 		OAuth2Authorization.Token<OAuth2AccessToken> accessToken = authorization.getAccessToken();
 		if (accessToken == null || StrUtil.isBlank(accessToken.getToken().getTokenValue())) {
 			return R.ok();
@@ -72,7 +76,11 @@ public R<Void> removeToken(@PathVariable("token") String token) {
 		 * https://docs.spring.io/spring-framework/docs/6.1.x/javadoc-api/org/
 		 * springframework/cache/Cache.html
 		 */
-		cacheManager.getCache(CacheConstants.USER_DETAILS).evictIfPresent(authorization.getPrincipalName());
+		Cache cache = cacheManager.getCache(CacheConstants.USER_DETAILS);
+		if (Objects.isNull(cache)) {
+			return R.ok();
+		}
+		cache.evictIfPresent(authorization.getPrincipalName());
 		// 清空access token
 		authorizationService.remove(authorization);
 		// 处理自定义退出事件，保存相关日志
@@ -88,7 +96,6 @@ public R<Void> removeToken(@PathVariable("token") String token) {
 	 * @return R<TableDataInfo>
 	 */
 	@Operation(summary = "分页token 信息")
-	@AuthIgnore
 	@GetMapping("/pageQuery")
 	public R<TableDataInfo<TokenVo>> tokenList(TokenDTO tokenDTO) {
 		String username = tokenDTO.getUsername();

twelvet/twelvet-framework/twelvet-framework-redis/src/main/java/com/twelvet/framework/redis/service/constants/CacheConstants.java

@@ -7,10 +7,15 @@
  */
 public interface CacheConstants {
 
+	/**
+	 * 授权安全token前缀
+	 */
+	String AUTHORIZATION = "twelvet_token";
+
 	/**
 	 * oauth 缓存前缀
 	 */
-	String PROJECT_OAUTH_ACCESS = "token::access_token";
+	String PROJECT_OAUTH_ACCESS = AUTHORIZATION + "::access_token";
 
 	/**
 	 * oauth 客户端信息

twelvet/twelvet-framework/twelvet-framework-security/src/main/java/com/twelvet/framework/security/constants/Oauth2ClientEnums.java

@@ -1,5 +1,7 @@
 package com.twelvet.framework.security.constants;
 
+import java.util.Arrays;
+
 /**
  * <p>
  * OAuth2客户端
@@ -36,4 +38,16 @@ public String getDescription() {
 		return description;
 	}
 
+	/**
+	 * 通过clientId获取枚举信息
+	 * @param clientId clientId
+	 * @return Oauth2ClientEnums
+	 */
+	public static Oauth2ClientEnums getByClientId(String clientId) {
+		return Arrays.stream(Oauth2ClientEnums.values())
+			.filter(oauth2ClientEnums -> oauth2ClientEnums.getClientId().equals(clientId))
+			.findFirst()
+			.orElse(null);
+	}
+
 }

twelvet/twelvet-framework/twelvet-framework-security/src/main/java/com/twelvet/framework/security/support/base/OAuth2ResourceOwnerBaseAuthenticationProvider.java

@@ -124,6 +124,9 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				resouceOwnerBaseAuthenticationScopes);
 
 		RegisteredClient registeredClient = clientPrincipal.getRegisteredClient();
+		if (Objects.isNull(registeredClient)) {
+			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
+		}
 		checkClient(registeredClient);
 
 		Set<String> authorizedScopes;
@@ -171,23 +174,20 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			 * .authenticate(authenticationToken);
 			 */
 
-			AuthorizationGrantType authorizationGrantType = new AuthorizationGrantType(
-					Oauth2GrantEnums.PASSWORD.getGrant());
-
 			// @formatter:off
 			DefaultOAuth2TokenContext.Builder tokenContextBuilder = DefaultOAuth2TokenContext.builder()
 					.registeredClient(registeredClient)
 					.principal(authenticationToken)
 					.authorizationServerContext(AuthorizationServerContextHolder.getContext())
 					.authorizedScopes(authorizedScopes)
-					.authorizationGrantType(authorizationGrantType)
+					.authorizationGrantType(resouceOwnerBaseAuthenticationScopes.getAuthorizationGrantType())
 					.authorizationGrant(resouceOwnerBaseAuthenticationScopes);
 			// @formatter:on
 
 			OAuth2Authorization.Builder authorizationBuilder = OAuth2Authorization
 				.withRegisteredClient(registeredClient)
 				.principalName(authenticationToken.getName())
-				.authorizationGrantType(authorizationGrantType)
+				.authorizationGrantType(resouceOwnerBaseAuthenticationScopes.getAuthorizationGrantType())
 				// 0.4.0 新增的方法
 				.authorizedScopes(authorizedScopes);
 

twelvet/twelvet-framework/twelvet-framework-security/src/main/java/com/twelvet/framework/security/support/grant/oauth2/github/OAuth2ResourceOwnerGiHubAuthenticationProvider.java

@@ -124,7 +124,7 @@ public boolean supports(Class<?> authentication) {
 	public void checkClient(RegisteredClient registeredClient) {
 		assert registeredClient != null;
 		if (!registeredClient.getAuthorizationGrantTypes()
-			.contains(new AuthorizationGrantType(Oauth2GrantEnums.PASSWORD.getGrant()))) {
+			.contains(new AuthorizationGrantType(Oauth2GrantEnums.GITHUB.getGrant()))) {
 			throw new OAuth2AuthenticationException(OAuth2ErrorCodes.UNAUTHORIZED_CLIENT);
 		}
 	}

twelvet/twelvet-framework/twelvet-framework-security/src/main/java/com/twelvet/framework/security/support/service/impl/TWTRedisOAuth2AuthorizationService.java

@@ -1,5 +1,8 @@
 package com.twelvet.framework.security.support.service.impl;
 
+import com.twelvet.framework.redis.service.constants.CacheConstants;
+import com.twelvet.framework.security.constants.Oauth2ClientEnums;
+import com.twelvet.framework.security.utils.SecurityUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.data.redis.serializer.RedisSerializer;
@@ -16,6 +19,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 
@@ -28,8 +32,6 @@ public class TWTRedisOAuth2AuthorizationService implements OAuth2AuthorizationSe
 
 	private final static Long TIMEOUT = 10L;
 
-	private static final String AUTHORIZATION = "token";
-
 	@Autowired
 	private RedisTemplate<String, Object> redisTemplate;
 
@@ -47,8 +49,8 @@ public void save(OAuth2Authorization authorization) {
 		if (isCode(authorization)) {
 			OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = authorization
 				.getToken(OAuth2AuthorizationCode.class);
-			OAuth2AuthorizationCode authorizationCodeToken = authorizationCode.getToken();
-			long between = ChronoUnit.MINUTES.between(authorizationCodeToken.getIssuedAt(),
+			OAuth2AuthorizationCode authorizationCodeToken = Objects.requireNonNull(authorizationCode).getToken();
+			long between = ChronoUnit.MINUTES.between(Objects.requireNonNull(authorizationCodeToken.getIssuedAt()),
 					authorizationCodeToken.getExpiresAt());
 			redisTemplate.setValueSerializer(RedisSerializer.java());
 			redisTemplate.opsForValue()
@@ -57,18 +59,22 @@ public void save(OAuth2Authorization authorization) {
 		}
 
 		if (isRefreshToken(authorization)) {
-			OAuth2RefreshToken refreshToken = authorization.getRefreshToken().getToken();
-			long between = ChronoUnit.SECONDS.between(refreshToken.getIssuedAt(), refreshToken.getExpiresAt());
+			OAuth2RefreshToken refreshToken = Objects.requireNonNull(authorization.getRefreshToken()).getToken();
+			long between = ChronoUnit.SECONDS.between(Objects.requireNonNull(refreshToken.getIssuedAt()),
+					refreshToken.getExpiresAt());
 			redisTemplate.setValueSerializer(RedisSerializer.java());
 			redisTemplate.opsForValue()
 				.set(buildKey(OAuth2ParameterNames.REFRESH_TOKEN, refreshToken.getTokenValue()), authorization, between,
 						TimeUnit.SECONDS);
 		}
 
-		if (isAccessToken(authorization)) {
+		if (isAccessToken(authorization)) { // 只处理accessToken的id搜索能力
 			OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
-			long between = ChronoUnit.SECONDS.between(accessToken.getIssuedAt(), accessToken.getExpiresAt());
+			long between = ChronoUnit.SECONDS.between(Objects.requireNonNull(accessToken.getIssuedAt()),
+					accessToken.getExpiresAt());
 			redisTemplate.setValueSerializer(RedisSerializer.java());
+
+			// 储存用户token
 			redisTemplate.opsForValue()
 				.set(buildKey(OAuth2ParameterNames.ACCESS_TOKEN, accessToken.getTokenValue()), authorization, between,
 						TimeUnit.SECONDS);
@@ -88,22 +94,27 @@ public void remove(OAuth2Authorization authorization) {
 		if (isCode(authorization)) {
 			OAuth2Authorization.Token<OAuth2AuthorizationCode> authorizationCode = authorization
 				.getToken(OAuth2AuthorizationCode.class);
-			OAuth2AuthorizationCode authorizationCodeToken = authorizationCode.getToken();
+			OAuth2AuthorizationCode authorizationCodeToken = Objects.requireNonNull(authorizationCode).getToken();
 			keys.add(buildKey(OAuth2ParameterNames.CODE, authorizationCodeToken.getTokenValue()));
 		}
 
 		if (isRefreshToken(authorization)) {
-			OAuth2RefreshToken refreshToken = authorization.getRefreshToken().getToken();
+			OAuth2RefreshToken refreshToken = Objects.requireNonNull(authorization.getRefreshToken()).getToken();
 			keys.add(buildKey(OAuth2ParameterNames.REFRESH_TOKEN, refreshToken.getTokenValue()));
 		}
 
-		if (isAccessToken(authorization)) {
+		if (isAccessToken(authorization)) { // 只处理accessToken的id搜索能力
 			OAuth2AccessToken accessToken = authorization.getAccessToken().getToken();
 			keys.add(buildKey(OAuth2ParameterNames.ACCESS_TOKEN, accessToken.getTokenValue()));
 		}
 		redisTemplate.delete(keys);
 	}
 
+	/**
+	 * 通过ID查询Token
+	 * @param id the authorization identifier
+	 * @return OAuth2Authorization
+	 */
 	@Override
 	@Nullable
 	public OAuth2Authorization findById(String id) {
@@ -120,7 +131,7 @@ public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType t
 	}
 
 	private String buildKey(String type, String id) {
-		return String.format("%s::%s::%s", AUTHORIZATION, type, id);
+		return String.format("%s::%s::%s", CacheConstants.AUTHORIZATION, type, id);
 	}
 
 	private static boolean isState(OAuth2Authorization authorization) {