light4j:oauth
The token service is the core piece; the code service comes next. refresh-token is rarely needed, and key is not needed when services verify JWTs with the certificate configured locally in their own security.yml.
user, client and service can be left unstarted if their data is maintained by hand in the database.
  • code: issues an authorization code to a user
GET /oauth2/code?response_type=code&client_id={clientId}&redirect_uri=&username=&password=&state=&scope=&code_challenge=&code_challenge_method=
// test: the browser prompts for an account and password (default admin/123456; change it before exposing the server)
https://localhost:6881/oauth2/code?response_type=code&client_id=f7d42348-c647-4efb-a52d-4c5787421e72&redirect_uri=http://localhost:8080/authorization
// the server then redirects back to the client with the code:
http://localhost:8080/authorization?code=-SCI2fzDSmeDlNNWteIeqw

POST /oauth2/code
Content-Type: application/x-www-form-urlencoded
j_username={username}&j_password={password}&response_type=code&client_id={clientId}&redirect_uri=&state=&scope=&code_challenge=&code_challenge_method=

1. Look up cache.clients.{clientId}; code = Util.getUUID(); store cache.codes.{code} = {userId, scope, redirectUri}; the user is authenticated against cache.users.{username}
2. userId = exchange.getSecurityContext().getAuthenticatedAccount().getPrincipal().getName(), i.e. the username
Responds 302 to redirect_uri?code=uuid&state= (the client must compare the returned state with the value it sent before exchanging the code)
  • token: issues a token to a client or a user
POST /oauth2/token
Authorization: Basic base64(clientId:clientSecret) // client_id and client_secret may also be sent as form fields

grant_type=authorization_code|client_credentials|password|refresh_token|client_authenticated_user
&client_id=&client_secret= // grant_type=client_credentials: must match cache.clients.{clientId} and its {clientSecret}
&code=&redirect_uri= // grant_type=authorization_code: looks up cache.codes.{code}; redirect_uri must equal the value sent in the code request
&username=&password= // grant_type=password: must match cache.users.{username} and {password}; a refresh_token is issued only when client_type=trusted
&refresh_token= // grant_type=refresh_token: looks up cache.tokens.{refresh_token}
&userId=&userType= // grant_type=client_authenticated_user: after the client is authenticated, a token is issued directly for the given userId, userType and scope (the server does not verify the user itself, so only a client that has already authenticated the user should be allowed this grant)

Response: {access_token, token_type=bearer, expires_in (10 minutes, i.e. 600 seconds)}
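The code and token flows described above, as an added example that is not light-oauth2's own code: a Python model with plain dicts standing in for the Hazelcast caches (users, clients, codes, tokens). It issues a code bound to {userId, scope, redirectUri}, exchanges it once with the redirect_uri check, authenticates the client with a constant-time secret comparison, issues a refresh_token only for a trusted client, and rotates the refresh token on use. The code_verifier check at the token endpoint (RFC 7636 S256), the PBKDF2 "iterations:salt:hash" password layout, the client secret, scope and all function names are assumptions for illustration, not the project's implementation.

```python
# Added example, not light-oauth2's own code: an in-memory model of the
# /oauth2/code and /oauth2/token behaviour described above. Dicts stand in for
# the Hazelcast caches; names, the PKCE check and the hash layout are assumptions.
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

EXPIRES_IN = 600  # access_token lifetime of 10 minutes, as on the page
CLIENT_ID = "f7d42348-c647-4efb-a52d-4c5787421e72"  # client id used on the page
REDIRECT = "http://localhost:8080/authorization"

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def s256(verifier):
    """RFC 7636: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def hash_password(password, iterations=1000):
    """Salted PBKDF2 stored as 'iterations:salt:hash' (assumed layout; the real
    HashUtil.generateStorngPasswordHash may differ)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    return f"{iterations}:{salt.hex()}:{dk.hex()}"

def verify_password(stored, password):
    iters, salt, expected = stored.split(":")
    dk = hashlib.pbkdf2_hmac("sha1", password.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(dk.hex(), expected)  # constant-time comparison

class OAuthModel:
    def __init__(self):
        self.users, self.clients, self.codes, self.tokens = {}, {}, {}, {}

    def _issue(self, client_id, user_id, scope, with_refresh):
        tok = {"access_token": secrets.token_urlsafe(24), "token_type": "bearer",
               "expires_in": EXPIRES_IN, "scope": scope}
        if with_refresh:
            tok["refresh_token"] = secrets.token_urlsafe(24)
            self.tokens[tok["refresh_token"]] = {"clientId": client_id, "userId": user_id, "scope": scope}
        return tok

    def _check_user(self, username, password):
        user = self.users.get(username)
        if user is None or not verify_password(user["password"], password):
            raise PermissionError("invalid user credentials")

    def code(self, client_id, username, password, redirect_uri, state, code_challenge=None):
        """POST /oauth2/code: returns the 302 Location the server would send."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        self._check_user(username, password)
        code = secrets.token_urlsafe(16)  # stands in for Util.getUUID()
        self.codes[code] = {"userId": username, "scope": client["scope"],
                            "redirectUri": redirect_uri, "challenge": code_challenge}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, grant_type, client_id, client_secret, **p):
        """POST /oauth2/token for the grant types listed on the page."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret or ""):
            raise PermissionError("invalid_client")
        if grant_type == "client_credentials":
            return self._issue(client_id, None, client["scope"], False)
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)  # single use: removed on first exchange
            if entry is None or entry["redirectUri"] != p.get("redirect_uri"):
                raise PermissionError("invalid_grant")
            if entry["challenge"] and s256(p.get("code_verifier", "")) != entry["challenge"]:
                raise PermissionError("invalid_grant: code_verifier mismatch")
            return self._issue(client_id, entry["userId"], entry["scope"], False)
        if grant_type == "password":  # refresh_token only when client_type=trusted, as on the page
            self._check_user(p.get("username"), p.get("password", ""))
            return self._issue(client_id, p["username"], client["scope"], client["type"] == "trusted")
        if grant_type == "refresh_token":
            entry = self.tokens.pop(p.get("refresh_token"), None)  # rotated: old value is invalidated
            if entry is None or entry["clientId"] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry["userId"], entry["scope"], True)
        raise ValueError("unsupported_grant_type")

def build_model():
    """Constructed data: the page's admin/123456 user and one trusted client."""
    m = OAuthModel()
    m.users["admin"] = {"password": hash_password("123456"), "userType": "admin"}
    m.clients[CLIENT_ID] = {"secret": "s3cret", "type": "trusted", "scope": "read write"}
    return m

def demo():
    """End-to-end authorization_code exchange with PKCE against the model."""
    m = build_model()
    verifier = b64url(secrets.token_bytes(32))
    location = m.code(CLIENT_ID, "admin", "123456", REDIRECT, "xyz", code_challenge=s256(verifier))
    q = parse_qs(urlparse(location).query)
    if q["state"] != ["xyz"]:  # the client checks state before using the code
        raise ValueError("state mismatch")
    return m.token("authorization_code", CLIENT_ID, "s3cret",
                   code=q["code"][0], redirect_uri=REDIRECT, code_verifier=verifier)
```

Run demo() to see a bearer token with expires_in=600 and no refresh_token (the authorization_code grant does not issue one here); a second exchange of the same code, or an exchange with a different redirect_uri, raises PermissionError. Swap the dicts for a real store and the model maps directly onto the cache.* lookups listed above.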
  • user: create, read, update and delete users
GET /oauth2/user/{userId} fetches a user; DELETE removes the user
POST /oauth2/user creates a user, storing the password as a hash produced by HashUtil.generateStorngPasswordHash; PUT updates the user
{userId, userType=admin|customer|employee|partner, email, password, passwordConfirm, firstName, lastName}
POST /oauth2/password/{userId} with {userId, password, newPassword, newPasswordConfirm} changes the password
GET /oauth2/user?page=1&pageSize=10&userId= lists users whose id matches the prefix {userId}%, with the password field blanked in the response
  • client: create, read, update and delete client and client_service
GET /oauth2/client/{clientId} fetches a client; DELETE removes it
POST /oauth2/client with {ownerId, client_type, client_profile} creates a client; clientId is a generated uuid and cache.users.{ownerId} must exist; PUT updates; GET lists clients by clientName% prefix
GET /oauth2/client/{clientId}/service/{serviceId} fetches the endpoints the client may call on that service (client_service); DELETE removes the service from the client; POST submits the endpoints (existing rows are deleted, then re-inserted)
GET /oauth2/client/{clientId}/service fetches all service->endpoints mappings for the client; DELETE removes the client_service rows
  • service: create, read, update and delete service and service_endpoint
GET /oauth2/service/{serviceId} fetches a service; DELETE removes the service together with its service_endpoints
GET /oauth2/service/{serviceId}/endpoint fetches cache.serviceEndpoints.{serviceId}; DELETE removes them; POST overwrites them
GET /oauth2/service lists services by serviceId% prefix; POST creates a service (ownerId is checked); PUT updates
  • cache: the database is the store and Hazelcast is the cache, with maps users, clients, services, serviceEndpoints, codes and tokens
create table user_profile (
  user_id varchar PRIMARY KEY,
  user_type varchar,  -- admin, customer, employee, partner
  first_name varchar,
  last_name varchar,
  email varchar,
  password varchar
);
create table client (
  client_id VARCHAR PRIMARY KEY,
  client_secret VARCHAR,
  client_type VARCHAR,  -- public, confidential, trusted
  client_profile VARCHAR, -- server, mobile, service, batch, browser
  client_name VARCHAR,
  client_desc VARCHAR,
  scope VARCHAR,
  custom_claim VARCHAR,   -- custom claim(s) in json format that will be included in the jwt token
  redirect_uri VARCHAR,
  authenticate_class VARCHAR,
  owner_id VARCHAR
);
create table service (
  service_id VARCHAR PRIMARY KEY,
  service_type VARCHAR,  -- swagger, openapi, graphql, hybrid
  service_name VARCHAR,
  service_desc VARCHAR,
  scope VARCHAR,
  owner_id VARCHAR
);
create table service_endpoint (
  service_id VARCHAR,
  endpoint VARCHAR,  -- different framework will have different endpoint format.
  operation VARCHAR,
  scope VARCHAR,
  PRIMARY KEY (service_id, endpoint),
  FOREIGN KEY (service_id) REFERENCES service(service_id)
);
create table client_service (
  client_id VARCHAR NOT NULL,
  service_id VARCHAR NOT NULL,
  endpoint VARCHAR NOT NULL,  -- different framework will have different endpoint format.
  PRIMARY KEY (client_id, service_id, endpoint),
  FOREIGN KEY (service_id, endpoint) REFERENCES service_endpoint(service_id, endpoint),
  FOREIGN KEY (client_id) REFERENCES client(client_id)
);
  • refresh-token
GET /oauth2/refresh_token/{refreshToken} looks up the token record by refresh token
DELETE /oauth2/refresh_token/{refreshToken} revokes the refresh token
  • key
GET /oauth2/key/{keyId} returns the contents of the certificate file configured in security.yml under jwt.certificate, e.g. 100: oauth/primary.crt
  • authorize: backed by MapIdentityManager over cache.users, same logic as code; the request carries the header Authorization: Basic username:password
GET /oauth2/authorize
POST /oauth2/authorize
light4j/oauth.txt · Last modified: 2021/12/01 00:03 by admin