Setting Up and Using an OAuth2 Service with Spring Security

1. Background

(1). Terminology

  • Resource Server

    • Stores user data and exposes HTTP services that return that data to authenticated clients.
    • Decides whether the resource a user requests may be returned.
  • Authorization Server

    • Responsible for authenticating the user's identity and issuing an authorization token. The resource server accepts this token and uses it to validate the user's identity.
    • Issues tokens and validates tokens.
  • Access Token

    • A string representing an authorization issued to the client. Tokens represent specific scopes and duration of access, granted by the resource owner, and enforced by the resource server and authorization server.
    • The user requests resources by presenting the Access Token.
  • Refresh Token

    • Is issued (along with access token) to the client by the authorization server and is used to obtain a new access token when the current access token becomes invalid or expires, or to obtain additional access tokens with identical or narrower scope (access tokens may have a shorter lifetime and fewer permissions than authorized by the resource owner).
    • Issuing a refresh token is optional at the discretion of the authorization server.
    • When an access token expires, developers can use an optional refresh token to request a new access token without having to ask the user to enter their credentials again.
    • After the Access Token expires, the user uses the Refresh Token to request a new Access Token.

(2). Workflow

  • The user logs in to the Authentication Server with user/password.

  • The Authentication Server verifies the username and password. If they are correct, it returns an Access Token and a Refresh Token.

  • The user sends the Access Token to the Resource Server to request a resource.

  • The Resource Server communicates with the Authentication Server to validate the Access Token (internally).

  • The Authentication Server responds with whether the Access Token is valid (internally).

  • If the Access Token is valid, the Resource Server returns the requested resource.

  • If the Access Token is invalid, the Resource Server denies access to the requested resource.
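The seven steps above, simulated end to end as an added example (not code from the original page or from Spring Security): an in-memory authorization server that issues a token pair on a correct user/password, a resource server that asks it to validate each presented access token before returning data, plus expiry and single-use refresh. The user store, TTLs and the `now` parameter (injected so expiry can be exercised deterministically) are assumptions of this example.

```python
import secrets
import time

class AuthorizationServer:
    """Issues access/refresh tokens and validates access tokens on request."""
    def __init__(self, users, access_ttl=3600, refresh_ttl=86400):
        self.users = users  # constructed in-memory user store; real servers store password hashes
        self.access_ttl, self.refresh_ttl = access_ttl, refresh_ttl
        self.access, self.refresh = {}, {}  # token -> (username, expiry timestamp)

    def _issue(self, user, now):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, now + self.access_ttl)
        self.refresh[refresh] = (user, now + self.refresh_ttl)
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer", "expires_in": self.access_ttl}

    def login(self, user, password, now=None):
        """Steps 1-2: user presents user/password; a token pair is returned only on success."""
        now = time.time() if now is None else now
        if not secrets.compare_digest(self.users.get(user, ""), password):
            return None
        return self._issue(user, now)

    def refresh_token(self, token, now=None):
        """Trade an unexpired refresh token for a new pair; the refresh token is single-use."""
        now = time.time() if now is None else now
        entry = self.refresh.pop(token, None)
        if entry is None or entry[1] <= now:
            return None
        return self._issue(entry[0], now)

    def introspect(self, token, now=None):
        """Steps 4-5: tell the resource server whether an access token is valid."""
        now = time.time() if now is None else now
        entry = self.access.get(token)
        if entry is None or entry[1] <= now:
            return {"active": False}
        return {"active": True, "username": entry[0]}

class ResourceServer:
    """Holds user data and serves it only for access tokens the authorization server accepts."""
    def __init__(self, auth_server, data):
        self.auth, self.data = auth_server, data

    def get_resource(self, access_token, now=None):
        """Steps 3, 6-7: validate the presented token, then return or refuse the resource."""
        info = self.auth.introspect(access_token, now)
        if not info["active"]:
            return 401, {"error": "invalid_token"}
        return 200, self.data.get(info["username"], {})
```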



Last updated: 7/28/2019, 9:28:43 PM