SpringSecurity：通过OAuth2集成Github

1. 背景

近期由于新建的项目，因为涉及到前后端分离以及单点登录，综合考虑，决定采用 SpringSecurity + Oauth2.0 ,我也正好趁此机会学习下此类知识，回想起最近一次学习安全框架还是 Shiro。 SSO 基础就不说了，敢兴趣的可以自行百度或者谷歌。

因为 SpringSecurity 本身提供了 GOOGLE GITHUB FACEBOOK OKTA 的 OAuth2.0 接入支持，具体源码都在枚举类CommonOAuth2Provider 中。

public enum CommonOAuth2Provider {
    GOOGLE {
        public ClientRegistration.Builder getBuilder(String registrationId) {
            ClientRegistration.Builder builder = this.getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
            builder.scope(new String[]{"openid", "profile", "email"});
            builder.authorizationUri("https://accounts.google.com/o/oauth2/v2/auth");
            builder.tokenUri("https://www.googleapis.com/oauth2/v4/token");
            builder.jwkSetUri("https://www.googleapis.com/oauth2/v3/certs");
            builder.issuerUri("https://accounts.google.com");
            builder.userInfoUri("https://www.googleapis.com/oauth2/v3/userinfo");
            builder.userNameAttributeName("sub");
            builder.clientName("Google");
            return builder;
        }
    },
    GITHUB {
        public ClientRegistration.Builder getBuilder(String registrationId) {
            ClientRegistration.Builder builder = this.getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
            builder.scope(new String[]{"read:user"});
            builder.authorizationUri("https://github.com/login/oauth/authorize");
            builder.tokenUri("https://github.com/login/oauth/access_token");
            builder.userInfoUri("https://api.github.com/user");
            builder.userNameAttributeName("id");
            builder.clientName("GitHub");
            return builder;
        }
    },
    FACEBOOK {
        public ClientRegistration.Builder getBuilder(String registrationId) {
            ClientRegistration.Builder builder = this.getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_POST, "{baseUrl}/{action}/oauth2/code/{registrationId}");
            builder.scope(new String[]{"public_profile", "email"});
            builder.authorizationUri("https://www.facebook.com/v2.8/dialog/oauth");
            builder.tokenUri("https://graph.facebook.com/v2.8/oauth/access_token");
            builder.userInfoUri("https://graph.facebook.com/me?fields=id,name,email");
            builder.userNameAttributeName("id");
            builder.clientName("Facebook");
            return builder;
        }
    },
    OKTA {
        public ClientRegistration.Builder getBuilder(String registrationId) {
            ClientRegistration.Builder builder = this.getBuilder(registrationId, ClientAuthenticationMethod.CLIENT_SECRET_BASIC, "{baseUrl}/{action}/oauth2/code/{registrationId}");
            builder.scope(new String[]{"openid", "profile", "email"});
            builder.userNameAttributeName("sub");
            builder.clientName("Okta");
            return builder;
        }
    };

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

这里仅对 Github 单点登录作为样例，作此说明，都是在 Windows 中的开发环境。

2. Client注册登记

• 注册：在 Github 中注册一个 Client 应用，界面生成 client-id 和 client-secret 。

注册地址：https://github.com/settings/applications/new

• Homepage URL：首页 https://localhost:9006
• Authorization callback URL：授权回调地址 https://localhost:9006/login/oauth2/code/github

注册，比较简单，自行。

3. SSL证书

演示环境下必须是 HTTPS 类型，否则会不成功。详细配置参考[[Java生成SSL证书]]

如果不安装证书，会有如下情况。

4. IDEA配置

4.1. pom

<dependencies>
    <dependency>
        <groupId>org.springframework.bootgroupId>
        <artifactId>spring-boot-starter-securityartifactId>
    dependency>
    <dependency>
        <groupId>org.springframework.bootgroupId>
        <artifactId>spring-boot-starter-webartifactId>
    dependency>

    <dependency>
        <groupId>org.springframework.bootgroupId>
        <artifactId>spring-boot-starter-testartifactId>
        <scope>testscope>
    dependency>
    <dependency>
        <groupId>org.springframework.securitygroupId>
        <artifactId>spring-security-testartifactId>
        <scope>testscope>
    dependency>
    <dependency>
        <groupId>org.springframework.bootgroupId>
        <artifactId>spring-boot-starter-oauth2-clientartifactId>
    dependency>
dependencies>

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

4.2. yml

server:
  ssl:
    key-store: https.keystore
    key-store-password: 123456
    key-alias: tomcat
  port: 9006
spring:
  security:
    oauth2:
      client:
        registration:
          github:
            #对应Github账号配置的Client ID
            client-id: 08bc4fb36fxx580a57c1
            #对应Github账号配置的Client secrets
            client-secret: df677b978decxefab1c95d4e28288b86913c323

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

5. 验证Github信息

输入 Github 的账号、密码，会进入我们之前配置的 Home 页

5.1. Home主页

5.2. 查看注册信息

5.3. 查看Token

5.4. 查看用户信息