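package cc.mrbird.febs.common.security.starter.configure;

import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.TypeReference;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.autoconfigure.security.oauth2.resource.*;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.client.OAuth2RestOperations;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
import org.springframework.util.Assert;

import java.io.Serializable;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Re-implementation of {@code UserInfoTokenServices}.
 * <p>
 * Differs from {@link UserInfoTokenServices#loadAuthentication(String)} in that the userinfo response is
 * expected to carry an {@code oauth2Request} section, which is rebuilt into an {@link OAuth2Request} so the
 * resulting {@link OAuth2Authentication} keeps the original scopes, resource ids and request parameters.
 * <p>
 * Every value used here (principal, authorities, oauth2Request) is taken verbatim from the userinfo
 * response, so this is only sound when {@code userInfoEndpointUrl} points at the trusted authorization
 * server.
 *
 * @author MrBird
 */
public class FebsUserInfoTokenServices implements ResourceServerTokenServices {

    /** Key under which the userinfo endpoint (or {@link #getMap}) reports a failure. */
    private static final String ERROR_KEY = "error";

    protected final Log logger = LogFactory.getLog(this.getClass());

    private final String userInfoEndpointUrl;
    private final String clientId;

    private OAuth2RestOperations restTemplate;
    private String tokenType = "Bearer";
    private AuthoritiesExtractor authoritiesExtractor = new FixedAuthoritiesExtractor();
    private PrincipalExtractor principalExtractor = new FixedPrincipalExtractor();

    /**
     * @param userInfoEndpointUrl URL of the userinfo endpoint queried for every access token
     * @param clientId            client id used both for the fallback {@link OAuth2RestTemplate} and as
     *                            the client id of the reconstructed {@link OAuth2Request}
     */
    public FebsUserInfoTokenServices(String userInfoEndpointUrl, String clientId) {
        this.userInfoEndpointUrl = userInfoEndpointUrl;
        this.clientId = clientId;
    }

    /** Token type sent to the userinfo endpoint (default {@code Bearer}). */
    public void setTokenType(String tokenType) {
        this.tokenType = tokenType;
    }

    /** Rest operations used to call the userinfo endpoint; when unset, a template is built per call. */
    public void setRestTemplate(OAuth2RestOperations restTemplate) {
        this.restTemplate = restTemplate;
    }

    /**
     * @param authoritiesExtractor extractor applied to the userinfo response, must not be {@code null}
     * @throws IllegalArgumentException if {@code authoritiesExtractor} is {@code null}
     */
    public void setAuthoritiesExtractor(AuthoritiesExtractor authoritiesExtractor) {
        Assert.notNull(authoritiesExtractor, "AuthoritiesExtractor must not be null");
        this.authoritiesExtractor = authoritiesExtractor;
    }

    /**
     * @param principalExtractor extractor applied to the userinfo response, must not be {@code null}
     * @throws IllegalArgumentException if {@code principalExtractor} is {@code null}
     */
    public void setPrincipalExtractor(PrincipalExtractor principalExtractor) {
        Assert.notNull(principalExtractor, "PrincipalExtractor must not be null");
        this.principalExtractor = principalExtractor;
    }

    /**
     * Resolves an access token by asking the userinfo endpoint about it.
     *
     * @param accessToken the bearer token presented by the caller
     * @return the authentication rebuilt from the userinfo response
     * @throws InvalidTokenException if the endpoint could not be reached, returned an empty body, or
     *                               answered with an {@code error} entry
     */
    @Override
    public OAuth2Authentication loadAuthentication(String accessToken)
            throws AuthenticationException, InvalidTokenException {
        Map<String, Object> map = getMap(this.userInfoEndpointUrl, accessToken);
        // A response without a body is not a usable userinfo payload; report it as an invalid token
        // rather than failing with a NullPointerException on containsKey below.
        if (map == null) {
            map = Collections.singletonMap(ERROR_KEY, "empty userinfo response");
        }
        if (map.containsKey(ERROR_KEY)) {
            if (logger.isDebugEnabled()) {
                logger.debug("userinfo returned error: " + map.get(ERROR_KEY));
            }
            // The token value itself is deliberately kept out of the exception message: the message ends
            // up in error responses and logs, where a bearer token has no business being.
            throw new InvalidTokenException("userinfo endpoint rejected the access token");
        }
        return extractAuthentication(map);
    }

    /**
     * Builds the {@link OAuth2Authentication} from a successful userinfo response.
     *
     * @param map the userinfo response body
     * @return authentication whose {@link OAuth2Request} mirrors the {@code oauth2Request} section of the
     *         response and whose user token carries the whole response as details
     * @throws InvalidTokenException if the response has no {@code oauth2Request} section
     */
    private OAuth2Authentication extractAuthentication(Map<String, Object> map) {
        Object principal = getPrincipal(map);
        List<GrantedAuthority> authorities = this.authoritiesExtractor.extractAuthorities(map);

        Object rawRequest = map.get("oauth2Request");
        if (rawRequest == null) {
            // Without this section the request cannot be rebuilt; fail as an auth error, not an NPE.
            throw new InvalidTokenException("userinfo response does not contain an oauth2Request section");
        }
        // fastjson round trip: the nested value arrives as an untyped map; serialising and re-parsing it
        // gives a JSONObject with typed accessors for the individual fields.
        JSONObject oauth2Request = JSONObject.parseObject(JSONObject.toJSONString(rawRequest));

        TypeReference<Set<String>> stringSetType = new TypeReference<Set<String>>() {
        };
        Map<String, String> requestParameters = JSONObject.parseObject(
                oauth2Request.getString("requestParameters"), new TypeReference<Map<String, String>>() {
                });
        // getBooleanValue yields false when the field is absent, so a missing flag never grants approval
        boolean approved = oauth2Request.getBooleanValue("approved");
        Set<String> scope = JSONObject.parseObject(oauth2Request.getString("scope"), stringSetType);
        Set<String> resourceIds = JSONObject.parseObject(oauth2Request.getString("resourceIds"), stringSetType);
        String redirectUri = oauth2Request.getString("redirectUri");
        Set<String> responseTypes =
                JSONObject.parseObject(oauth2Request.getString("responseTypes"), stringSetType);
        Map<String, Serializable> extensions = JSONObject.parseObject(
                oauth2Request.getString("extensions"), new TypeReference<Map<String, Serializable>>() {
                });

        OAuth2Request request = new OAuth2Request(requestParameters, this.clientId, authorities, approved,
                scope, resourceIds, redirectUri, responseTypes, extensions);
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(principal, "N/A", authorities);
        token.setDetails(map);
        return new OAuth2Authentication(request, token);
    }

    /**
     * @param map the userinfo response body
     * @return the principal found by the configured {@link PrincipalExtractor}, or {@code "unknown"} when
     *         it finds none
     */
    protected Object getPrincipal(Map<String, Object> map) {
        Object principal = this.principalExtractor.extractPrincipal(map);
        return principal == null ? "unknown" : principal;
    }

    /** Not supported: tokens are opaque here and can only be resolved through the userinfo endpoint. */
    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        throw new UnsupportedOperationException("Not supported: read access token");
    }

    /**
     * Calls the userinfo endpoint with the given token.
     *
     * @param path        userinfo endpoint URL
     * @param accessToken token to present as the bearer credential
     * @return the response body, or a single-entry map keyed {@code "error"} if the call failed; may be
     *         {@code null} when the endpoint answers without a body
     */
    private Map<String, Object> getMap(String path, String accessToken) {
        if (logger.isDebugEnabled()) {
            logger.debug("Getting user info from: " + path);
        }
        try {
            OAuth2RestOperations template = this.restTemplate;
            if (template == null) {
                BaseOAuth2ProtectedResourceDetails resource = new BaseOAuth2ProtectedResourceDetails();
                resource.setClientId(this.clientId);
                template = new OAuth2RestTemplate(resource);
            }
            // Only replace the token in the client context when it differs from the one being resolved.
            OAuth2AccessToken existingToken = template.getOAuth2ClientContext().getAccessToken();
            if (existingToken == null || !accessToken.equals(existingToken.getValue())) {
                DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(accessToken);
                token.setTokenType(this.tokenType);
                template.getOAuth2ClientContext().setAccessToken(token);
            }
            @SuppressWarnings("unchecked")
            Map<String, Object> body = template.getForEntity(path, Map.class).getBody();
            return body;
        } catch (Exception e) {
            // Best effort by design: the caller turns the error entry into an InvalidTokenException.
            logger.warn("Could not fetch user details: " + e.getClass() + ", " + e.getMessage());
            return Collections.singletonMap(ERROR_KEY, "Could not fetch user details");
        }
    }
}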