Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

/auth/login登录接口与/oauth2/authorize认证接口没有明显的关联关系 #3

Open
fankuneee opened this issue Mar 30, 2023 · 1 comment
Open

/auth/login登录接口与/oauth2/authorize认证接口没有明显的关联关系 #3

fankuneee opened this issue Mar 30, 2023 · 1 comment

Comments

@fankuneee
Copy link

/auth/login登录接口与/oauth2/authorize认证接口没有明显的关联关系

是否不登陆也可以直接访问/oauth2/authorize,然后获取code,再获取token
@qjyn1314
Copy link
Owner

这个问题的关键在于, oauth2.1(OAuth2AuthorizationServer)是如何获取当前登录用户信息的?

SpringSecurity 通过session会话, 将当前登录用户的信息设置到 SecurityContext中.

流程: 在登录成功之后, 进行的是用户 手动授权或者自动授权 自己的信息给到第三方.

本项目使用的是 自动授权. 也可以在登录成功的授权页面中添加按钮等操作, 用户同意之后, 再次拿着临时code进行获取accesstoken.

/oauth2/authorize 对应的 OAuth2AuthorizationEndpointFilter 过滤器.

1.需要将 路径中的参数进行转换,并获取当前登录用户的信息形成 OAuth2AuthorizationConsentAuthenticationToken, 此动作在 OAuth2AuthorizationConsentAuthenticationConverter中实现, 源码中 通过 SecurityContextHolder.getContext().getAuthentication();获取当前登录用户信息.

也就意味着OAuth2AuthorizationServer是通过 当前session会话 获取当前登录用户信息的.

2.AuthenticationManager 进行验证.

在本项目中的关键配置:

image

@qjyn1314 qjyn1314 pinned this issue Mar 31, 2023
@qjyn1314 qjyn1314 unpinned this issue Mar 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qjyn1314 @fankuneee