2. 技术
    3. Spring Security oAuth2 基于内存存储令牌

    Spring Security oAuth2 基于内存存储令牌

    技术2026-04-19  11

    基于内存存储令牌

    概述

    操作流程

    配置认证服务器 配置客户端信息:ClientDetailsServiceConfigurer inMemory:内存配置withClient:客户端标识secret:客户端安全码authorizedGrantTypes:客户端授权类型scopes:客户端授权范围redirectUris:注册回调地址 配置 Web 安全通过 GET 请求访问认证服务器获取授权码 端点:/oauth/authorize 通过 POST 请求利用授权码访问认证服务器获取令牌 端点:/oauth/token

    默认的端点 URL

    /oauth/authorize:授权端点/oauth/token:令牌端点/oauth/confirm_access:用户确认授权提交端点/oauth/error:授权服务错误信息端点/oauth/check_token:用于资源服务访问的令牌解析端点/oauth/token_key:提供公有密匙的端点,如果你使用 JWT 令牌的话

    服务器安全配置

    创建一个类继承 WebSecurityConfigurerAdapter 并添加相关注解:

    @Configuration@EnableWebSecurity@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true):全局方法拦截 package com.shane.spring.security.oauth2.server.configure; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; @Configuration @EnableWebSecurity @EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true, jsr250Enabled = true) public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Bean public BCryptPasswordEncoder passwordEncoder() { // 配置默认的加密方式 return new BCryptPasswordEncoder(); } @Override protected void configure(AuthenticationManagerBuilder auth) throws Exception { // 在内存中创建用户 auth.inMemoryAuthentication() .withUser("user").password(passwordEncoder().encode("123456")).roles("USER") .and() .withUser("admin").password(passwordEncoder().encode("admin888")).roles("ADMIN"); } }

    配置认证服务器

    创建一个类继承 AuthorizationServerConfigurerAdapter 并添加相关注解:

    @Configuration@EnableAuthorizationServer package com.shane.spring.security.oauth2.server.configure; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer; import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter; import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer; @Configuration @EnableAuthorizationServer public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { @Autowired private BCryptPasswordEncoder passwordEncoder; @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { // 配置客户端 clients // 使用内存设置 .inMemory() // client_id .withClient("client") // client_secret .secret(passwordEncoder.encode("secret")) // 授权类型 .authorizedGrantTypes("authorization_code") // 授权范围 .scopes("app") // 注册回调地址 .redirectUris("https://www.baidu.com"); } }

    application.yml

    spring: application: name: oauth2-server server: port: 8080

    访问获取授权码

    通过浏览器访问 http://localhost:8080/oauth/authorize?client_id=client&response_type=code 第一次访问会跳转到登录页面

    验证成功后会询问用户是否授权客户端

    选择授权后会跳转到百度,浏览器地址上还会包含一个授权码(code=1JuO6V),浏览器地址栏会显示如下地址: https://www.baidu.com/?code=1JuO6V

    向服务器申请令牌

    通过 CURL 或是 Postman 请求 curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'grant_type=authorization_code&code=1JuO6V' "http://client:secret@localhost:8080/oauth/token"

    得到响应结果如下 { "access_token": "016d8d4a-dd6e-4493-b590-5f072923c413", "token_type": "bearer", "expires_in": 43199, "scope": "app" }
    Processed: 0.011, SQL: 9