OAuth
;oauth access token and refresh token
oauth_refresh_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_access_token:org.springframework.security.oauth2.provider.token.store.JdbcTokenStore
oauth_approvals:org.springframework.security.oauth2.provider.approval.JdbcApprovalStore
;
;oauth client authentication and authorization
oauth_client_details:org.springframework.security.oauth2.provider.client.JdbcClientDetailsService
oauth_client_token:org.springframework.security.oauth2.client.token.JdbcClientTokenServices
oauth_code:org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices
-- Registered OAuth2 clients, as read by JdbcClientDetailsService.
-- Type shorthand used in the column notes: V(n) = VARCHAR(n), INT = INTEGER,
-- PKC = primary key, NNC = NOT NULL.
SELECT
    ocd.client_id,               -- V(256) PKC
    ocd.resource_ids,            -- V(256)
    ocd.client_secret,           -- V(256) NNC; matched through the server's PasswordEncoder, so it must be stored encoded, never in clear text
    ocd.scope,                   -- V(256)
    ocd.authorized_grant_types,  -- V(256)
    ocd.web_server_redirect_uri, -- V(256); exact-match allow-list for redirect_uri on the authorize endpoint
    ocd.authorities,             -- V(256)
    ocd.access_token_validity,   -- INT
    ocd.refresh_token_validity,  -- INT
    ocd.additional_information,  -- V(4000)
    ocd.autoapprove              -- V(256)
FROM oauth_client_details AS ocd;
-- Refresh tokens persisted by JdbcTokenStore. token and authentication are binary (B)
-- columns; the store presumably keeps the Java-serialized token and authentication
-- objects there, so rows in this table are long-lived credentials and should be
-- handled (and logged) with the same care as the client secrets.
SELECT
    ort.token_id,        -- V(256)
    ort.token,           -- B
    ort.authentication   -- B
FROM oauth_refresh_token AS ort;
|
-- Tokens this application holds in its role as an OAuth2 *client* (not tokens it issued),
-- kept by JdbcClientTokenServices and keyed by authentication_id (PKC).
SELECT
    oct.token_id,           -- V(256)
    oct.token,              -- B
    oct.authentication_id,  -- V(256) PKC
    oct.user_name,          -- V(256)
    oct.client_id           -- V(256)
FROM oauth_client_token AS oct;
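-- Outstanding authorization codes, as stored by JdbcAuthorizationCodeServices.
-- NOTE(review): the original fragment opened with CREATE TABLE but carried no column
-- types and ended in FROM oauth_code; it is a read like its sibling statements, so it
-- is restored as a SELECT. Codes are presumably single-use (the service removes the
-- row when the code is redeemed), so a row here is a live, unredeemed grant.
SELECT
    oc.code,            -- V(256)
    oc.authentication   -- B
FROM oauth_code AS oc;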
|
-- Access tokens persisted by JdbcTokenStore. token and authentication are binary (B);
-- refresh_token presumably holds the key of the matching oauth_refresh_token row
-- (both are V(256)), which is how a refresh invalidates the old access token.
SELECT
    oat.token_id,           -- V(256)
    oat.token,              -- B
    oat.authentication_id,  -- V(256)
    oat.user_name,          -- V(256)
    oat.client_id,          -- V(256)
    oat.authentication,     -- B
    oat.refresh_token       -- V(256)
FROM oauth_access_token AS oat;
-- User consent decisions kept by JdbcApprovalStore: one row per (userid, clientid, scope).
-- status is V(10) (presumably the APPROVED/DENIED values of the Spring approval model);
-- expiresat and lastmodifiedat are timestamps (T). This read does not filter on
-- expiresat, so a consumer must treat rows past that instant as no longer granting consent.
SELECT
    oa.userid,          -- V(256)
    oa.clientid,        -- V(256)
    oa.scope,           -- V(256)
    oa.status,          -- V(10)
    oa.expiresat,       -- T
    oa.lastmodifiedat   -- T
FROM oauth_approvals AS oa;
|
Grant Types
Authorization Code;http://api.chorke.org/auth/oauth/callback/google
;http://api.chorke.org/auth/oauth/authorize
;http://api.chorke.org/auth/oauth/token
grant_type : authorization_code
client_id :
client_secret :
scope : read write
state :
Client Credentials;http://api.chorke.org/auth/oauth/token
grant_type : client_credentials
client_id :
client_secret :
scope : read write
Device Code;http://api.chorke.org/auth/oauth/device
grant_type : device_code
client_id :
code :
|
Password Credentials;http://api.chorke.org/auth/oauth/token
grant_type : password
username :
password :
client_id :
client_secret :
scope : read write
;
Implicit;http://api.chorke.org/auth/oauth/callback/google
;http://api.chorke.org/auth/oauth/authorize
client_id :
scope : read write
state :
|
OAuth2 Server Config
/**
 * Authorization-server wiring backed entirely by JDBC: issued tokens, user approvals,
 * authorization codes and registered clients all live in the shared {@code dataSource}
 * (the oauth_* tables queried elsewhere in this file).
 */
@Configuration
@EnableAuthorizationServer
@Import(ServerSecurityConfig.class)
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AuthServerOAuth2Config extends AuthorizationServerConfigurerAdapter {

    /** Shared connection source; the qualifier pins the bean named "dataSource". */
    @Autowired
    @Qualifier("dataSource")
    private DataSource dataSource;

    /** Resolves resource owners for the endpoints (e.g. on token refresh). */
    @Autowired
    private UserDetailsService userDetailsService;

    /**
     * Encoder used to verify client secrets presented to the server.
     * NOTE(review): keep the field name — when more than one PasswordEncoder bean
     * exists, Spring presumably falls back to matching by this name.
     */
    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;

    /** Authenticates users at the token endpoint (used by the password grant). */
    @Autowired
    private AuthenticationManager authenticationManager;

    // ---- endpoint and client configuration -------------------------------------

    /**
     * Access rules for the auxiliary endpoints plus the encoder used for client
     * authentication.
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // /oauth/token_key is reachable anonymously. With an opaque JdbcTokenStore there is
        // no signing key to publish, so this is inert today; revisit if a JWT converter is added.
        oauthServer.tokenKeyAccess("permitAll()");
        // /oauth/check_token (introspection) requires an authenticated caller.
        oauthServer.checkTokenAccess("isAuthenticated()");
        // Secrets from oauth_client_details are compared through this encoder, so the
        // stored client_secret values must be encoded with it, never clear text.
        oauthServer.passwordEncoder(oauthClientPasswordEncoder);
    }

    /** Clients are looked up from the oauth_client_details table. */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.withClientDetails(clientDetailsService());
    }

    /** Wires the JDBC-backed stores into the token and authorize endpoints. */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .tokenStore(tokenStore())
                .authenticationManager(authenticationManager)
                .approvalStore(approvalStore())
                .userDetailsService(userDetailsService)
                .authorizationCodeServices(authorizationCodeServices());
    }

    // ---- JDBC-backed stores ----------------------------------------------------

    /** Access and refresh tokens: oauth_access_token / oauth_refresh_token. */
    @Bean
    public TokenStore tokenStore() {
        return new JdbcTokenStore(dataSource);
    }

    /** User consent records: oauth_approvals. */
    @Bean
    public ApprovalStore approvalStore() {
        return new JdbcApprovalStore(dataSource);
    }

    /**
     * Tokens this application holds as an OAuth2 client: oauth_client_token.
     * Registered as a bean but not referenced by any configure() method here.
     */
    @Bean
    public ClientTokenServices clientTokenServices() {
        return new JdbcClientTokenServices(dataSource);
    }

    /** Registered clients: oauth_client_details. */
    @Bean
    public JdbcClientDetailsService clientDetailsService() {
        return new JdbcClientDetailsService(dataSource);
    }

    /** Authorization codes for the authorization_code grant: oauth_code. */
    @Bean
    public AuthorizationCodeServices authorizationCodeServices() {
        return new JdbcAuthorizationCodeServices(dataSource);
    }

    /** Default 403 handler for the protected OAuth2 endpoints. */
    @Bean
    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
        return new OAuth2AccessDeniedHandler();
    }
}