主要有2个坑:
1.通过网关访问/oauth/authorize的时候,无法跳转到redirect_uri返回授权码
2.访问/oauth/token 刷新token的时候,新的token解析后用户信息丢失,用户信息变成了用户名
问题一
通过网关访问/oauth/authorize的时候,会把信息缓存到session中,跳转到登录页登录后,正常来说会从session中取出信息,然后跳转到redirect_uri,但是通过网关访问时,跳到的login登录页是授权服务的,点击登录也是直接访问的授权服务,并没有通过网关,所以需要跳转到login登录页的时候,把ip和端口都替换成网关的,具体代码如下
@TsfGatewayFilter
public class ResponseGlobalFilter extends AbstractTsfGlobalFilter {// @Value("${cors.crossOriginPath}")private String crossOriginPath = "网关地址";@Overridepublic int getOrder() {//WRITE_RESPONSE_FILTER 之前执行return NettyWriteResponseFilter.WRITE_RESPONSE_FILTER_ORDER - 1;}@Overridepublic boolean shouldFilter(ServerWebExchange exchange, GatewayFilterChain chain) {return true;}@Overridepublic Mono<Void> doFilter(ServerWebExchange exchange, GatewayFilterChain chain) {String path = exchange.getRequest().getPath().value();if (path.contains("/oauth/authorize") || path.contains("login")) {//构建响应包装类HttpResponseDecorator responseDecorator = new HttpResponseDecorator(exchange.getRequest(), exchange.getResponse(), crossOriginPath);return chain.filter(exchange.mutate().response(responseDecorator).build());}return chain.filter(exchange);}}
public class HttpResponseDecorator extends ServerHttpResponseDecorator {private String proxyUrl;private ServerHttpRequest request;/*** 构造函数** @param delegate*/public HttpResponseDecorator(ServerHttpRequest request, ServerHttpResponse delegate, String proxyUrl) {super(delegate);this.request = request;this.proxyUrl = proxyUrl;}@Overridepublic Mono<Void> writeWith(Publisher<? extends DataBuffer> body) {HttpStatus status = this.getStatusCode();if (status.equals(HttpStatus.FOUND)) {String domain = "";if (StringUtils.isBlank(proxyUrl)) {domain = request.getURI().getScheme() + "://" + request.getURI().getAuthority() + "/oauth"; //这是授权服务的服务名} else {domain = proxyUrl + "/oauth";}String location = getHeaders().getFirst("Location");
// for (int i = 0; i < 3; i++) {
// location = location.substring(location.indexOf("/") + 1);
// }String replaceLocation = location.replaceAll("^((ht|f)tps?):\\/\\/(\\d{1,3}.){3}\\d{1,3}(:\\d+)?", domain);if (location.contains("code=")) {
// getHeaders().set("Location",location );} else {getHeaders().set("Location", replaceLocation);}}this.getStatusCode();return super.writeWith(body);}
}
我这是用的腾讯的tsf服务,AbstractTsfGlobalFilter 是腾讯包里的,普通微服务需要写gateway的拦截器,或者zuul的拦截器,gateway就是implements GlobalFilter, Ordered,这样每次访问/oauth/authorize的时候会先走这个过滤器,然后把重定向地址,也就是Location,替换成网关的ip+端口+授权服务名称,这样跳到login页面的时候,就会通过网关跳转,而不是授权服务,就可以获取授权码了。
问题二
就是这个原因,所以我们需要重写extractAuthentication方法
/*** 用户认证转化器* /根据 oauth/check_token 的结果转化用户信息** @author zhuowen* @since 2019/06/21*/
@Component
public class ZWUserAuthenticationConverter extends DefaultUserAuthenticationConverter {private static final String USER_ID = "user_id";private static final String DEPT_ID = "dept_id";private static final String ROLE_ID = "role_id";private static final String NAME = "name";private static final String TENANT_ID = "tenant_id";private static final String N_A = "N/A";/*** Extract information about the user to be used in an access token (i.e. for resource servers).** @param authentication an authentication representing a user* @return a map of key values representing the unique information about the user*/@Overridepublic Map<String, ?> convertUserAuthentication(Authentication authentication) {Map<String, Object> response = new LinkedHashMap<>();response.put(USERNAME, authentication.getName());if (authentication.getAuthorities() != null && !authentication.getAuthorities().isEmpty()) {response.put(AUTHORITIES, AuthorityUtils.authorityListToSet(authentication.getAuthorities()));}return response;}/*** Inverse of {@link #convertUserAuthentication(Authentication)}. Extracts an Authentication from a map.** @param map a map of user information* @return an Authentication representing the user or null if there is none*/@Overridepublic Authentication extractAuthentication(Map<String, ?> map) {if (map.containsKey(USERNAME)) {Collection<? extends GrantedAuthority> authorities = getAuthorities(map);String username = (String) map.get(USERNAME);String name = (String) map.get(NAME);Integer userId = (Integer) map.get("userId");ZWUser zwUser = new ZWUser(userId.longValue(),username,name,"N/A",true,true,true,true,authorities);
// String userStr = (String)map.get("userInfo");
// System.out.println("userObj=========="+userStr);
// ObjectMapper objectMapper = new ObjectMapper();
// ZWUser user = objectMapper.convertValue(userObj, ZWUser.class);
// System.out.println("user=========="+user.toString());
// System.out.println(jsonObject.toJSONString());
// SysUser user = JSON.parseObject(jsonObject.toJSONString(), SysUser.class);return new UsernamePasswordAuthenticationToken(zwUser, N_A, authorities);}return null;}private Collection<? extends GrantedAuthority> getAuthorities(Map<String, ?> map) {Object authorities = map.get(AUTHORITIES);if (authorities instanceof String) {return AuthorityUtils.commaSeparatedStringToAuthorityList((String) authorities);}if (authorities instanceof Collection) {return AuthorityUtils.commaSeparatedStringToAuthorityList(StringUtils.collectionToCommaDelimitedString((Collection<?>) authorities));}throw new IllegalArgumentException("Authorities must be either a String or a Collection");}
}
重写完后,我们需要在token增强里配置一下
@Beanpublic JwtAccessTokenConverter accessTokenConverter() {JwtAccessTokenConverter accessTokenConverter = new JwtAccessTokenConverter() {/*** 重写增强token的方法* 自定义返回相应的信息**/@Overridepublic OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {// 与登录时候放进去的UserDetail实现类一直查看link{SecurityConfiguration}ZWUser userInfo = (ZWUser) authentication.getUserAuthentication().getPrincipal();/* 自定义一些token属性 ***/final Map<String, Object> additionalInformation = new HashMap<>(18);String name = userInfo.getName();Long userId = userInfo.getUser_id();additionalInformation.put("name", name);additionalInformation.put("userId", userId);((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInformation);return super.enhance(accessToken, authentication);}};accessTokenConverter.setSigningKey(SIGNING_KEY);((DefaultAccessTokenConverter) accessTokenConverter.getAccessTokenConverter()).setUserTokenConverter(zwUserAuthenticationConverter);return accessTokenConverter;}
最后一行代码accessTokenConverter.getAccessTokenConverter()).setUserTokenConverter(zwUserAuthenticationConverter);把ZWUserAuthenticationConverter 注入到token增强的类里,刷新token后,用户信息就不会丢失了