微服务架构解决方案Spring Cloud Gateway + Oauth2统一认证和鉴权

目录

鉴权架构图

一、服务列表和技术版本列表

1.服务列表

2.技术版本列表

二、核心接口和概念简介

1.Oauth2对外暴露的重要端口(RESTAPI接口)

1)申请token接口/oauth/token

2)校验token接口/oauth/check_token

3)授权接口/oauth/authorize

2.Oauth2定义的角色

三、环境搭建

1.启动Nacos注册中心

2.创建Oauth2Server工程并注册到Nacos

数据库设计

oauth_client_details

oauth_access_token

oauth_refresh_token

sys_user

1)

2)

3)配置授权服务器

4)配置资源服务器

5)配置HttpSecurity

6)集成mybatis基于数据库认证

3.整合网关gateway

1)创建一个网关服务实现请求转发到auth-server

2)

3)配置路由

4)测试网关转发请求

四、将普通微服务配置为资源服务器由网关统一转发认证

1.创建user-service

2.配置资源服务器

3.配置oauth2client统一转发请求

五、统一鉴权的四种模式验证

1.授权码模式(authorization_code)

2.简化模式(implicit)

3.密码模式(password)

4.客户端模式(client_credentials)

服务名称

说明

nacos-server

服务注册中心，提供服务发现与注册功能。

springcloud-gateway

提供网关服务，网关尽量不做鉴权相关的操作，主要将请求路由到各微服务，实现统一转发请求到授权服务器

oauth2-project

提供授权服务，通过客户端认证模式，将所有从网关转发过来的请求进行认证和授权。

user-service

用户服务，普通微服务，同时也是资源服务器，需要配置授权转发。

名称

组

版本

说明

Javaversion

11

为了支持springboot最新版本，使用java11

spring-boot-starter-parent

2.6.3

Springboot版本

spring-cloud-depencies

2021.0.1

SpringCloud版本

spring-cloud-alibaba-depencies

2021.0.1.0

SpringCloudAlibaba版本

spring-cloud-starter-gateway

3.1.1

Gateway版本

spring-cloud-starter-alibaba-nacos-discovery

2021.0.1.0

Nacos服务发现版本

spring-cloud-loadbalancer

3.1.1

新版本gateway默认不支持lb转发，因此需要添加此依赖支持与nacos转发的负载均衡

spring-cloud-starter-oauth2

2.2.4.RELEASE

oauth2安全框架

nacos-server

2.0.4

naocs注册中心

mysql-connector-java

mysql

5.1.46

提供mysql驱动和数据源

mybatis-spring-boot-starter

2.1.4

提供mybatis支持

mybatis-plus-boot-starter

3.2.0

提供mybatis-plus支持

spring-boot-starter-data-redis

2.6.3

提供redis支持

oauth2是一个能由开发者定制的安全框架，我们可以借助oauth2来完成系统应用的授权和认证，从而达到保护应用安全的目的。

oauth2框架中自了几个重要的API，我们用它前一定要熟悉以下的接口。

/oauth/token接口在里的Tokenpoint类里，该接口会以post请求方式对外提供以表单形式的认证方式，通过了就会返回带期限的token。

通过表单的形式提交,通过后会返回一个带期限的access_token，如何用客户端模式去申请token:

/oauth/check_token接口在包里的CheckTokenpoint类里，请求方式get和post都可以，可以看到需要一个token参数

校验成功后会返回客户端信息:

/oauth/authorize接口在包里的Authorizationpoint，该接口可用于授权模式的授权操作，也可用于简化模式的直接申请token。

授权服务器:给具有权限的资源拥有者对应的访问请求授权。

资源服务器:受保护的资源，可以为静态资源、接口等。

资源拥有者:具有该系统资源的拥有者，最终受益于用户。

客户端:与用户和资源、授权服务器沟通的平台，如一个web应用客户端，QQ、微信以第三方形式登录的客户端。

理解了Oauth2的概念后，我们把注册中心、授权服务器、网关搭起来。

可以参考以下文章启动nacos-server

Nacos源码系列(一)源码编译_Dream_it_possible！的博客-CSDN博客_nacos源码编译

oauth2认证client-id,client-secret,grant_type等信息需要的数据库表。

/*NavicatPremiumDataTransferSourceServer:win-localSourceServerType:MySQLSourceServerVersion:50737SourceHost:localhost:3306SourceSchema:oauth2TargetServerType:MySQLTargetServerVersion:50737FileEncoding:65001*/SETNAMESutf8mb4;SETFOREIGN_KEY_CHECKS=0;--------------------------------Tablestructureforoauth_client_details------------------------------DROPTABLEIFEXISTS`oauth_client_details`;CREATETABLE`oauth_client_details`(`client_id`varchar(128)CHARACTERSETutf8COLLATEutf8_general_ciNOTNULLCOMMENT'客户端ID',`resource_ids`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'资源ID集合，多个资源时用英文逗号分隔',`client_secret`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'客户端密匙',`scope`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'客户端申请的权限范围',`authorized_grant_types`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'客户端支持的grant_type',`web_server_redirect_uri`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'重定向URI',`authorities`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'客户端所拥有的SpringSecurity的权限值，多个用英文逗号分隔',`access_token_validity`int(11)NULLDEFAULTNULLCOMMENT'访问令牌有效时间值(单位秒)',`refresh_token_validity`int(11)NULLDEFAULTNULLCOMMENT'更新令牌有效时间值(单位秒)',`additional_information`varchar(4096)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'预留字段',`autoapprove`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'用户是否自动Approval操作',PRIMARYKEY(`client_id`)USINGBTREE)ENGINE=InnoDBCHARACTERSET=utf8COLLATE=utf8_general_ciCOMMENT='客户端信息'ROW_FORMAT=Dynamic;--------------------------------Recordsofoauth_client_details------------------------------INSERTINTO`oauth_client_details`VALUES('client-app',NULL,'$2a$10$','all','password,refresh_token,client_credentials,authorization_code,implicit','',NULL,3600,604800,NULL,'1');SETFOREIGN_KEY_CHECKS=1;

该表是存放客户端token信息的表，生成token时落库，验证时从该表里取出验证。

/*NavicatPremiumDataTransferSourceServer:win-localSourceServerType:MySQLSourceServerVersion:50737SourceHost:localhost:3306SourceSchema:oauth2TargetServerType:MySQLTargetServerVersion:50737FileEncoding:65001*/SETNAMESutf8mb4;SETFOREIGN_KEY_CHECKS=0;--------------------------------Tablestructureforoauth_access_token------------------------------DROPTABLEIFEXISTS`oauth_access_token`;CREATETABLE`oauth_access_token`(`token_id`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'MD5加密的access_token的值',`token`blobNULLCOMMENT'对象序列化后的二进制数据',`authentication_id`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNOTNULLCOMMENT'MD5加密过的username,client_id,scope',`user_name`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'登录的用户名',`client_id`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'客户端ID',`authentication`blobNULLCOMMENT'对象序列化后的二进制数据',`refresh_token`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'MD5加密后的refresh_token的值',PRIMARYKEY(`authentication_id`)USINGBTREE)ENGINE=InnoDBCHARACTERSET=utf8COLLATE=utf8_general_ciCOMMENT='访问令牌'ROW_FORMAT=Dynamic;--------------------------------Recordsofoauth_access_token------------------------------INSERTINTO`oauth_access_token`VALUES('cfd26bb25194ad1ae6fe1a2b759c7ba6',0xACED0005737200436F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744F46363657373546F6B656E0CB29E361B24FACE0200064C004696F6E616C496E666F726D6174696F6E74000F4C6A6176612F7574696C2F4D61703B4C000A65787069726174696F6E7400104C6A6176612F7574696C2F446174653B4C000C72656672657368546F6B656E74003F4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F636F6D6D6F6E2F4F4656672657368546F6B656E3B4C000573636F706574000F4C6A6176612F7574696C2F5365743B4C0009746F6B656E547970657400124C6A6176612F6C616E672F537472696E673B4C000576616C756571007E000578707372001E6A6176612E7574696C2E436F6C6C656374696F6E7324456D7074794D65ADCE7D002000078707372000E6A6176612E7574696C2E44617465686A81014B59741903000078707709CB3BD3787372004C6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744578706972696E674F4656672657368546F6B656E2FDF47639DD0C9B70200014C000A65787069726174696F6E71007E0002787200446F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744F4656672657368546F6B656E73E10E0A6354D45E0200014C000576616C756571007E000578707465383931652D343737362D346138362D623966372D63306436430347371007E0009770DA0D256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65536574801D92D18F9B80550200007872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C0001637400164C6A6176612F7574696C2F436F6C6C656374696F6E3B7870737200176A6176612E7574696C2E4C696E6B6564486D86CD75A95DD2A1E020000787200116A6176612E7574696C2E486BA44859596B8B7340300007870770C000000103F0001740003616C6C7872430393934333030612D633966632D346233382D393732392D3837616632662,'702834532a7bab38cab035bd2e8c3fee',NULL,'client-app',0xACED0005737200416F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4757468656E7469636174696F6EBD400B02166252130200024C000D73746F72656452657003C4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F4F46571756573743B4C00127573657241757468656E7469636174696F6E7400324C6F72672F737072696E676672616D65776F726B2F73656375726974792F636F72652F41757468656E7469636174696F6E3B787200476F72672E737072696E676672616D65776F726B2E73656375726974792E61757468656E7469636174696F6E2E416273747261637441757468656E7469636174696F6E546F6B656ED3AA287E6E47640E0200035A000D61757468656E746963617465644C000B617574686F7269746965737400164C6A6176612F7574696C2F436F6C6C656374696F6E3B4C000764657461696C737400124C6A6176612F6C616E672F4F626A6563743B787000737200266A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654C697374FC0F2531B5EC8E100200014C00046C6973747400104C6A6176612F7574696C2F4C6973743B7872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C00016371007E00047870737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D030007A65787000000000770871007E000C707372003A6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4657000000000000010200075A0008617070726F7665644C000B617574686F72697469657371007E00044C000A657874656E73696F6E7374000F4C6A6176612F7574696C2F4D61703B4C000B72656469726563745572697400124C6A6176612F6C616E672F537472696E673B4C00077265667265736874003B4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F546F6B656E526571756573743B4C000B7265736F7572636549647374000F4C6A6176612F7574696C2F5365743B4C000D726573706F6E7365547970657371007E0011787200386F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4267565737436287A3EA37169BD0200034C0008636C69656E74496471007E000F4C0017374506172616D657465727371007E000E4C000573636F706571007E0011787074000A636C69656E742D6256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654D6170F1A5A8FE74F507420200014C00016D71007E000E7870737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F0003770000000274000A6772616E745F74797065740012636C69656E745F63726564656E7469616C73740009636C69656E745F696474000A636C69656E742D600256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65536574801D92D18F9B80550200007871007E0009737200176A6176612E7574696C2E4C696E6B6564486D86CD75A95DD2A1E020000787200116A6176612E7574696C2E486BA44859596B8B7340300007870770C000000103F0001740003616C6C78017371007E0020770C000000103F0000787371007E00173F000077000000007870707371007E0020770C000000103F0000787371007E0020770C000000103F00007870,'1bcc81c9038d7305e2ca339a9a3732db');SETFOREIGN_KEY_CHECKS=1;

刷新token的记录表,token_id字段与oauth_access_token的refresh_token字段关联。

/*NavicatPremiumDataTransferSourceServer:win-localSourceServerType:MySQLSourceServerVersion:50737SourceHost:localhost:3306SourceSchema:oauth2TargetServerType:MySQLTargetServerVersion:50737FileEncoding:65001*/SETNAMESutf8mb4;SETFOREIGN_KEY_CHECKS=0;--------------------------------Tablestructureforoauth_refresh_token------------------------------DROPTABLEIFEXISTS`oauth_refresh_token`;CREATETABLE`oauth_refresh_token`(`token_id`varchar(256)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULLCOMMENT'MD5加密过的refresh_token的值',`token`blobNULLCOMMENT'对象序列化后的二进制数据',`authentication`blobNULLCOMMENT'对象序列化后的二进制数据')ENGINE=InnoDBCHARACTERSET=utf8COLLATE=utf8_general_ciCOMMENT='更新令牌'ROW_FORMAT=Dynamic;--------------------------------Recordsofoauth_refresh_token------------------------------INSERTINTO`oauth_refresh_token`VALUES('1bcc81c9038d7305e2ca339a9a3732db',0xACED00057372004C6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744578706972696E674F4656672657368546F6B656E2FDF47639DD0C9B70200014C000A65787069726174696F6E7400104C6A6176612F7574696C2F446174653B787200446F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744F4656672657368546F6B656E73E10E0A6354D45E0200014C000576616C75657400124C6A6176612F6C616E672F537472696E673B78707465383931652D343737362D346138362D623966372D63306436430347372000E6A6176612E7574696C2E44617465686A81014B5974190300007870770DA0D15278,0xACED0005737200416F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4757468656E7469636174696F6EBD400B02166252130200024C000D73746F72656452657003C4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F4F46571756573743B4C00127573657241757468656E7469636174696F6E7400324C6F72672F737072696E676672616D65776F726B2F73656375726974792F636F72652F41757468656E7469636174696F6E3B787200476F72672E737072696E676672616D65776F726B2E73656375726974792E61757468656E7469636174696F6E2E416273747261637441757468656E7469636174696F6E546F6B656ED3AA287E6E47640E0200035A000D61757468656E746963617465644C000B617574686F7269746965737400164C6A6176612F7574696C2F436F6C6C656374696F6E3B4C000764657461696C737400124C6A6176612F6C616E672F4F626A6563743B787000737200266A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654C697374FC0F2531B5EC8E100200014C00046C6973747400104C6A6176612F7574696C2F4C6973743B7872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C00016371007E00047870737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D030007A65787000000000770871007E000C707372003A6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4657000000000000010200075A0008617070726F7665644C000B617574686F72697469657371007E00044C000A657874656E73696F6E7374000F4C6A6176612F7574696C2F4D61703B4C000B72656469726563745572697400124C6A6176612F6C616E672F537472696E673B4C00077265667265736874003B4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F546F6B656E526571756573743B4C000B7265736F7572636549647374000F4C6A6176612F7574696C2F5365743B4C000D726573706F6E7365547970657371007E0011787200386F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4267565737436287A3EA37169BD0200034C0008636C69656E74496471007E000F4C0017374506172616D657465727371007E000E4C000573636F706571007E0011787074000A636C69656E742D6256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654D6170F1A5A8FE74F507420200014C00016D71007E000E7870737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F0003770000000274000A6772616E745F74797065740012636C69656E745F63726564656E7469616C73740009636C69656E745F696474000A636C69656E742D600256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65536574801D92D18F9B80550200007871007E0009737200176A6176612E7574696C2E4C696E6B6564486D86CD75A95DD2A1E020000787200116A6176612E7574696C2E486BA44859596B8B7340300007870770C000000103F0001740003616C6C78017371007E0020770C000000103F0000787371007E00173F000077000000007870707371007E0020770C000000103F0000787371007E0020770C000000103F00007870);INSERTINTO`oauth_refresh_token`VALUES('4c64de4ee4fe5845c6b793c58f39292b',0xACED00057372004C6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744578706972696E674F4656672657368546F6B656E2FDF47639DD0C9B70200014C000A65787069726174696F6E7400104C6A6176612F7574696C2F446174653B787200446F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E636F6D6D6F6E2E44656661756C744F4656672657368546F6B656E73E10E0A6354D45E0200014C000576616C75657400124C6A6176612F6C616E672F537472696E673B78707337666233332D366462642D343563332D623138372D3265303164623539323065307372000E6A6176612E7574696C2E44617465686A81014B5974190300007870770DC0526778,0xACED0005737200416F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4757468656E7469636174696F6EBD400B02166252130200024C000D73746F72656452657003C4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F4F46571756573743B4C00127573657241757468656E7469636174696F6E7400324C6F72672F737072696E676672616D65776F726B2F73656375726974792F636F72652F41757468656E7469636174696F6E3B787200476F72672E737072696E676672616D65776F726B2E73656375726974792E61757468656E7469636174696F6E2E416273747261637441757468656E7469636174696F6E546F6B656ED3AA287E6E47640E0200035A000D61757468656E746963617465644C000B617574686F7269746965737400164C6A6176612F7574696C2F436F6C6C656374696F6E3B4C000764657461696C737400124C6A6176612F6C616E672F4F626A6563743B787000737200266A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654C697374FC0F2531B5EC8E100200014C00046C6973747400104C6A6176612F7574696C2F4C6973743B7872002C6A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65436F6C6C656374696F6E19420080CB5EF71E0200014C00016371007E00047870737200136A6176612E7574696C2E41727261794C6973747881D21D99C7619D030007A65787000000000770871007E000C707372003A6F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4F4657000000000000010200075A0008617070726F7665644C000B617574686F72697469657371007E00044C000A657874656E73696F6E7374000F4C6A6176612F7574696C2F4D61703B4C000B72656469726563745572697400124C6A6176612F6C616E672F537472696E673B4C00077265667265736874003B4C6F72672F737072696E676672616D65776F726B2F73656375726974792F6F61757468322F70726F76696465722F546F6B656E526571756573743B4C000B7265736F7572636549647374000F4C6A6176612F7574696C2F5365743B4C000D726573706F6E7365547970657371007E0011787200386F72672E737072696E676672616D65776F726B2E73656375726974792E6F61757468322E70726F76696465722E4267565737436287A3EA37169BD0200034C0008636C69656E74496471007E000F4C0017374506172616D657465727371007E000E4C000573636F706571007E0011787074000A636C69656E742D6256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C654D6170F1A5A8FE74F507420200014C00016D71007E000E7870737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F0006770000000374000A6772616E745F747970657373776F7264740009636C69656E745F696474000A636C69656E742D6757365726E616D657E6778737200256A6176612E7574696C2E436F6C6C656374696F6E7324556E6D6F6469666961626C65536574801D92D18F9B80550200007871007E0009737200176A6176612E7574696C2E4C696E6B6564486D86CD75A95DD2A1E020000787200116A6176612E7574696C2E486BA44859596B8B7340300007870770C000000103F0001740003616C6C78017371007E0022770C000000103F0000787371007E00173F000077000000007870707371007E0022770C000000103F0000787371007E0022770C000000103F0000787372004F6F72672E737072696E676672616D65776F726B2E73656375726974792E61757468656E7469636174696F6E2E557365726E616D6550617373776F726441757468656E7469636174696F6E546F6B656E00000000000002300200024C000B63726564656E7469616C7371007E00054C00097072696E636970616C71007E00057871007E0003017371007E00077371007E000B00000000770871007E002C737200176A6176612E7574696C2E4C696E6B6564486173684D617034C04E5C106CC0FB0200015A000B6163636573734F726465727871007E00173F0006770000000474000D636C69656E745F7365637265747466686F6C7531326A6F736164662371007E001971007E001A71007E001B71007E001C71007E001D71007E001E70326F72672E737072696E676672616D65776F726B2E73656375726974792E636F72652E7573657264657461696C732E5573657200000000000002300200075A00116163636F756E744E6F6E457870697265645A00106163636F756E744E6F6E4C6F636B65645A0056E7469616C734E6F6E457870697265645A0007656E61626C65644C000B617574686F72697469657371007E00114C000870617373776F726471007E000F4C0008757365726E616D6571007E000F7870010101017371007E001F737200116A6176612E7574696C2E54726565536574DD98509395ED875B0300007870737200466F72672E737072696E676672616D65776F726B2E73656375726974792E636F72652E7573657264657461696C732E5573657224417574686F72697479436F6D70617261746F720000000000000230020000787077087071007E001E);SETFOREIGN_KEY_CHECKS=1;

系统用户表，主要包含用户信息，密码采用BCryptPasswordEncoder加密方法encode后的结果。

/*NavicatPremiumDataTransferSourceServer:win-localSourceServerType:MySQLSourceServerVersion:50737SourceHost:localhost:3306SourceSchema:oauth2TargetServerType:MySQLTargetServerVersion:50737FileEncoding:65001*/SETNAMESutf8mb4;SETFOREIGN_KEY_CHECKS=0;--------------------------------Tablestructureforsys_user------------------------------DROPTABLEIFEXISTS`sys_user`;CREATETABLE`sys_user`(`id`bigint(20)UNSIGNEDNOTNULLAUTO_INCREMENT,`user_name`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`pass_word`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`nick_name`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`sex`int(2)NULLDEFAULTNULL,`phone`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`enable`int(2)NULLDEFAULTNULL,`email`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`avatar`varchar(255)CHARACTERSETutf8COLLATEutf8_general_ciNULLDEFAULTNULL,`create_time`datetime(0)NULLDEFAULTNULL,`account_expired`tinyint(1)UNSIGNEDNULLDEFAULT0COMMENT'账号是否失效',`account_locked`tinyint(1)UNSIGNEDNULLDEFAULT0COMMENT'账号是否被锁定',PRIMARYKEY(`id`)USINGBTREE,UNIQUEINDEX`user_name`(`user_name`)USINGBTREE)ENGINE=InnoDBAUTO_INCREMENT=4CHARACTERSET=utf8COLLATE=utf8_general_ciROW_FORMAT=Compact;--------------------------------Recordsofsys_user------------------------------INSERTINTO`sys_user`VALUES(1,'admin','$2a$10$/aLAZlPQe','bingbing',1,'123',1,'123456@','','2022-04-2811:02:15',0,0);INSERTINTO`sys_user`VALUES(2,'bing','$2a$10$FgJjpqW0WihRn/aYXxh8QuO0vp2iGK268H/G8VmbF5kRXeK5b23UG','bing',1,'131',1,'','','2022-04-2818:25:32',0,0);INSERTINTO`sys_user`VALUES(3,'test01','4b15d2b3b671209e01202331881af5a6044d342dc624d29a53ed6b4402af6d61','test',1,'2312',1,'1212',NULL,NULL,0,0);SETFOREIGN_KEY_CHECKS=1;

核心依赖:spring-cloud-starter-oauth2,版本尽量选择较新的。

?xmlversion="1.0"encoding="UTF-8"?projectxmlns=""xmlns:xsi=""xsi:schemaLocation=""//groupIdartifactIdoauth2-project//version/parentartifactIdoauth2-server//versionnameoauth2-server/namedescriptionDemoprojectforSpringBoot////groupIdartifactIdspring-boot-starter-web/artifactId//groupIdartifactIdspring-boot-starter-data-jdbc/artifactId//groupIdartifactIdspring-boot-starter-actuator/artifactId/depencydepencygroupIdmysql/groupIdartifactIdmysql-connector-java//version/depency!--/groupIdartifactIdspring-boot-starter-data-redis/artifactId/depency!--整合/groupIdartifactIdmybatis-spring-boot-starter//version/depency!--mybatis-plus插件--/groupIdartifactIdmybatis-plus-boot-starter//version/depency!--集成druid连接池--/groupIdartifactIddruid-spring-boot-starter//version//groupIdartifactIdspring-boot-starter-test/artifactIdscopetest/scope/depencydepencygroupIdjunit/groupIdartifactIdjunit/artifactIdscopetest/scope//groupIdartifactIdlombok/artifactId//groupIdartifactIdspring-cloud-starter-alibaba-nacos-discovery/artifactId/depency!--/groupIdartifactIdspring-cloud-starter-oauth2//version//groupIdartifactIdgson/artifactId/depency//groupIdartifactIdspring-boot-maven-plugin/artifactId/pluginpluginartifactIdmaven-compiler-plugin/artifactIdconfigurationsource${}/sourcetarget${}/target/configuration/plugin/plugins/build/project

配置mysql数据源、nacos注册中心、redis、mybatis,注意配置,作为微服务名字注册到nacos里。

server:port:9010servlet:context-path:/spring:application:name:oauth2-server-servicedatasource:driver-class-name::jdbc:mysql://localhost:3306/oauth2?useUnicode=truecharacterEncoding=utf-8useSSL=falseserverTimezone=Asia/Shanghaiusername:rootpassword:rootcloud:nacos:discovery:server-addr:localhost:8848username:nacospassword:nacosredis:host:localhostport:6379password:redismybatismybatis:mapper-locations:-classpath:mapper/*.xml-classpath:com/**/mapper/*.xml"))//.autoApprove(true)//.redirectUris("")//.scopes("all")//.authorizedGrantTypes("password","implicit","client_credentials","authorization_code","refresh_token")//.accessTokenValiditySeconds(3600)//.refreshTokenValiditySeconds(86400);}@Overridepublicvoidconfigure(AuthorizationServerpointsConfigurerpoints)throwsException{//配置加载用户信息的服务//token落库(authenticationManager).userDetailsService(userDetailsService).tokenStore(redisTokenStore());}/***解决访问/oauth/check_token403的问题**@paramsecurity*@throwsException*/@Overridepublicvoidconfigure(AuthorizationServerSecurityConfigurersecurity)throwsException{//允许表单认证("permitAll()").checkTokenAccess("permitAll()").allowFormAuthenticationForClients();}}

auth-server-service对外提供的api也可以看做资源，同样支持授权和认证。

;;;;;/***资源服务器配置*/@Configuration@EnableResourceServerpublicclassResourceServerConfigextsResourceServerConfigurerAdapter{@Overridepublicvoidconfigure(HttpSecurityhttp)throwsException{().anyRequest().authenticated().and().requestMatchers().antMatchers("/api/**");//配置需要保护的资源路径}}

可以在WebSecurityConfigurerAdapter里configure方法里配置不需要拦截的url,比如一些登录、登出地址，默认登录页面用.formLogin()。

;;;;;;;;;/***SpringSecurity配置*/@Configuration@EnableWebSecuritypublicclassSecurityConfigextsWebSecurityConfigurerAdapter{@BeanpublicPasswordEncoderpasswordEncoder(){returnnewBCryptPasswordEncoder();}@Bean@OverridepublicAuthenticationManagerauthenticationManagerBean()throwsException{();}@Overridepublicvoidconfigure(HttpSecurityhttp)throwsException{().disable().httpBasic().and().authorizeRequests()//配置可以直接访问的页面.antMatchers("/login/**","/logout/**","/api/getCurrentUser").permitAll()//其余所有请求都要通过认证鉴权.anyRequest().authenticated().and()//配置springsecurity默认的登录页面.formLogin().permitAll();}}

当使用密码模式请求/oauth/token接口时，我们可以使用自己创建的数据库与oauth2进行集成，只需要重写UserDetailService里的loadUserByUserName(Stringusername)方法即可。

创建SecurityUser对象，使用mybatisplus插件映射到sys_user表。

;;;;;;;;;;;;;;;;;;;;/***自定义用户服务*/@ServicepublicclassCustomUserDetailServiceImplimplementsUserDetailsService{@AutowiredprivateUserServiceuserService;@OverridepublicUserDetailsloadUserByUsername(Stringusername)throwsUsernameNotFoundException{//基于数据库认证SecurityUseruserInfo=(username);if(!()){thrownewDisabledException(_DISABLED);}elseif(()){thrownewLockedException(_LOCKED);}elseif(()){thrownewAccountExpiredException(_EXPIRED);}//获取到所有的role,把role写入到simpleGrantedAuthority里。ListSimpleGrantedAuthorityauthorities=newArrayList();//Stringpassword=(());returnnewUser(username,(),authorities);}}

如果需要配置一些role,可以通过mybatis将role表里的角色添加到SimpleGrantedAuthority列表里。

上述操作如果无误后启动Auth-Server,能在nacos里发现注册成功即可。

如果还有不了解gateway的朋友，推荐抽点时间浏览一下以下的文章

Nacos源码系列(一)源码编译_Dream_it_possible！的博客-CSDN博客_nacos源码编译

本节目标是创建一个网关服务，实现请求能通过nacos转发到auth-server服务器上。

网关的作用是为了统一请求的入口，因此不建议在网关里写入大量的鉴权逻辑，新建一个springboot工程

?xmlversion="1.0"encoding="UTF-8"?projectxmlns=""xmlns:xsi=""xsi:schemaLocation=""//groupIdartifactIdspring-boot-starter-parent//versionrelativePath/!--lookupparentfromrepository--//groupIdartifactIdcloud-gateway//versionnamecloud-gateway/namedescriptionprojectforSpringBoot/////////groupIdartifactIdspring-cloud-starter-gateway/artifactId//groupIdartifactIdspring-boot-starter-data-redis-reactive/artifactId/depency!--整合断路器--/groupIdartifactIdspring-cloud-starter-netflix-hystrix//version/depency!--添加eureka客户端--!--depency--!--/groupId--!--artifactIdspring-cloud-starter-netflix-eureka-client/artifactId--!--//groupIdartifactIdspring-cloud-starter-alibaba-nacos-discovery/artifactId//groupIdartifactIdspring-boot-starter-test/artifactIdscopetest/scope/depency/d/groupIdartifactIdspring-cloud-depencies/artifactIdversion${}/versiontypepom/typescopeimport/scope//groupIdartifactIdspring-cloud-alibaba-depencies/artifactIdversion${}/versiontypepom/typescopeimport/scope/depency/depencies/depencyManagementbuildfinalNamemy-gateway/finalNameresourcesresourcedirectorysrc/main/java/directoryincludesinclude**/*.xml/include/includes/resourceresourcedirectorysrc/main/resources/directory/resource//groupIdartifactIdspring-boot-maven-plugin/artifactId//groupIdartifactIddockerfile-maven-plugin//versionexecutionsexecutionidbuild_image/idphasepackage/phasegoals!--如果package时不想用docker打包,就注释掉这个goal--goalbuild/goalgoalpush/goal/goals/execution/executionsconfigurationcontextDirectory${}/contextDirectoryuseMavenSettingsForAuthtrue/useMavenSettingsForAuthrepository${}/${}/${}/repositorytag${}/tagbuildArgsJAR_FILE${}.jar/JAR_FILE/buildArgs/configuration/plugin/plugins/build/project

添加auth-service-routte路由，注意将uri设置为lb://oauth2-server-service，因为通过nacos转发时，会根据服务名进行负载均衡式的请求。

可以在predicates里配置StripPrefix=1,转发到目标服务后会去掉Path里第一个"/"和第二个"/"里的内容。

server:port:9000spring:application:name:gatewaycloud:gateway:discovery:locator:enabled:truelower-case-service-id:trueroutes:-id:user-service调用失败需要进行重试的次数,比如因为网络原因出现502等statuses:BAD_GATEWAY-StripPrefix=1nacos:server-addr:localhost:8848discovery:server-addr:${}username:nacospassword:nacosnamespace:publiclogging:level::debug

启动网关服务,可以从控制台看到我们配置的路由和相关的规则。

首先在auth-server添加一个测试api:/api/hello，使用postman访问请求localhost:9000/auth-server/api/hello

​

解决用网关转发Lb时，一直报503的问题:

由于最新版springcloud的gateway不支持负载均衡功能，因此需要手动添加一个loadbalancer依赖：

/groupIdartifactIdspring-cloud-loadbalancer/artifactId/depency

重新刷新依赖、启动网关微服务，访问localhost:9000/auth-server/api/hello，响应代码为:401,说明请求正确的转发到auth-server:

在一个大型的分布式系统里，存在的微服务可能有几十个或者上百个，如何使用网关和oauthserver来保护，我们可以将普通微服务的未认证的请求全部由网关转发给鉴权服务器。

同样集成nacos,oauth2,mybatis等框架，运行起来后能在nacos中发现。

放了方便配置资源服务器，我们将所有需要认证的接口都带上/api前缀。

;;;;;/***资源服务器配置*/@Configuration@EnableResourceServerpublicclassResourceServerConfigextsResourceServerConfigurerAdapter{@Overridepublicvoidconfigure(HttpSecurityhttp)throwsException{().anyRequest().authenticated().and().requestMatchers().antMatchers("/api/**");//配置需要保护的资源路径}}

需要注意client-id和client-secret要与数据库里保持一致，可以选择使用客户端模式的进行认证，另外这个值配为:oauth2-server的/oauth/check_token。

在文件里添加以下配置:

=http://localhost:9000/auth-server/oauth/===asdfholu12josadf
username:bing
password:123456
4.客户端模式(client_credentials)
客户端模式是指客户端用自己的名义而不是用户的身份去向授权服务器申请令牌。
用postman请求localhost:9010/oauth/token,body里的参数为：
以上就是搭建统一鉴权的所有流程，4种模式都可以使用，可根据不同的场景进行甄选。
参考:
11.授权认证Oauth2_C--G的博客-CSDN博客_oauth2权限认证