From 60b7c9036fa9f05120aa9b2a5220ad73b2c54581 Mon Sep 17 00:00:00 2001 From: click33 <2393584716@qq.com> Date: Sun, 25 Aug 2024 20:00:05 +0800 Subject: [PATCH] =?UTF-8?q?=E9=87=8D=E6=9E=84=E6=94=B9=E5=90=8D=20PastToke?= =?UTF-8?q?n=20->=20LowerClientToken?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/resources/templates/index.html | 2 +- .../oauth2/config/SaOAuth2ServerConfig.java | 18 ++++---- .../dev33/satoken/oauth2/dao/SaOAuth2Dao.java | 45 ++++++++++--------- .../SaOAuth2DataGenerateDefaultImpl.java | 14 +++--- .../data/model/loader/SaClientModel.java | 20 ++++----- .../oauth2/template/SaOAuth2Template.java | 14 +++--- .../satoken/oauth2/template/SaOAuth2Util.java | 6 +-- .../dev33/satoken/dao/SaSessionForJson.java | 1 - 8 files changed, 61 insertions(+), 59 deletions(-) diff --git a/sa-token-demo/sa-token-demo-oauth2/sa-token-demo-oauth2-client/src/main/resources/templates/index.html b/sa-token-demo/sa-token-demo-oauth2/sa-token-demo-oauth2-client/src/main/resources/templates/index.html index adc3bd0a..0e8d6858 100644 --- a/sa-token-demo/sa-token-demo-oauth2/sa-token-demo-oauth2-client/src/main/resources/templates/index.html +++ b/sa-token-demo/sa-token-demo-oauth2/sa-token-demo-oauth2-client/src/main/resources/templates/index.html @@ -82,7 +82,7 @@

模式四:凭证式(Client Credentials)

以上三种模式获取的都是用户的 Access-Token,代表用户对第三方应用的授权,在OAuth2.0中还有一种针对 Client级别的授权, 即:Client-Token,代表应用自身的资源授权

-

Client-Token具有延迟作废特性,即:在每次获取最新Client-Token的时候,旧Client-Token不会立即过期,而是作为Past-Token再次 +

Client-Token具有延迟作废特性,即:在每次获取最新Client-Token的时候,旧Client-Token不会立即过期,而是作为Lower-Client-Token再次 储存起来,资源请求方只要携带其中之一便可通过Token校验,这种特性保证了在大量并发请求时不会出现“新旧Token交替造成的授权失效”, 保证了服务的高可用

diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2ServerConfig.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2ServerConfig.java index 3791c939..abdbc03d 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2ServerConfig.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/config/SaOAuth2ServerConfig.java @@ -60,8 +60,8 @@ public class SaOAuth2ServerConfig implements Serializable { /** Client-Token 保存的时间(单位:秒) 默认两个小时 */ public long clientTokenTimeout = 60 * 60 * 2; - /** Past-Client-Token 保存的时间(单位:秒) 默认为 -1,代表延续 Client-Token 有效期 */ - public long pastClientTokenTimeout = -1; + /** Lower-Client-Token 保存的时间(单位:秒) 默认为 -1,代表延续 Client-Token 有效期 */ + public long lowerClientTokenTimeout = -1; /** 默认 openid 生成算法中使用的摘要前缀 */ public String openidDigestPrefix = SaOAuth2Consts.OPENID_DEFAULT_DIGEST_PREFIX; @@ -228,18 +228,18 @@ public class SaOAuth2ServerConfig implements Serializable { } /** - * @return pastClientTokenTimeout + * @return lowerClientTokenTimeout */ - public long getPastClientTokenTimeout() { - return pastClientTokenTimeout; + public long getLowerClientTokenTimeout() { + return lowerClientTokenTimeout; } /** - * @param pastClientTokenTimeout 要设置的 pastClientTokenTimeout + * @param lowerClientTokenTimeout 要设置的 lowerClientTokenTimeout * @return 对象自身 */ - public SaOAuth2ServerConfig setPastClientTokenTimeout(long pastClientTokenTimeout) { - this.pastClientTokenTimeout = pastClientTokenTimeout; + public SaOAuth2ServerConfig setLowerClientTokenTimeout(long lowerClientTokenTimeout) { + this.lowerClientTokenTimeout = lowerClientTokenTimeout; return this; } @@ -379,7 +379,7 @@ public class SaOAuth2ServerConfig implements Serializable { ", accessTokenTimeout=" + accessTokenTimeout + ", refreshTokenTimeout=" + refreshTokenTimeout + ", clientTokenTimeout=" + clientTokenTimeout + - ", pastClientTokenTimeout=" + pastClientTokenTimeout + + ", lowerClientTokenTimeout=" + lowerClientTokenTimeout + ", openidDigestPrefix='" + openidDigestPrefix + ", higherScope='" + higherScope + ", lowerScope='" + lowerScope + diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/dao/SaOAuth2Dao.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/dao/SaOAuth2Dao.java index f3110717..803c8b03 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/dao/SaOAuth2Dao.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/dao/SaOAuth2Dao.java @@ -23,10 +23,13 @@ import cn.dev33.satoken.oauth2.data.model.AccessTokenModel; import cn.dev33.satoken.oauth2.data.model.ClientTokenModel; import cn.dev33.satoken.oauth2.data.model.CodeModel; import cn.dev33.satoken.oauth2.data.model.RefreshTokenModel; +import cn.dev33.satoken.oauth2.data.model.loader.SaClientModel; import cn.dev33.satoken.util.SaFoxUtil; import java.util.List; +import static cn.dev33.satoken.oauth2.template.SaOAuth2Util.checkClientModel; + /** * Sa-Token OAuth2 数据持久层 * @@ -126,20 +129,20 @@ public interface SaOAuth2Dao { } /** - * 持久化:Past-Token-索引 + * 持久化:Lower-Client-Token 索引 * @param ct / */ - default void savePastTokenIndex(ClientTokenModel ct) { + default void saveLowerClientTokenIndex(ClientTokenModel ct) { if(ct == null) { return; } long ttl = ct.getExpiresIn(); - // TODO PastToken ttl 是否有必要单独配置个字段? -// SaClientModel cm = checkClientModel(ct.clientId); -// if (cm.getPastClientTokenTimeout() != -1) { -// ttl = cm.getPastClientTokenTimeout(); -// } - getSaTokenDao().set(splicingPastTokenIndexKey(ct.clientId), ct.clientToken, ttl); + // 如果此 client 单独配置了 Lower-Client-Token 的 TTL,则使用单独配置 + SaClientModel cm = checkClientModel(ct.clientId); + if (cm.getLowerClientTokenTimeout() != -1) { + ttl = cm.getLowerClientTokenTimeout(); + } + getSaTokenDao().set(splicingLowerClientTokenIndexKey(ct.clientId), ct.clientToken, ttl); } /** @@ -248,20 +251,20 @@ public interface SaOAuth2Dao { } /** - * 删除:Past-Token - * @param pastToken 值 + * 删除:Lower-Client-Token + * @param lowerClientToken 值 */ - default void deletePastToken(String pastToken) { + default void deleteLowerClientToken(String lowerClientToken) { // 其实就是删除 ClientToken - deleteClientToken(pastToken); + deleteClientToken(lowerClientToken); } /** - * 删除:Past-Token索引 + * 删除:Lower-Client-Token索引 * @param clientId 应用id */ - default void deletePastTokenIndex(String clientId) { - getSaTokenDao().delete(splicingPastTokenIndexKey(clientId)); + default void deleteLowerClientTokenIndex(String clientId) { + getSaTokenDao().delete(splicingLowerClientTokenIndexKey(clientId)); } /** @@ -372,12 +375,12 @@ public interface SaOAuth2Dao { } /** - * 获取:Past-Token Value + * 获取:Lower-Client-Token Value * @param clientId 应用id * @return . */ - default String getPastTokenValue(String clientId) { - return getSaTokenDao().get(splicingPastTokenIndexKey(clientId)); + default String getLowerClientTokenValue(String clientId) { + return getSaTokenDao().get(splicingLowerClientTokenIndexKey(clientId)); } /** @@ -482,12 +485,12 @@ public interface SaOAuth2Dao { } /** - * 拼接key:Past-Token 索引 + * 拼接key:Lower-Client-Token 索引 * @param clientId clientId * @return key */ - default String splicingPastTokenIndexKey(String clientId) { - return getSaTokenConfig().getTokenName() + ":oauth2:past-token-index:" + clientId; + default String splicingLowerClientTokenIndexKey(String clientId) { + return getSaTokenConfig().getTokenName() + ":oauth2:lower-client-token-index:" + clientId; } /** diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java index 33ad2055..36c1e9fe 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java @@ -204,17 +204,17 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate { SaOAuth2Dao dao = SaOAuth2Manager.getDao(); - // 1、删掉旧 Past-Token - dao.deleteClientToken(dao.getPastTokenValue(clientId)); + // 1、删掉旧 Lower-Client-Token + dao.deleteClientToken(dao.getLowerClientTokenValue(clientId)); - // 2、将旧Client-Token 标记为新 Past-Token + // 2、将旧Client-Token 标记为新 Lower-Client-Token ClientTokenModel oldCt = dao.getClientToken(dao.getClientTokenValue(clientId)); - dao.savePastTokenIndex(oldCt); + dao.saveLowerClientTokenIndex(oldCt); - // 2.5、如果配置了 PastClientToken 的 ttl ,则需要更新一下 + // 2.5、如果配置了 Lower-Client-Token 的 ttl ,则需要更新一下 SaClientModel cm = SaOAuth2Manager.getDataLoader().getClientModelNotNull(clientId); - if(oldCt != null && cm.getPastClientTokenTimeout() != -1) { - oldCt.expiresTime = System.currentTimeMillis() + (cm.getPastClientTokenTimeout() * 1000); + if(oldCt != null && cm.getLowerClientTokenTimeout() != -1) { + oldCt.expiresTime = System.currentTimeMillis() + (cm.getLowerClientTokenTimeout() * 1000); dao.saveClientToken(oldCt); } diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/model/loader/SaClientModel.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/model/loader/SaClientModel.java index 46e64344..393da7c8 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/model/loader/SaClientModel.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/model/loader/SaClientModel.java @@ -70,8 +70,8 @@ public class SaClientModel implements Serializable { /** 单独配置此Client:Client-Token 保存的时间(单位秒) [默认取全局配置] */ public long clientTokenTimeout; - /** 单独配置此Client:Past-Client-Token 保存的时间(单位:秒) [默认取全局配置] */ - public long pastClientTokenTimeout; + /** 单独配置此Client:Lower-Client-Token 保存的时间(单位:秒) [默认取全局配置] */ + public long lowerClientTokenTimeout; public SaClientModel() { @@ -80,7 +80,7 @@ public class SaClientModel implements Serializable { this.accessTokenTimeout = config.getAccessTokenTimeout(); this.refreshTokenTimeout = config.getRefreshTokenTimeout(); this.clientTokenTimeout = config.getClientTokenTimeout(); - this.pastClientTokenTimeout = config.getPastClientTokenTimeout(); + this.lowerClientTokenTimeout = config.getLowerClientTokenTimeout(); } public SaClientModel(String clientId, String clientSecret, List contractScopes, List allowRedirectUris) { super(); @@ -236,18 +236,18 @@ public class SaClientModel implements Serializable { } /** - * @return 此Client:Past-Client-Token 保存的时间(单位:秒) [默认取全局配置] + * @return 此Client:Lower-Client-Token 保存的时间(单位:秒) [默认取全局配置] */ - public long getPastClientTokenTimeout() { - return pastClientTokenTimeout; + public long getLowerClientTokenTimeout() { + return lowerClientTokenTimeout; } /** - * @param pastClientTokenTimeout 单独配置此Client:Past-Client-Token 保存的时间(单位:秒) [默认取全局配置] + * @param lowerClientTokenTimeout 单独配置此Client:Lower-Client-Token 保存的时间(单位:秒) [默认取全局配置] * @return 对象自身 */ - public SaClientModel setPastClientTokenTimeout(long pastClientTokenTimeout) { - this.pastClientTokenTimeout = pastClientTokenTimeout; + public SaClientModel setLowerClientTokenTimeout(long lowerClientTokenTimeout) { + this.lowerClientTokenTimeout = lowerClientTokenTimeout; return this; } @@ -265,7 +265,7 @@ public class SaClientModel implements Serializable { ", accessTokenTimeout=" + accessTokenTimeout + ", refreshTokenTimeout=" + refreshTokenTimeout + ", clientTokenTimeout=" + clientTokenTimeout + - ", pastClientTokenTimeout=" + pastClientTokenTimeout + + ", lowerClientTokenTimeout=" + lowerClientTokenTimeout + '}'; } diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Template.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Template.java index 7479f24d..2e6a506c 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Template.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Template.java @@ -628,17 +628,17 @@ public class SaOAuth2Template { } /** - * 回收 PastToken,根据索引: clientId + * 回收 Lower-Client-Token,根据索引: clientId * * @param clientId / */ - public void revokePastTokenByIndex(String clientId) { + public void revokeLowerClientTokenByIndex(String clientId) { SaOAuth2Dao dao = SaOAuth2Manager.getDao(); - // 删 pastToken - String pastToken = dao.getPastTokenValue(clientId); - if(pastToken != null) { - dao.deletePastToken(pastToken); - dao.deletePastTokenIndex(clientId); + // 删 Lower-Client-Token + String lowerClientToken = dao.getLowerClientTokenValue(clientId); + if(lowerClientToken != null) { + dao.deleteLowerClientToken(lowerClientToken); + dao.deleteLowerClientTokenIndex(clientId); } } diff --git a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Util.java b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Util.java index 4d667933..a59077e4 100644 --- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Util.java +++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/template/SaOAuth2Util.java @@ -318,12 +318,12 @@ public class SaOAuth2Util { } /** - * 回收 PastToken,根据索引: clientId + * 回收 Lower-Client-Token,根据索引: clientId * * @param clientId / */ - public static void revokePastTokenByIndex(String clientId) { - SaOAuth2Manager.getTemplate().revokePastTokenByIndex(clientId); + public static void revokeLowerClientTokenByIndex(String clientId) { + SaOAuth2Manager.getTemplate().revokeLowerClientTokenByIndex(clientId); } } diff --git a/sa-token-plugin/sa-token-redisx/src/main/java/cn/dev33/satoken/dao/SaSessionForJson.java b/sa-token-plugin/sa-token-redisx/src/main/java/cn/dev33/satoken/dao/SaSessionForJson.java index 680230f9..f5a89f87 100644 --- a/sa-token-plugin/sa-token-redisx/src/main/java/cn/dev33/satoken/dao/SaSessionForJson.java +++ b/sa-token-plugin/sa-token-redisx/src/main/java/cn/dev33/satoken/dao/SaSessionForJson.java @@ -19,7 +19,6 @@ import cn.dev33.satoken.session.SaSession; import cn.dev33.satoken.util.SaFoxUtil; import org.noear.snack.ONode; -//todo: 不能删;为保持与旧的序列化兼容 /** * Snack3 定制版 SaSession,重写类型转换API *