Sa-OAuth2 模块密码式新增 client_secret 参数校验

click33
2022-08-23 16:43:17 +08:00
parent 31462217b4
commit 9d6ce502c1
5 changed files with 40 additions and 8 deletions


@@ -94,6 +94,7 @@ public class SaOAuthClientController {
String str = OkHttps.sync(serverUrl + "/oauth2/token")
.addBodyPara("grant_type", "password")
.addBodyPara("client_id", clientId)
.addBodyPara("client_secret", clientSecret)
.addBodyPara("username", username)
.addBodyPara("password", password)
.post()


@@ -76,7 +76,7 @@
账号:<input name="username">
密码:<input name="password">
<button onclick="passwordLogin()">登录</button>
<code>http://sa-oauth-server.com:8001/oauth2/token?grant_type=password&client_id={value}&username={value}&password={value}</code>
<code>http://sa-oauth-server.com:8001/oauth2/token?grant_type=password&client_id={value}&client_secret={value}&username={value}&password={value}</code>
<br>
<h3>模式四凭证式Client Credentials</h3>
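Review bot: The updated example shows `client_secret={value}` in the URL query string, while the sample client (SaOAuthClientController in this same commit) sends it as a POST body parameter; a query-string URL ends up in browser history, proxy and server access logs, so the example should not teach that form for the secret. Suggest showing the body form instead, e.g. `<code>POST http://sa-oauth-server.com:8001/oauth2/token — body: grant_type=password&client_id={value}&client_secret={value}&username={value}&password={value}</code>`.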


@@ -255,30 +255,31 @@ public class SaOAuth2Handle {
String username = req.getParamNotNull(Param.username);
String password = req.getParamNotNull(Param.password);
String clientId = req.getParamNotNull(Param.client_id);
String clientSecret = req.getParamNotNull(Param.client_secret);
String scope = req.getParam(Param.scope, "");
// 2、校验 ClientScope
SaOAuth2Util.checkContract(clientId, scope);
// 2、校验 ClientScope 和 scope
SaOAuth2Util.checkClientSecretAndScope(clientId, clientSecret, scope);
// 3、防止因前端误传token造成逻辑干扰
SaHolder.getStorage().set(StpUtil.stpLogic.splicingKeyJustCreatedSave(), "no-token");
// SaHolder.getStorage().set(StpUtil.stpLogic.splicingKeyJustCreatedSave(), "no-token");
// 4、调用API 开始登录,如果没能成功登录,则直接退出
// 3、调用API 开始登录,如果没能成功登录,则直接退出
Object retObj = cfg.getDoLoginHandle().apply(username, password);
if(StpUtil.isLogin() == false) {
return retObj;
}
// 5、构建 ra对象
// 4、构建 ra对象
RequestAuthModel ra = new RequestAuthModel();
ra.clientId = clientId;
ra.loginId = StpUtil.getLoginId();
ra.scope = scope;
// 7、生成 Access-Token
// 5、生成 Access-Token
AccessTokenModel at = SaOAuth2Util.generateAccessToken(ra, true);
// 8、返回 Access-Token
// 6、返回 Access-Token
return SaResult.data(at.toLineMap());
}
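Review bot: The line `// SaHolder.getStorage().set(StpUtil.stpLogic.splicingKeyJustCreatedSave(), "no-token");` leaves the former "no-token" guard as commented-out code instead of deleting it, and the commit does not say why the guard is no longer needed. If that line was what stopped a token already carried on the request from satisfying `StpUtil.isLogin()` a few lines below, then a request with wrong credentials but a valid token could now pass that check and be issued an Access-Token for `StpUtil.getLoginId()` — worth confirming against `doLoginHandle` and StpUtil before merging. Either remove the line or replace it with a comment stating the reason, e.g. `// no-token guard dropped in 9d6ce502c1: <reason>`. The enclosing method's signature lies outside the hunk.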


@@ -396,6 +396,25 @@ public class SaOAuth2Template {
SaOAuth2Exception.throwBy(cm.clientSecret == null || cm.clientSecret.equals(clientSecret) == false, "无效client_secret: " + clientSecret);
return cm;
}
/**
* 校验clientId 与 clientSecret 是否正确,并且是否签约了指定 scopes
* @param clientId 应用id
* @param clientSecret 秘钥
* @param scopes 权限(多个用逗号隔开)
* @return SaClientModel对象
*/
public SaClientModel checkClientSecretAndScope(String clientId, String clientSecret, String scopes) {
// 先校验 clientSecret
SaClientModel cm = checkClientSecret(clientId, clientSecret);
// 再校验 是否签约
List<String> clientScopeList = SaFoxUtil.convertStringToList(cm.contractScope);
List<String> scopelist = SaFoxUtil.convertStringToList(scopes);
if(clientScopeList.containsAll(scopelist) == false) {
throw new SaOAuth2Exception("请求的Scope暂未签约");
}
// 返回数据
return cm;
}
/**
* 校验:使用 code 获取 token 时提供的参数校验
* @param code 授权码
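Review bot: `checkClientSecretAndScope` relies on `checkClientSecret`, whose comparison on the context line at the top of the hunk, `cm.clientSecret.equals(clientSecret) == false`, is not constant-time, and whose message `"无效client_secret: " + clientSecret` echoes the submitted secret into the exception and therefore into any log or error response that carries it. Consider `MessageDigest.isEqual(cm.clientSecret.getBytes(StandardCharsets.UTF_8), clientSecret.getBytes(StandardCharsets.UTF_8))` and a message that names only the clientId. The new Javadoc should also state the failure contract, `@throws SaOAuth2Exception if the secret does not match or a requested scope is not contracted`; the same gap is in the SaOAuth2Util hunk's copy of the Javadoc. Whether a null `cm.contractScope` is tolerated depends on `SaFoxUtil.convertStringToList`, which is not visible here. `checkClientSecret` begins outside the hunk.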


@@ -207,6 +207,17 @@ public class SaOAuth2Util {
return saOAuth2Template.checkClientSecret(clientId, clientSecret);
}
/**
* 校验clientId 与 clientSecret 是否正确,并且是否签约了指定 scopes
* @param clientId 应用id
* @param clientSecret 秘钥
* @param scopes 权限(多个用逗号隔开)
* @return SaClientModel对象
*/
public static SaClientModel checkClientSecretAndScope(String clientId, String clientSecret, String scopes) {
return saOAuth2Template.checkClientSecretAndScope(clientId, clientSecret, scopes);
}
/**
* 校验:使用 code 获取 token 时提供的参数校验
* @param code 授权码