OpenAM之OAuth2配置

灰太狼 2022-04-25 09:50 240阅读 0赞

## OpenAM OAuth2 ##

OpenAM是很强大的，OAuth2的配置也相对简单，分3步走

*  配置OAuth2 Application（=OAuth2 connect client / ≈OAuth2 agent）
 *  配置OAuth2 Service Provider（Configure OAuth2 authorization server）
 *  验证OAuth2的code/access\_token/tokeninfo是否正确

## 配置OAuth2 Application ##

1.进入顶层Top Level Realm，找到`Applications`\->`OAuth2`  
![在这里插入图片描述][20190531103006638.png]  
2.New一个`Agent`，这里看到的`Name`，就是`client_id`  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70]

3.这里的`Client password`要记住，也就是后面要用的`client_sercret`

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 1]  
4.把要授权跳转的网站，配置进去`Redirection_URIs`，这里我们用http://java.bejson.com/generator/ ![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 2]  
5.Scope可以设置几个，例如`mail`/`employeenumber`等  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 3]  
\*。至于Scope怎么获取，可以参考以下方法，从`Subjects`里面打开找到你的用户，然后修改，然后使用Chrome的F12查看元素，`EntityEdit.XXX`就是想要的`Scope`了，这个值后面`tokeninfo`的时候会获取到。  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 4]

## 配置OAuth2 Service Provider ##

1.`DashBoard`有个`Common Tasks`，找到一个`Configure OAuth Provider`的菜单，配置`Configure OAuth2`  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 5]

2.基本没什么可以选，默认即可。![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 6]  
3.正常保存后，可以再`Services`里面找到一个`OAuth2 Provider`  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 7]  
4.里面有些配置可以定制，不过作为demo一般默认就够了![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 8]

## 验证OAuth2的code/access\_token/tokeninfo是否正确 ##

1.首先是code，开始构建url，关键是几个字段

> [http://localhost:8099/openampro/oauth2/realms/root/authorize?client\_id=tomcatadmin&response\_type=code&scope=employeenumber&redirect\_uri=http://java.bejson.com/generator][http_localhost_8099_openampro_oauth2_realms_root_authorize_client_id_tomcatadmin_response_type_code_scope_employeenumber_redirect_uri_http_java.bejson.com_generator]

*  client\_id=tomcatadmin，前面agent/client里面的Name
 *  response\_type=code，这里是code，当然你可以粗暴一点设置为token直接获取access\_token
 *  scope=employeenumber，相当于你要tokeninfo可以获取的信息
 *  redirect\_uri=http://java.bejson.com/generator 必须是配置再重定向uris里面的地址

2.跳转并获取Code

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 9]  
3.从地址提取`code`为`de7f03c5-a72c-4d74-acae-b7671fbbeb19`  
![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 10]

4.使用Postman构造`POST`请求，获取`ACCESS_TOKEN`

*  url :

> [http://localhost:8099/openampro/oauth2/realms/root/access\_token][http_localhost_8099_openampro_oauth2_realms_root_access_token]

*  参数：

> client\_id:tomcatadmin  
> client\_secret:tomcat123  
> code:`de7f03c5-a72c-4d74-acae-b7671fbbeb19`  
> grant\_type:authorization\_code  
> redirect\_uri:[http://java.bejson.com/generator][http_java.bejson.com_generator]

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 11]

5.使用Postman构造`GET`请求，获取`TOKEN INFO`

> [http://localhost:8099/openampro/oauth2/realms/root/tokeninfo?access\_token=][http_localhost_8099_openampro_oauth2_realms_root_tokeninfo_access_token]`5afab977-64b0-4480-83cb-40b140aae1ed`

![在这里插入图片描述][watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 12]

## Summary ##

到此，一个简单的OpenAM-OAuth2的构建（`redirectUrl->code->accessToken->tokenInfo`）已经完成，但是这只是一个开始，还有更复杂的配置，更复杂的授权机制，还有LDAP/Subjects同步，Scope设置等等内容需要探索。

[20190531103006638.png]: /images/20220125/efe1fa3ee81a4833b98b0a09bd3d1486.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70]: /images/20220125/e06361e046df4c9ab57b0ca9e90bcb1f.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 1]: /images/20220125/b731308994a24bd0bca75590f2946cea.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 2]: /images/20220125/827f95bc68434e82b7979f819e99c2c3.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 3]: /images/20220125/84cc0fa2aa7a4631bae307345ce37742.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 4]: /images/20220125/8ba4ccdf5bb14cffb67f0fe569fd0fc4.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 5]: /images/20220125/7f4e84f1a0c24d16be2b2fba7bdd2410.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 6]: /images/20220125/4d64fb8cae05470ea9d5a803ac387f15.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 7]: /images/20220125/a0d236466d864cf3b22924eb2a90114b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 8]: /images/20220125/dafa0a62f23748139e18f478a87fd8c1.png
[http_localhost_8099_openampro_oauth2_realms_root_authorize_client_id_tomcatadmin_response_type_code_scope_employeenumber_redirect_uri_http_java.bejson.com_generator]: http://localhost:8099/openampro/oauth2/realms/root/authorize?client_id=tomcatadmin&response_type=code&scope=employeenumber&redirect_uri=http://java.bejson.com/generator
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 9]: /images/20220125/3ac7902fcadf41dabeb89065fba7eb1b.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 10]: /images/20220125/667015ec2b4940119c519f865b17a796.png
[http_localhost_8099_openampro_oauth2_realms_root_access_token]: http://localhost:8099/openampro/oauth2/realms/root/access_token
[http_java.bejson.com_generator]: http://java.bejson.com/generator
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 11]: /images/20220125/de428a87f8e04c75b01297ec3875b84b.png
[http_localhost_8099_openampro_oauth2_realms_root_tokeninfo_access_token]: http://localhost:8099/openampro/oauth2/realms/root/tokeninfo?access_token=
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly96aGVuZ2thaS5ibG9nLmNzZG4ubmV0_size_16_color_FFFFFF_t_70 12]: /images/20220125/a497a2cb1f6549a1a5a51cf28e4bdd55.png