OAuth 2 實戰寶典 (OAuth 2 in Practice). Intended readers: OAuth 2 researchers and enthusiasts, technical and operations staff working on open platforms, and third-party application developers.
As the Internet has spread, win-win cooperation has become an increasingly important topic. Mature Internet companies need to cooperate with many third-party companies in order to offer their users a rich set of personalized applications. In this process a company has to open some of its own capabilities (APIs) to third-party partners, which in practice usually means building a dedicated open-platform system. Whatever way a company chooses to open its capabilities, authorization is a topic it cannot avoid. This book covers authorization in detail over eight chapters: an overview of OAuth 2, the overall architecture of an open platform, authorization modes in practice, OpenID from theory to practice, callback URLs for the authorization code grant in practice, signatures, authorization information, and OAuth 2 in practice with Spring Security.
糜鵬程 (Mi Pengcheng) is a senior engineer at JD Retail, mainly responsible for R&D on the open platform. He has studied the concrete implementation of the open platform's subsystems in depth and currently develops and maintains the JOS gateway system, which handles roughly 5 billion calls per day.
Contents
Chapter 1  OAuth 2 Overview
  1.1  Definition of OAuth 2
    1.1.1  Official definition
    1.1.2  Definition in the context of an open platform
  1.2  The four authorization modes of OAuth 2
    1.2.1  Implicit grant
    1.2.2  Authorization code grant
    1.2.3  Trusted-client password mode (the resource owner password credentials grant)
    1.2.4  Trusted-client mode (the client credentials grant)

Chapter 2  Overall Architecture of an Open Platform
  2.1  Functional architecture
  2.2  API gateway system
    2.2.1  Overall API architecture
    2.2.2  Relationship between the API gateway and the authorization system
  2.3  Console system
    2.3.1  Function overview
    2.3.2  Relationship between the console system and the authorization system
  2.4  Service marketplace

Chapter 3  Authorization Modes in Practice
  3.1  Applying the authorization code grant
    3.1.1  Obtaining the code
    3.1.2  Obtaining authorization information
    3.1.3  Refreshing authorization information
  3.2  Applying the username/password authorization code mode
  3.3  Applying the trusted-client password mode
  3.4  Applying the trusted-client mode
    3.4.1  Standard trusted-client mode
    3.4.2  Self-developed applications
    3.4.3  Authorization for self-developed trusted clients
  3.5  Applying the plugin-based authorization mode
    3.5.1  Ordinary application scenarios
    3.5.2  Official application scenarios

Chapter 4  OpenID from Theory to Practice
  4.1  OpenID overview
    4.1.1  Definition of OpenID
    4.1.2  OpenID usage flow
    4.1.3  OpenID and OAuth 2
  4.2  OpenID scheme based on auto-increment IDs
    4.2.1  Overview
    4.2.2  Implementation based on a single-node auto-increment ID
    4.2.3  OpenID generation based on the snowflake algorithm
    4.2.4  Summary of auto-increment-ID-based OpenID generation
  4.3  OpenID scheme based on hash algorithms
    4.3.1  Overview
    4.3.2  Introduction to hash algorithms
    4.3.3  Computing an OpenID with a hash function
    4.3.4  Summary of the hash-based OpenID scheme
  4.4  OpenID scheme based on symmetric encryption
    4.4.1  Overview
    4.4.2  Introduction to symmetric encryption algorithms
    4.4.3  OpenID based on symmetric encryption in practice
    4.4.4  Summary of the symmetric-encryption-based OpenID scheme
  4.5  OpenID scheme based on strictly monotonic functions
    4.5.1  Related concepts
    4.5.2  OpenID based on strictly monotonic functions in practice
    4.5.3  Summary of the strictly-monotonic-function-based OpenID scheme
  4.6  OpenID scheme based on vector addition
    4.6.1  Introduction to UUID
    4.6.2  OpenID based on vector addition in practice
    4.6.3  Extending the idea to matrix multiplication
  4.7  OpenID summary
  4.8  UnionID
    4.8.1  Introduction to UnionID
    4.8.2  UnionID partitioning scheme
    4.8.3  UnionID scheme based on auto-increment IDs
    4.8.4  UnionID scheme based on hash algorithms
    4.8.5  UnionID scheme based on symmetric encryption
    4.8.6  UnionID scheme based on strictly monotonic functions
    4.8.7  UnionID scheme based on vector addition
    4.8.8  UnionID summary

Chapter 5  Callback URLs for the Authorization Code Grant in Practice
  5.1  Plain callback URLs
  5.2  Callback URLs with character substitution
    5.2.1  Motivating scenario
    5.2.2  Solution
    5.2.3  Summary of the character-substitution callback URL scheme
  5.3  Callback URLs with custom functions
    5.3.1  Introduction to FaaS
    5.3.2  FaaS in practice
    5.3.3  Custom-function callback URLs in practice
  5.4  Code generation schemes
    5.4.1  Generating the code from random numbers
    5.4.2  Resolving collisions of random codes
    5.4.3  Generating the code from a UUID
  5.5  Code consumption
    5.5.1  Standard code consumption strategy
    5.5.2  Optimizing the code consumption strategy

Chapter 6  Signatures
  6.1  Introducing signature algorithms
  6.2  Introduction to asymmetric encryption
  6.3  Signature algorithms in more depth
  6.4  Common signature algorithms
    6.4.1  Asymmetric signature algorithms
    6.4.2  Signature algorithms used in open-platform practice
  6.5  An open-platform signature example

Chapter 7  Authorization Information
  7.1  Introduction to access_token
    7.1.1  Short-lived refreshable access_token
    7.1.2  Short-lived non-refreshable access_token
    7.1.3  Never-expiring access_token
  7.2  Random-string implementation
    7.2.1  Short-lived refreshable access_token
    7.2.2  Short-lived non-refreshable access_token
    7.2.3  Never-expiring access_token
    7.2.4  Summary of random-string access_token schemes
    7.2.5  Weaknesses of the random-string scheme and defenses
  7.3  JWT implementation
    7.3.1  Introduction to JWT
    7.3.2  A simple JWT exercise
    7.3.3  Authorization information implemented with JWT
    7.3.4  Summary of the JWT-based access_token scheme
  7.4  Permission packages and scope
    7.4.1  Introducing the scope concept
    7.4.2  Scope implementation details in an open platform
  7.5  SDK

Chapter 8  OAuth 2 in Practice with Spring Security
  8.1  Implicit grant
    8.1.1  Implementation in the authorization system
    8.1.2  Implementation in the open gateway
    8.1.3  Verifying the implementation
  8.2  Authorization code grant
    8.2.1  Implementation in the authorization system
    8.2.2  Implementation in the open gateway
    8.2.3  Verifying the implementation
  8.3  Trusted-client password mode
    8.3.1  Implementation in the authorization system
    8.3.2  Implementation in the open gateway
    8.3.3  Verifying the implementation
  8.4  Trusted-client mode
    8.4.1  Implementation in the authorization system
    8.4.2  Implementation in the open gateway
    8.4.3  Verifying the implementation
  8.5  Summary of the four authorization modes
  8.6  JWT
    8.6.1  Implementation in the authorization system
    8.6.2  Implementation in the open gateway
    8.6.3  Verifying the implementation