As the Internet has become ubiquitous, win-win cooperation has drawn more and more attention. Mature Internet companies need to cooperate with a large number of third-party companies in order to offer their users a rich set of personalized applications. In the process, a company needs to open some of its own capabilities (APIs) to third-party partners, which is typically done by building a dedicated open platform system. Whichever way a company opens its capabilities, authorization is a topic it cannot avoid. This book explains authorization in detail across 8 chapters, covering an overview of OAuth 2, the overall architecture of an open platform, grant types in practice, OpenID from theory to practice, authorization code grant callback URLs in practice, signatures, authorization information, and OAuth 2 in practice with Spring Security.
Mi Pengcheng is a senior engineer at JD Retail, mainly responsible for R&D work on the open platform. He has studied in depth the concrete implementation of each system in the open platform, and currently develops and maintains the JOS gateway system, which handles around 5 billion calls per day.
Contents
Chapter 1 OAuth 2 Overview ...... 1
  1.1 Definition of OAuth 2 ...... 2
    1.1.1 Official definition ...... 2
    1.1.2 Definition in open platforms ...... 2
  1.2 The four OAuth 2 grant types ...... 3
    1.2.1 Implicit grant ...... 3
    1.2.2 Authorization code grant ...... 5
    1.2.3 Trusted-client password grant ...... 10
    1.2.4 Trusted-client grant ...... 12
Chapter 2 Overall Architecture of an Open Platform ...... 15
  2.1 Functional architecture ...... 16
  2.2 API gateway system ...... 18
    2.2.1 Overall API architecture ...... 18
    2.2.2 Relationship between the API gateway and the authorization system ...... 19
  2.3 Console system ...... 20
    2.3.1 Feature overview ...... 20
    2.3.2 Relationship between the console system and the authorization system ...... 20
  2.4 Service marketplace ...... 21
Chapter 3 Grant Types in Practice ...... 22
  3.1 Applying the authorization code grant ...... 23
    3.1.1 Obtaining the code ...... 23
    3.1.2 Obtaining authorization information ...... 27
    3.1.3 Refreshing authorization information ...... 30
  3.2 Applying the username/password authorization code grant ...... 31
  3.3 Applying the trusted-client password grant ...... 33
  3.4 Applying the trusted-client grant ...... 34
    3.4.1 Standard trusted-client grant ...... 34
    3.4.2 In-house applications ...... 35
    3.4.3 Authorization for in-house trusted clients ...... 35
  3.5 Applying the plugin-based grant ...... 36
    3.5.1 Ordinary application scenario ...... 37
    3.5.2 Official application scenario ...... 42
Chapter 4 OpenID from Theory to Practice ...... 48
  4.1 OpenID overview ...... 49
    4.1.1 Definition of OpenID ...... 49
    4.1.2 OpenID usage flow ...... 50
    4.1.3 OpenID and OAuth 2 ...... 52
  4.2 OpenID scheme based on auto-increment IDs ...... 53
    4.2.1 Overview ...... 53
    4.2.2 Implementation based on single-node auto-increment IDs ...... 54
    4.2.3 OpenID generation based on the Snowflake algorithm ...... 55
    4.2.4 Summary of OpenID generation based on auto-increment IDs ...... 56
  4.3 OpenID scheme based on hash algorithms ...... 57
    4.3.1 Overview ...... 57
    4.3.2 Introduction to hash algorithms ...... 57
    4.3.3 Computing OpenIDs with a hash function ...... 58
    4.3.4 Summary of the hash-based OpenID scheme ...... 64
  4.4 OpenID scheme based on symmetric encryption ...... 64
    4.4.1 Overview ...... 64
    4.4.2 Introduction to symmetric encryption algorithms ...... 64
    4.4.3 OpenID in practice with symmetric encryption ...... 66
    4.4.4 Summary of the symmetric-encryption-based OpenID scheme ...... 68
  4.5 OpenID scheme based on strictly monotonic functions ...... 69
    4.5.1 Related concepts ...... 69
    4.5.2 OpenID in practice with strictly monotonic functions ...... 70
    4.5.3 Summary of the strictly-monotonic-function-based OpenID scheme ...... 74
  4.6 OpenID scheme based on vector addition ...... 75
    4.6.1 Introduction to UUIDs ...... 75
    4.6.2 OpenID in practice with vector addition ...... 76
    4.6.3 Extending the idea to matrix multiplication ...... 79
  4.7 OpenID summary ...... 81
  4.8 UnionID ...... 83
    4.8.1 Introduction to UnionID ...... 83
    4.8.2 UnionID partitioning scheme ...... 84
    4.8.3 UnionID scheme based on auto-increment IDs ...... 86
    4.8.4 UnionID scheme based on hash algorithms ...... 88
    4.8.5 UnionID scheme based on symmetric encryption ...... 90
    4.8.6 UnionID scheme based on strictly monotonic functions ...... 92
    4.8.7 UnionID scheme based on vector addition ...... 93
    4.8.8 UnionID summary ...... 95
Chapter 5 Authorization Code Grant Callback URLs in Practice ...... 97
  5.1 Plain callback URLs ...... 98
  5.2 Character-substitution callback URLs ...... 99
    5.2.1 Introducing the scenario ...... 99
    5.2.2 Solution ...... 101
    5.2.3 Summary of the character-substitution callback URL scheme ...... 106
  5.3 Custom-function callback URLs ...... 106
    5.3.1 Introduction to FaaS ...... 106
    5.3.2 FaaS in practice ...... 108
    5.3.3 Custom-function callback URLs in practice ...... 109
  5.4 Code generation schemes ...... 112
    5.4.1 Generating codes from random numbers ...... 112
    5.4.2 Resolving random code collisions ...... 114
    5.4.3 Generating codes from UUIDs ...... 116
  5.5 Code consumption ...... 117
    5.5.1 Standard code consumption strategy ...... 117
    5.5.2 Optimizing the code consumption strategy ...... 118
Chapter 6 Signatures ...... 124
  6.1 Introducing signature algorithms ...... 125
  6.2 Introduction to asymmetric encryption ...... 127
  6.3 A closer look at signature algorithms ...... 128
  6.4 Common signature algorithms ...... 129
    6.4.1 Asymmetric signature algorithms ...... 129
    6.4.2 Signature algorithms used in open platform practice ...... 130
  6.5 An open platform signature example ...... 141
Chapter 7 Authorization Information ...... 146
  7.1 Introduction to access_token ...... 147
    7.1.1 Short-lived, refreshable access_token ...... 147
    7.1.2 Short-lived, non-refreshable access_token ...... 148
    7.1.3 Never-expiring access_token ...... 149
  7.2 Random-string implementation ...... 150
    7.2.1 Short-lived, refreshable access_token ...... 150
    7.2.2 Short-lived, non-refreshable access_token ...... 156
    7.2.3 Never-expiring access_token ...... 158
    7.2.4 Summary of the random-string access_token scheme ...... 160
    7.2.5 Weaknesses of the random-string scheme and their defenses ...... 160
  7.3 JWT implementation ...... 168
    7.3.1 Introduction to JWT ...... 168
    7.3.2 A simple JWT walkthrough ...... 169
    7.3.3 Authorization information implemented with JWT ...... 175
    7.3.4 Summary of the JWT-based access_token scheme ...... 179
  7.4 Permission packages and scope ...... 180
    7.4.1 Introducing the concept of scope ...... 180
    7.4.2 Scope implementation details in open platforms ...... 181
  7.5 SDK ...... 183
Chapter 8 OAuth 2 in Practice with Spring Security ...... 190
  8.1 Implicit grant ...... 191
    8.1.1 Authorization system implementation ...... 191
    8.1.2 Open gateway implementation ...... 195
    8.1.3 Verifying the implementation ...... 196
  8.2 Authorization code grant ...... 198
    8.2.1 Authorization system implementation ...... 198
    8.2.2 Open gateway implementation ...... 201
    8.2.3 Verifying the implementation ...... 203
  8.3 Trusted-client password grant ...... 208
    8.3.1 Authorization system implementation ...... 209
    8.3.2 Open gateway implementation ...... 211
    8.3.3 Verifying the implementation ...... 213
  8.4 Trusted-client grant ...... 215
    8.4.1 Authorization system implementation ...... 216
    8.4.2 Open gateway implementation ...... 218
    8.4.3 Verifying the implementation ...... 220
  8.5 Summary of the four grant types ...... 221
  8.6 JWT ...... 221
    8.6.1 Authorization system implementation ...... 222
    8.6.2 Open gateway implementation ...... 226
    8.6.3 Verifying the implementation ...... 227