[oauth2] IV. oauth2authorizationrequestredirectfilter
2022-07-24 14:06:00 【Beicheng Xiaolin】
OAuth2 authorization request redirect filter
I. OAuth2AuthorizationRequestRedirectFilter
This filter is one of Spring Security's built-in filters. It is responsible for redirecting the request that the end user initiates at /oauth2/authorization/gitee to the authorization endpoint of the authorization server (authorization uri), which starts the authorization code flow. Its structure is shown in the diagram below:
The important piece here is the OAuth2AuthorizationRequestResolver interface.
II. OAuth2AuthorizationRequestResolver
This interface extracts from the HttpServletRequest the parameters that the OAuth2 authorization endpoint (authorization-uri) requires and encapsulates them as an OAuth2AuthorizationRequest object. If you need some customization of the authorization request, in particular custom parameters, you can provide your own implementation of this interface.
1、DefaultOAuth2AuthorizationRequestResolver
The default implementation of the OAuth2AuthorizationRequestResolver interface is DefaultOAuth2AuthorizationRequestResolver. Its two resolve methods have very similar logic, so here we only analyze the following one:
- 1. Match /oauth2/authorization/{registrationId} and extract the registrationId path variable.
- 2. Extract the request parameter whose key is action from the request; its default value is login.
- 3. Call the underlying resolve method, which assembles the OAuth2AuthorizationRequest.
The resolve method in step 3 assembles a different OAuth2AuthorizationRequest depending on the authorization grant type (AuthorizationGrantType).
The yellow fields in the figure above are assembled dynamically; the other fields are assembled as described earlier. The assembly logic for the yellow fields depends on two conditions (whether scope contains openid, and whether client-authentication-method is none), which gives the following combinations.
2、Authorization code mode
When scope does not contain openid and client-authentication-method is not none, the four parameters mentioned above are:
```json
{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
  },
  "attributes": {
    "registration_id": "{registrationId}"
  }
}
```
When scope contains openid and client-authentication-method is not none, the four parameters mentioned above are:
```json
{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "nonce": "hash of {nonce}"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "nonce": "{nonce}"
  }
}
```
When scope does not contain openid and client-authentication-method is none, the four parameters mentioned above are:
```json
{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "code_challenge": "hash of {codeVerifier}",
    // code_challenge_method may be absent when the method is not SHA-256
    "code_challenge_method": "S256 (when the SHA-256 algorithm is used)"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "code_verifier": "{codeVerifier}, a securely generated Base64 string"
  }
}
```
When scope contains openid and client-authentication-method is none, the four parameters mentioned above are:
```json
{
  "authorizationGrantType": "authorization_code",
  "responseType": "code",
  "additionalParameters": {
    "code_challenge": "hash of {codeVerifier}",
    // code_challenge_method may be absent when the method is not SHA-256
    "code_challenge_method": "S256 (when the SHA-256 algorithm is used)",
    "nonce": "hash of {nonce}"
  },
  "attributes": {
    "registration_id": "{registrationId}",
    "code_verifier": "{codeVerifier}, a securely generated Base64 string",
    "nonce": "{nonce}"
  }
}
```
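The code_verifier / code_challenge pair and the hashed nonce in the JSON above are the PKCE values from RFC 7636. The following standalone class is an added example (it is not Spring Security's code and does not use its classes) showing how those values are derived: a random Base64URL secret, the S256 transform, and the constant-time comparison an authorization server performs when the verifier comes back at the token endpoint. The class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added example, not Spring Security source: derives the PKCE values shown in the
// JSON above. code_verifier stays on the client side (attributes.code_verifier);
// only its S256 hash travels to the authorization server (additionalParameters.code_challenge).
public final class PkceValuesExample {
    private static final SecureRandom RANDOM = new SecureRandom();
    // Base64URL without padding, as RFC 7636 requires for both verifier and challenge
    private static final Base64.Encoder URL_ENCODER = Base64.getUrlEncoder().withoutPadding();

    /** Generates a 32-byte random secret (43 Base64URL characters), usable as a verifier or a nonce. */
    static String generateSecret() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return URL_ENCODER.encodeToString(bytes);
    }

    /** S256 transform: BASE64URL(SHA-256(ASCII(value))). */
    static String s256(String value) {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-256");
            return URL_ENCODER.encodeToString(digest.digest(value.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in the JDK", e);
        }
    }

    /** The check the authorization server runs at the token endpoint; constant-time to avoid timing leaks. */
    static boolean verifyChallenge(String codeVerifier, String codeChallenge) {
        byte[] expected = s256(codeVerifier).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = codeChallenge.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) {
        String codeVerifier = generateSecret();    // attributes.code_verifier
        String codeChallenge = s256(codeVerifier); // additionalParameters.code_challenge
        String nonce = generateSecret();           // attributes.nonce
        String nonceHash = s256(nonce);            // additionalParameters.nonce

        System.out.println("code_challenge_method=S256");
        System.out.println("code_challenge=" + codeChallenge);
        System.out.println("nonce(hashed)=" + nonceHash);
        // A verifier that has been altered by even one character must fail the check
        System.out.println("valid verifier accepted: " + verifyChallenge(codeVerifier, codeChallenge));
        System.out.println("altered verifier accepted: " + verifyChallenge(codeVerifier + "x", codeChallenge));
    }
}
```

Run it with `java PkceValuesExample.java`. The point worth noticing for reviewers: when client-authentication-method is none the client has no secret, so the only thing binding the authorization code to the party that started the flow is this verifier; logging it or storing it anywhere other than the session that holds the OAuth2AuthorizationRequest defeats the protection.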
3、How authorizationRequestUri is constructed
While the OAuth2AuthorizationRequest is being built, if authorizationRequestUri is not provided explicitly, the responseType, clientId, scopes, state, redirectUri and additionalParameters of the OAuth2AuthorizationRequest are spliced onto authorizationUri as a query string according to the rule below. Both the keys and the values of the query string are URI-encoded.
```text
authorizationUri?response_type={responseType.getValue()}&client_id={clientId}&scope={scopes joined by a single space}&state={state}&redirect_uri={redirectUri}&{additionalParameters expanded into key=value pairs in the same way}
```
OAuth2AuthorizationRequestRedirectFilter then redirects to the assembled authorizationRequestUri to request authorization from the third party.
- redirectUri
redirectUri is also built by DefaultOAuth2AuthorizationRequestResolver, following this rule:
```text
{baseUrl}/{action}/oauth2/code/{registrationId}
```
- baseUrl is the base path extracted from our /oauth2/authorization request, for example https://felord.cn.
- action has two default values, login and authorize; when the /oauth2/authorization request carries an action parameter, its value is used instead.
- registrationId is the client registration id from the request.
4、Customizing OAuth2AuthorizationRequest
OAuth2AuthorizationRequest will very likely need to be customized, so DefaultOAuth2AuthorizationRequestResolver accepts a Consumer<OAuth2AuthorizationRequest.Builder> function to meet that need.
In addition, OAuth2AuthorizationRequest.Builder provides two more customization functions:
parametersConsumer, to customize the parameters that make up authorizationRequestUri, and authorizationRequestUriFunction, to customize the final URI.
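The hooks described in this section can be wired together in one Spring Security configuration. The class below is an added example, not code from the original post: it registers a DefaultOAuth2AuthorizationRequestResolver whose Consumer<OAuth2AuthorizationRequest.Builder> customizer enables PKCE for every client (the case that, in the JSON above, Spring only applies automatically when client-authentication-method is none) and then uses the builder's parameters consumer to add an extra query parameter, and hands the resolver to oauth2Login. The class name, the base URI constant and the prompt=consent parameter are the example's own choices; OAuth2AuthorizationRequestCustomizers.withPkce() and setAuthorizationRequestCustomizer are real Spring Security APIs (5.7 and 5.4 respectively).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestCustomizers;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.SecurityFilterChain;

import java.util.function.Consumer;

// Added example, not part of the original post: customizes the OAuth2AuthorizationRequest
// that OAuth2AuthorizationRequestRedirectFilter redirects to.
@Configuration
public class CustomAuthorizationRequestConfig {

    // Same path prefix the filter matches by default (/oauth2/authorization/{registrationId})
    private static final String AUTHORIZATION_BASE_URI = "/oauth2/authorization";

    @Bean
    OAuth2AuthorizationRequestResolver authorizationRequestResolver(ClientRegistrationRepository clients) {
        DefaultOAuth2AuthorizationRequestResolver resolver =
                new DefaultOAuth2AuthorizationRequestResolver(clients, AUTHORIZATION_BASE_URI);

        // 1. withPkce() adds code_challenge / code_challenge_method and stores code_verifier
        //    in the attributes, even for confidential clients (defence in depth against
        //    authorization-code interception).
        Consumer<OAuth2AuthorizationRequest.Builder> pkce = OAuth2AuthorizationRequestCustomizers.withPkce();

        // 2. The builder's parameters consumer sees the fully assembled query map
        //    (response_type, client_id, scope, state, redirect_uri, ...) and may add or
        //    remove entries before authorizationRequestUri is spliced together.
        //    prompt=consent is an illustrative parameter chosen for this example.
        Consumer<OAuth2AuthorizationRequest.Builder> extraParam =
                builder -> builder.parameters(params -> params.put("prompt", "consent"));

        resolver.setAuthorizationRequestCustomizer(pkce.andThen(extraParam));
        return resolver;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
                                            OAuth2AuthorizationRequestResolver resolver) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2Login(login -> login
                .authorizationEndpoint(endpoint -> endpoint.authorizationRequestResolver(resolver)));
        return http.build();
    }
}
```

If you need to change the shape of the final URI rather than its parameters, the same builder exposes authorizationRequestUri(Function<UriBuilder, URI>), which is the authorizationRequestUriFunction mentioned above. Keep the state parameter that the default resolver generates; it is what OAuth2LoginAuthenticationFilter later uses to match the callback to the saved OAuth2AuthorizationRequest, so a parameters consumer should never remove or overwrite it.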