feat(auth-server): 实现 OAuth2 登录功能

- 重构 SecurityConfig，添加 OAuth2 登录相关配置
- 新增 FederatedIdentityAuthenticationSuccessHandler 处理登录成功事件
- 添加授权同意页面和错误页面的控制器
- 新增登录和首页的 Thymeleaf 模板
- 更新 Maven依赖，添加 OAuth2 客户端、Thymeleaf等

Author: chensoul

my-samples/auth-server-05-accessTokenResponseHandler/pom.xml

@@ -9,7 +9,7 @@
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>com.chensoul</groupId>
-    <artifactId>auth-server-06-OAuth2TokenCustomizer</artifactId>
+    <artifactId>auth-server-05-oauth2-login</artifactId>
     <version>0.0.1-SNAPSHOT</version>
 
     <dependencies>
@@ -19,14 +19,37 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-data-redis</artifactId>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.thymeleaf.extras</groupId>
+            <artifactId>thymeleaf-extras-springsecurity6</artifactId>
         </dependency>
 
         <dependency>
-            <groupId>org.projectlombok</groupId>
-            <artifactId>lombok</artifactId>
-            <optional>true</optional>
+            <groupId>org.webjars</groupId>
+            <artifactId>webjars-locator-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.webjars</groupId>
+            <artifactId>bootstrap</artifactId>
+            <version>5.3.5</version>
+        </dependency>
+        <dependency>
+            <groupId>org.webjars</groupId>
+            <artifactId>popper.js</artifactId>
+            <version>2.11.7</version>
         </dependency>
+        <dependency>
+            <groupId>org.webjars</groupId>
+            <artifactId>jquery</artifactId>
+            <version>3.7.1</version>
+        </dependency>
+
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>

my-samples/auth-server-05-accessTokenResponseHandler/src/main/resources/application.yml

@@ -1,30 +1,41 @@
 package com.chensoul.config;
 
+import com.chensoul.support.AccessTokenResponseHandler;
+import com.chensoul.support.FederatedIdentityAuthenticationSuccessHandler;
 import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerAutoConfiguration;
 import org.springframework.boot.autoconfigure.security.oauth2.server.servlet.OAuth2AuthorizationServerJwtAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.MediaType;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.oidc.OidcScopes;
-import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.*;
 import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
 import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
 import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
 import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
 
 import java.util.Set;
@@ -36,17 +47,20 @@
  * @see OAuth2AuthorizationServerAutoConfiguration
  * @see OAuth2AuthorizationServerJwtAutoConfiguration
  */
-@EnableWebSecurity(debug = true)
 @Configuration
 public class SecurityConfig {
+    private static final String CUSTOM_CONSENT_PAGE_URI = "/oauth2/consent";
+
     @Bean
-    @Order(1)
+    @Order(Ordered.HIGHEST_PRECEDENCE)
     SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
         OAuth2AuthorizationServerConfigurer authorizationServerConfigurer = authorizationServer();
 
         http.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
                 .with(authorizationServerConfigurer, (authorizationServer) ->
                         authorizationServer
+                                .authorizationEndpoint(authorizationEndpoint ->
+                                        authorizationEndpoint.consentPage(CUSTOM_CONSENT_PAGE_URI))
                                 .tokenEndpoint(token ->
                                         token.accessTokenResponseHandler(new AccessTokenResponseHandler()))
                                 .oidc(Customizer.withDefaults())    // Enable OpenID Connect 1.0
@@ -58,14 +72,47 @@ SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) th
                                 new LoginUrlAuthenticationEntryPoint("/login"),
                                 new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
                         )
+                );
+
+        return http.build();
+    }
+
+    @Bean
+    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .authorizeHttpRequests(authorize ->
+                        authorize
+                                .requestMatchers("/webjars/**", "/assets/**", "/login", "/logged-out").permitAll()
+                                .anyRequest().authenticated()
+                )
+                .formLogin(formLogin ->
+                        formLogin
+                                .loginPage("/login")
                 )
-                // Accept access tokens for User Info and/or Client Registration
-                .oauth2ResourceServer((resourceServer) -> resourceServer
-                        .jwt(Customizer.withDefaults()));
+                .oauth2Login(oauth2Login ->
+                        oauth2Login
+                                .loginPage("/login")
+                                .successHandler(authenticationSuccessHandler())
+                );
 
         return http.build();
     }
 
+    private AuthenticationSuccessHandler authenticationSuccessHandler() {
+        return new FederatedIdentityAuthenticationSuccessHandler();
+    }
+
+    // @formatter:off
+    @Bean
+    public UserDetailsService users() {
+        UserDetails user = User.withDefaultPasswordEncoder()
+                .username("user")
+                .password("password")
+                .roles("USER")
+                .build();
+        return new InMemoryUserDetailsManager(user);
+    }
+
     @Bean
     public RegisteredClientRepository registeredClientRepository() {
         // @formatter:off
@@ -140,12 +187,28 @@ public RegisteredClientRepository registeredClientRepository() {
     }
 
     @Bean
-    public OAuth2TokenCustomizer<JwtEncodingContext> jwtTokenCustomizer() {
-        return (context) -> {
-            if (context.getTokenType().equals(OAuth2TokenType.ACCESS_TOKEN)) {
-                Set<String> authorities = AuthorityUtils.authorityListToSet(context.getPrincipal().getAuthorities());
-                context.getClaims().claim("authorities", authorities);
-            }
-        };
+    public AuthorizationServerSettings authorizationServerSettings() {
+        return AuthorizationServerSettings.builder().build();
+    }
+
+    @Bean
+    public OAuth2AuthorizationService authorizationService() {
+        return new InMemoryOAuth2AuthorizationService();
+    }
+
+    @Bean
+    public OAuth2AuthorizationConsentService authorizationConsentService() {
+        return new InMemoryOAuth2AuthorizationConsentService();
+    }
+
+
+    @Bean
+    public SessionRegistry sessionRegistry() {
+        return new SessionRegistryImpl();
+    }
+
+    @Bean
+    public HttpSessionEventPublisher httpSessionEventPublisher() {
+        return new HttpSessionEventPublisher();
     }
 }

my-samples/auth-server-06-OAuth2TokenCustomizer/pom.xml renamed to my-samples/auth-server-05-oauth2-login/pom.xml

@@ -1,5 +1,5 @@
 
-package com.chensoul.config;
+package com.chensoul.support;
 
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;

my-samples/auth-server-05-accessTokenResponseHandler/src/main/java/com/chensoul/AuthServerApplication.java renamed to my-samples/auth-server-05-oauth2-login/src/main/java/com/chensoul/AuthServerApplication.java

@@ -0,0 +1,71 @@
+/*
+ * Copyright 2020-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.chensoul.support;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
+
+import java.io.IOException;
+import java.util.function.Consumer;
+
+/**
+ * An {@link AuthenticationSuccessHandler} for capturing the {@link OidcUser} or
+ * {@link OAuth2User} for Federated Account Linking or JIT Account Provisioning.
+ *
+ * @author Steve Riesenberg
+ * @since 1.1
+ */
+public final class FederatedIdentityAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
+    private static final Logger log = LoggerFactory.getLogger(FederatedIdentityAuthenticationSuccessHandler.class);
+    private final AuthenticationSuccessHandler delegate = new SavedRequestAwareAuthenticationSuccessHandler();
+
+    private Consumer<OAuth2User> oauth2UserHandler = (user) -> {
+        log.info("OAuth2User: {}", user);
+    };
+
+    private Consumer<OidcUser> oidcUserHandler = (user) -> this.oauth2UserHandler.accept(user);
+
+    @Override
+    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
+        if (authentication instanceof OAuth2AuthenticationToken) {
+            if (authentication.getPrincipal() instanceof OidcUser oidcUser) {
+                this.oidcUserHandler.accept(oidcUser);
+            } else if (authentication.getPrincipal() instanceof OAuth2User oauth2User) {
+                this.oauth2UserHandler.accept(oauth2User);
+            }
+        }
+
+        this.delegate.onAuthenticationSuccess(request, response, authentication);
+    }
+
+    public void setOAuth2UserHandler(Consumer<OAuth2User> oauth2UserHandler) {
+        this.oauth2UserHandler = oauth2UserHandler;
+    }
+
+    public void setOidcUserHandler(Consumer<OidcUser> oidcUserHandler) {
+        this.oidcUserHandler = oidcUserHandler;
+    }
+
+}