
[OAuth2] V. OAuth2LoginAuthenticationFilter

2022-07-26 13:29:00 Beicheng Xiaolin

I. OAuth2LoginAuthenticationFilter

When Gitee has processed the OAuth2 authorization request, it sends the browser a 302 redirect to the redirect_uri. Because the callback path by default matches /login/oauth2/code/*, that request is intercepted and handled by the OAuth2LoginAuthenticationFilter.

II. Structure of OAuth2LoginAuthenticationFilter


1. `DEFAULT_FILTER_PROCESSES_URI = "/login/oauth2/code/*";`

The default intercept path.

2. `ClientRegistrationRepository`

Client registration information.

3. `OAuth2AuthorizedClientRepository`

Repository of authorized OAuth2 clients.

4. `AuthorizationRequestRepository authorizationRequestRepository`

Loads (and removes) the pending OAuth2 authorization request from the HTTP request; by default it is kept in the HttpSession.

5. `Converter<OAuth2LoginAuthenticationToken, OAuth2AuthenticationToken> authenticationResultConverter`

Token converter.

III. OAuth2 login authentication logic

The core of OAuth2LoginAuthenticationFilter is the attemptAuthentication method. It mainly implements the following logic:

  1. Check logic
  • Verify that the request is a response to an authorization request.
  • Verify that the corresponding authorization request really exists, to prevent forgery.
  • Verify that the OAuth2 client of the current authorization request is valid.
  2. Assemble an OAuth2LoginAuthenticationToken and hand it to OAuth2LoginAuthenticationProvider for authentication.
  3. Convert the authenticated OAuth2LoginAuthenticationToken to an OAuth2AuthenticationToken through the authenticationResultConverter function.
  4. Initialize the authenticated OAuth2 client object OAuth2AuthorizedClient and persist it.
  5. Return the OAuth2AuthenticationToken generated in step 3.

IV. OAuth2LoginAuthenticationProvider

1. Spring Security's authentication system

2. AuthenticationProvider

Spring Security supports 17 authentication methods by default.

3. AuthenticationProviders corresponding to OAuth2LoginAuthenticationToken

  • OAuth2LoginAuthenticationProvider, for ordinary OAuth2 login authentication.
  • OidcAuthorizationCodeAuthenticationProvider, for OIDC authentication.

4. OAuth2LoginAuthenticationProvider

OAuth2LoginAuthenticationProvider is responsible for authenticating the authorization code credential against the authorization server's token endpoint (token-uri). If the credential is valid, it is exchanged for an access token credential, an OAuth2AccessToken.
It also uses an OAuth2UserService to fetch the end user's (resource owner's) information from the user info endpoint (user-info-uri), and turns that information into an OAuth2User to create the Principal. The OAuth2User is then associated with the OAuth2LoginAuthenticationToken to complete authentication. The flow chart is as follows:
From the above description and flow chart, we can summarize the following two key points:

V. OAuth2AuthorizationCodeAuthenticationProvider

Inside OAuth2LoginAuthenticationProvider there is also an OAuth2AuthorizationCodeAuthenticationProvider. It is responsible for authenticating the authorization code credential against the authorization server's token endpoint.

  • Authenticate the authorization code
    First, extract the OAuth2AuthorizationResponse from the OAuth2AuthorizationExchange held in the OAuth2AuthorizationCodeAuthenticationToken and check whether it is an OAuth2 error response.

If it is not, compare its state value with the state of the authorization request object OAuth2AuthorizationRequest: in OAuth2, the state sent with the authorization request and the state returned with the response must match.

  • Obtain the OAuth2AccessToken
    This goes through an OAuth2AccessTokenResponseClient, whose underlying implementation is a RestTemplate that wraps the request to the OAuth2 token-uri. We will customize this interface later, in WeChat OAuth2 web authorization.

  • Obtain the OAuth2User
    Once the OAuth2AccessToken has been obtained, control returns to OAuth2LoginAuthenticationProvider. With the token in hand you can naturally call the user information endpoint user-info-uri; Spring Security abstracts this step as the OAuth2UserService interface.

In most cases the underlying implementation of this interface is also a RestTemplate. In real development OAuth2UserService will most likely need to be customized; we will also customize this interface later, in WeChat OAuth2 web authorization.
Extra logic
This is the end of OAuth2LoginAuthenticationProvider's work. What is handled afterwards is the logic of AbstractAuthenticationProcessingFilter, which is the same flow as Form Login. What needs to be emphasized is that the authenticated OAuth2 client object is stored, and the currently authenticated OAuth2AuthenticationToken is saved in the security context, the SecurityContext.
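To make the check logic of section III and the state comparison of section V concrete, here is an added, self-contained Java model of the callback validation; it is not Spring Security's code. The names CallbackChecks, PendingRequest, sessionStore, knownRegistrations and validateCallback are hypothetical stand-ins for the filter's AuthorizationRequestRepository and ClientRegistrationRepository lookups, and the query maps are constructed callback parameters.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Hypothetical model of the callback checks; not Spring Security's own code. */
public class CallbackChecks {

    /** The parts of a pending OAuth2AuthorizationRequest the checks need (constructed). */
    record PendingRequest(String state, String registrationId) {}

    /** Stand-in for AuthorizationRequestRepository (Spring keeps this in the HttpSession by default). */
    static final Map<String, PendingRequest> sessionStore = new HashMap<>();
    /** Stand-in for ClientRegistrationRepository: registration ids this application knows. */
    static final Set<String> knownRegistrations = Set.of("gitee");

    /** Returns the rejection reason, or empty if the callback may proceed to the code exchange. */
    static Optional<String> validateCallback(Map<String, String> query) {
        // 1. Is this an authorization response at all? It needs state plus either code or error.
        boolean hasCode = query.containsKey("code"), hasError = query.containsKey("error");
        if (!query.containsKey("state") || !(hasCode || hasError)) {
            return Optional.of("not an authorization response");
        }
        // 2. Does a pending request exist for this state? Remove it so the callback cannot be replayed.
        PendingRequest pending = sessionStore.remove(query.get("state"));
        if (pending == null) {
            return Optional.of("authorization_request_not_found"); // forged or stale callback
        }
        // 3. Is the client registration the request was issued for still known?
        if (!knownRegistrations.contains(pending.registrationId())) {
            return Optional.of("client_registration_not_found");
        }
        // 4. The authorization server reported an error instead of issuing a code.
        if (hasError) {
            return Optional.of("authorization server error: " + query.get("error"));
        }
        return Optional.empty(); // proceed: build the token and hand it to the provider
    }

    public static void main(String[] args) {
        sessionStore.put("abc123", new PendingRequest("abc123", "gitee"));
        // Constructed callback query parameters: a genuine response, then one with an unknown state.
        Map<String, String> genuine = Map.of("code", "c0de", "state", "abc123");
        Map<String, String> forged = Map.of("code", "c0de", "state", "zzz999");
        System.out.println("genuine -> " + validateCallback(genuine).orElse("ok"));
        System.out.println("forged  -> " + validateCallback(forged).orElse("ok"));
        System.out.println("replay  -> " + validateCallback(genuine).orElse("ok"));
    }
}
```

The third call shows why the pending request is removed on first use: replaying the genuine callback fails with authorization_request_not_found, which is also what a forged state produces.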

Copyright notice
This article was written by [Beicheng Xiaolin]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/207/202207261320257752.html