Note: This document describes the externally exposed interfaces (APIs) of spring-oauth-server. Every API marked public can be called without a token; all other APIs require first obtaining an access_token through authorization (see https://andaily.com/blog/?p=500 for how to pass the access_token with a request).

Get access_token (grant_type=authorization_code) public

Use grant_type=authorization_code to obtain an access_token. An authorization code must be obtained first: the user is sent to the authorization endpoint and the code comes back on the redirect_uri callback. The code is single use.

  • Request URI: /oauth2/token POST

    Request parameters:
    Parameter       Value                Required?   Notes
    client_id       {client_id}          yes
    client_secret   {client_secret}      yes         for confidential clients
    grant_type      authorization_code   yes         fixed value
    code            {code}               yes         the code received on the callback
    redirect_uri    {redirect_uri}       yes         must be identical to the redirect_uri used in the authorization request
    code_verifier   {code_verifier}      with PKCE   required when the authorization request carried a code_challenge
    Request example (the body must be application/x-www-form-urlencoded):
      curl --location 'http://localhost:8080/oauth2/token' \
      --header 'Content-Type: application/x-www-form-urlencoded' \
      --data-urlencode 'client_id=client11' \
      --data-urlencode 'grant_type=authorization_code' \
      --data-urlencode 'redirect_uri=http://localhost:8083/oauth2/callback' \
      --data-urlencode 'code=-VEnyAcEflDxjMh4Hr-6YejZq4Mel5gihFy_FMyotDxLhILeMBQheJkL4mdJ0sKD_C8xpa_sMNGf_I2tYJIVki8a4ktT2QsHojhbV3HpbGLVhJ0qDc8kfXjWt7u_24QO' \
      --data-urlencode 'client_secret=secret22'

    Response
    • Success [200] (expires_in is the lifetime of the access_token in seconds; id_token is present because the openid scope was granted)
      {
        "access_token": "7154afT_cxvLDq1naSg6Aq9ueSFSW8xRr5txryW5MlddRe7nV0RogTYwPsJc_rrRqwaIvLleerLhkjtIN2E2U-4J_BzvYNCsv8BVLqeerCObwgwpP3t__NMMUakzRL2i",
        "refresh_token": "TZ9tzVwE_VLoJxALUSw4A4A0Nj7SLSWXCc69U9rvNmSnqR8Hbz-1m4uHebJWsAK0sa7SDIR4SNXOB3iaM0p1bH_8EBrljoBApQgdYi1uYzcVwYq55OVV2RUHN2BJwfSr",
        "scope": "openid profile",
        "id_token": "eyJraWQiOiJzb3MtZWNjLWtpZDEiLCJhbGciOiJFUzI1NiJ9.eyJzdWIiOiJ1bml0eSIsImF1ZCI6IjZ1ck5MZ1I2b3NrMkU1NmVrcCIsInVwZGF0ZWRfYXQiOiIiLCJhenAiOiI2dXJOTGdSNm9zazJFNTZla3AiLCJhdXRoX3RpbWUiOjE2OTc3MDczNTQsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MCIsIm5pY2tuYW1lIjoiIiwiZXhwIjoxNjk3NzA5MjA4LCJpYXQiOjE2OTc3MDc0MDgsImp0aSI6IjEyNTc0MjU2NTk4MDI2ODY2NzI3NDAwMTMxNjk5NDk0Iiwic2lkIjoidXdwN255RnJwdlNtWmlQS2hCdWVSVFZfcVRKYkN6ZjAyTmYwQTZGN1lrSSJ9.3w-7EY9SwKA-UkXlhDfD2BbSwP6nCSLZxNgKwhkkMY8YPbMkygbj374SmEmsit7NlpRXHCtW6ULZ9_IVZ9MTBg",
        "token_type": "Bearer",
        "expires_in": 3599
      }
    • Error [401]
      {
          "error": "invalid_grant"
      }
      invalid_grant is returned when the code is unknown, expired or already used, when redirect_uri differs from the one in the authorization request, or when code_verifier does not match the code_challenge.
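The steps above, as an added Python example that is not part of spring-oauth-server or this page: it generates a PKCE code_verifier/code_challenge, builds the authorization redirect and the form-encoded token request, and then decodes the id_token from the 200 response above and checks its claims. The authorization endpoint path /oauth2/authorize is an assumption (the page only names /oauth2/token); the client id, redirect_uri and id_token are the page's own values. The ES256 signature of the id_token is deliberately not verified here because the page does not give the key or JWKS location; a real client must verify it against the key named by the header's kid before trusting any claim.

```python
import base64
import hashlib
import json
import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# From the page: token endpoint and the client/redirect_uri of the curl example.
TOKEN_URL = "http://localhost:8080/oauth2/token"
CLIENT_ID = "client11"
REDIRECT_URI = "http://localhost:8083/oauth2/callback"
# Assumption (not on the page): path of the authorization endpoint.
AUTHORIZE_URL = "http://localhost:8080/oauth2/authorize"

# Sample input: the id_token from the 200 response above. Its aud is the client
# 6urNLgR6osk2E56ekp rather than client11, so the claim check uses that id.
SAMPLE_ID_TOKEN = (
    "eyJraWQiOiJzb3MtZWNjLWtpZDEiLCJhbGciOiJFUzI1NiJ9."
    "eyJzdWIiOiJ1bml0eSIsImF1ZCI6IjZ1ck5MZ1I2b3NrMkU1NmVrcCIsInVwZGF0ZWRfYXQiOiIiLCJhenAiOiI2dXJOTGdSNm9zazJFNTZla3AiLCJhdXRoX3RpbWUiOjE2OTc3MDczNTQsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6ODA4MCIsIm5pY2tuYW1lIjoiIiwiZXhwIjoxNjk3NzA5MjA4LCJpYXQiOjE2OTc3MDc0MDgsImp0aSI6IjEyNTc0MjU2NTk4MDI2ODY2NzI3NDAwMTMxNjk5NDk0Iiwic2lkIjoidXdwN255RnJwdlNtWmlQS2hCdWVSVFZfcVRKYkN6ZjAyTmYwQTZGN1lrSSJ9."
    "3w-7EY9SwKA-UkXlhDfD2BbSwP6nCSLZxNgKwhkkMY8YPbMkygbj374SmEmsit7NlpRXHCtW6ULZ9_IVZ9MTBg"
)


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 and JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce(code_verifier: Optional[str] = None) -> Tuple[str, str]:
    """(code_verifier, code_challenge) for the S256 method; a fresh verifier
    is 32 random bytes, i.e. 43 url-safe characters."""
    if code_verifier is None:
        code_verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return code_verifier, challenge


def authorize_url(state: str, nonce: str, code_challenge: str, scope: str = "openid profile") -> str:
    """Where to send the browser: state ties the callback to this session, nonce
    ties the id_token to it, code_challenge ties the code to our verifier."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state, "nonce": nonce,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    })


def token_request(code: str, code_verifier: str, client_secret: str):
    """POST /oauth2/token as (url, headers, form-urlencoded body)."""
    body = urlencode({
        "grant_type": "authorization_code", "client_id": CLIENT_ID,
        "client_secret": client_secret, "code": code,
        "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier,
    }).encode("ascii")
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload of a compact JWS. The signature is NOT checked here:
    verify it with the server's key for header['kid'] before trusting claims."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_id_token_claims(payload: dict, issuer: str, client_id: str, now: int,
                          nonce: Optional[str] = None) -> List[str]:
    """Claim checks of OIDC Core 3.1.3.7; an empty list means acceptable."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        problems.append("aud does not contain client_id")
    if len(aud) > 1 and payload.get("azp") != client_id:
        problems.append("azp mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        problems.append("token expired")
    if nonce is not None and payload.get("nonce") != nonce:
        problems.append("nonce mismatch")
    return problems
```

The page's id_token carries no nonce claim because the request that produced it sent none; pass the nonce you sent in authorize_url to check_id_token_claims and the check fails if the server omits or changes it.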


Get access_token (grant_type=client_credentials) public

Use grant_type=client_credentials to obtain an access_token for the client itself; no username or password is involved, so the token represents the client, not a user.

  • Request URI: /oauth2/token POST

    Request parameters:
    Parameter       Value                Required?   Notes
    client_id       {client_id}          yes
    client_secret   {client_secret}      yes
    grant_type      client_credentials   yes         fixed value
    scope           {scope}              optional    e.g. openid
    Request example (the body must be application/x-www-form-urlencoded):
    curl --location 'http://localhost:8080/oauth2/token' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=6urNLgR6osk2E56ekp' \
    --data-urlencode 'client_secret=6urNLgR6osk2E56ekp' \
    --data-urlencode 'grant_type=client_credentials' \
    --data-urlencode 'scope=openid profile'

    Response
    • Success [200] (no refresh_token is issued for this grant; request a new token when expires_in runs out)
      {
          "access_token": "p2i1WHiiFBCgTJFTs63OvO9-bclB9DbsgsebDo_ntMw_BAleu2RzIQzzFfaaJAR5oiL3xwN3xMyNTRZSrXM_1ANycleysPU5l3xuZ0aQX4V-Va178qg6e-PvLqLBsD_i",
          "scope": "openid profile",
          "token_type": "Bearer",
          "expires_in": 3599
      }
    • Error [401] (unknown client_id or wrong client_secret)
      {
          "error": "invalid_client"
      }
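Because this grant returns no refresh_token, a service calling the API must re-request a token itself before expires_in runs out. The following is an added Python example, not code from spring-oauth-server or this page: a small token source that fetches with grant_type=client_credentials, caches the token and refetches shortly before expiry, and treats a non-200 answer such as the invalid_client error above as a hard failure. It authenticates with the Authorization: Basic header by default (client_secret_basic); whether this server's client is registered for that method is an assumption, and basic_auth=False falls back to the form parameters shown in the curl example. The HTTP transport is injectable so the canned responses below (copied from the page) can be used offline.

```python
import base64
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple
from urllib.parse import quote, urlencode

TOKEN_URL = "http://localhost:8080/oauth2/token"

# transport(url, body, headers) -> (http status, response body); a fake is used offline.
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def urllib_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real HTTP transport; the offline test never calls it."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ClientCredentialsTokenSource:
    """Fetches an access_token with grant_type=client_credentials and caches it
    until `skew` seconds before expires_in elapses."""

    def __init__(self, client_id: str, client_secret: str, scope: str,
                 transport: Transport = urllib_transport, clock=time.time,
                 skew: int = 30, basic_auth: bool = True):
        self.client_id, self.client_secret, self.scope = client_id, client_secret, scope
        self.transport, self.clock, self.skew, self.basic_auth = transport, clock, skew, basic_auth
        self.requests_made = 0
        self._token = None
        self._expires_at = 0.0

    def _fetch(self) -> str:
        params = {"grant_type": "client_credentials", "scope": self.scope}
        headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
        if self.basic_auth:
            # client_secret_basic (RFC 6749 2.3.1): id and secret are form-urlencoded, then base64'd.
            cred = quote(self.client_id, safe="") + ":" + quote(self.client_secret, safe="")
            headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
        else:
            # client_secret_post, as in the curl example above.
            params.update(client_id=self.client_id, client_secret=self.client_secret)
        self.requests_made += 1
        status, raw = self.transport(TOKEN_URL, urlencode(params).encode("ascii"), headers)
        data = json.loads(raw)
        if status != 200 or "error" in data:
            raise PermissionError(f"token request failed ({status}): {data.get('error')}")
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
        self._token = data["access_token"]
        # refetch `skew` seconds early so a token never reaches the API already expired
        self._expires_at = self.clock() + int(data["expires_in"]) - self.skew
        return self._token

    def token(self) -> str:
        if self._token is None or self.clock() >= self._expires_at:
            return self._fetch()
        return self._token


# Constructed canned responses, copied from the page, for offline use.
OK_RESPONSE = json.dumps({
    "access_token": "p2i1WHiiFBCgTJFTs63OvO9-bclB9DbsgsebDo_ntMw_BAleu2RzIQzzFfaaJAR5oiL3xwN3xMyNTRZSrXM_1ANycleysPU5l3xuZ0aQX4V-Va178qg6e-PvLqLBsD_i",
    "scope": "openid profile", "token_type": "Bearer", "expires_in": 3599}).encode("ascii")
INVALID_CLIENT = b'{"error": "invalid_client"}'


def fake_transport(status: int, body: bytes) -> Transport:
    """Transport that ignores the request and returns a canned response."""
    return lambda url, req_body, headers: (status, body)
```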

Get access_token (RESTful API) public

RESTful API for obtaining an access_token from a JSON body; applies to grant_type authorization_code, password, refresh_token and client_credentials.

  • Request URI: /oauth/rest_token POST (REST)

    Content-Type: application/json

    Request body parameters:
    Parameter       Value             Required?                Notes
    grant_type      {grant_type}      yes                      authorization_code, password, refresh_token or client_credentials
    scope           {scope}           optional                 read or write
    client_id       {client_id}       yes
    client_secret   {client_secret}   yes
    username        {username}        for grant_type=password  the resource owner's username
    password        {password}        for grant_type=password  the resource owner's password
    Request body examples:

    {"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read","username":"mobile","password":"mobile"}

    {"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read"}
    (the second body omits username and password, which the table above requires for grant_type=password)


    Response
    • Success [200]
      {"access_token":"e2996930-8398-44fd-8de5-7d1b1624ced7","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43008,"scope":"read"}

    • Error [401] (wrong or missing user credentials)
      {"error":"invalid_grant","error_description":"Bad credentials"}
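An added Python example for this endpoint, not code from spring-oauth-server: it checks a JSON token request against the parameter table above before sending it, so a body like the second example (grant_type=password without username/password) is rejected locally instead of producing the 401 above, and it maps the server's 200 and 401 answers to a token set or an error. The username/password rule is the page's; the parameters assumed for the other grants (code and redirect_uri for authorization_code, refresh_token for refresh_token) are the standard RFC 6749 names and an assumption about this endpoint. The transport is any callable transport(url, body, headers) -> (status, body); the test uses canned responses copied from the page.

```python
import json
from typing import Callable, Dict, List, Tuple

# Page: /oauth/rest_token; the host is the one used in the other examples.
REST_TOKEN_URL = "http://localhost:8080/oauth/rest_token"

# Parameters each grant needs beyond client_id, client_secret and grant_type.
# username/password come from the table above; the other names are the RFC 6749
# parameters for those grants (assumed to apply to this endpoint too).
EXTRA_REQUIRED = {
    "password": ("username", "password"),
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
    "client_credentials": (),
}
ALLOWED_SCOPES = {"read", "write"}

Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def validate_rest_token_body(body: str) -> List[str]:
    """Problems with a JSON token request; an empty list means it is well-formed."""
    try:
        data = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(data, dict):
        return ["body must be a JSON object"]
    problems = [f"missing {k}" for k in ("client_id", "client_secret", "grant_type") if not data.get(k)]
    grant = data.get("grant_type")
    if grant not in EXTRA_REQUIRED:
        return problems + [f"unsupported grant_type: {grant!r}"]
    problems += [f"missing {k} (required for grant_type={grant})"
                 for k in EXTRA_REQUIRED[grant] if not data.get(k)]
    for s in str(data.get("scope", "")).split():
        if s not in ALLOWED_SCOPES:
            problems.append(f"unknown scope: {s}")
    return problems


def send_rest_token_request(body: str, transport: Transport) -> dict:
    """POST the JSON body. Returns the token set on 200; raises ValueError for a
    malformed request and PermissionError carrying the server's error otherwise."""
    problems = validate_rest_token_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    status, raw = transport(REST_TOKEN_URL, body.encode("utf-8"), headers)
    data = json.loads(raw)
    if status != 200 or "error" in data:
        raise PermissionError(f"{data.get('error')}: {data.get('error_description', '')}")
    for k in ("access_token", "token_type", "expires_in"):
        if k not in data:
            raise ValueError(f"token response lacks {k}")
    return data


# Constructed from the page's examples.
GOOD_BODY = '{"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read","username":"mobile","password":"mobile"}'
INCOMPLETE_BODY = '{"client_id":"test1234","client_secret":"test1234","grant_type":"password","scope":"read"}'
OK_RESPONSE = b'{"access_token":"e2996930-8398-44fd-8de5-7d1b1624ced7","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43008,"scope":"read"}'
BAD_CREDENTIALS = b'{"error":"invalid_grant","error_description":"Bad credentials"}'
```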

Check access_token public

Checks whether an access_token is valid and returns the claims attached to it (token introspection for resource servers).

  • Request URI: /oauth/check_token POST

    Request parameters:
    Parameter   Value            Required?   Notes
    token       {access_token}   yes         the access_token to check
    client_id   {client_id}                  the client the token was issued to
    Request example (the parameters may also be sent in the POST form body, which keeps the token out of URL and proxy logs):

    http://localhost:8080/spring-oauth-server/oauth/check_token?token=e2996930-8398-44fd-8de5-7d1b1624ced7&client_id=mobile-client


    Response
    • Success [200] (exp is a Unix timestamp in seconds; aud lists the resource ids the token is valid for)
      {"aud":["mobile-resource"],"exp":1505878459,"user_name":"mobile","authorities":["ROLE_MOBILE","ROLE_USER"],"client_id":"mobile-client","scope":["read","write"]}

    • Error [401] (token unknown, expired or revoked)
      {"error":"invalid_token","error_description":"Token was not recognised"}
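A 200 from /oauth/check_token only says the token exists; a resource server still has to check that it is unexpired, was issued for this resource (aud) and carries the scopes the endpoint needs. The following added Python example (not code from spring-oauth-server or this page) builds the check request with the token in the POST body and applies those checks to the two responses shown above; the resource id mobile-resource and the required scopes are taken from the example response, the rejection behaviour is this example's own.

```python
import json
import time
from typing import Iterable, Optional
from urllib.parse import urlencode

CHECK_TOKEN_URL = "http://localhost:8080/spring-oauth-server/oauth/check_token"


def check_token_request(access_token: str, client_id: str):
    """POST to /oauth/check_token with the token in the form body rather than
    the query string, so it does not land in access logs. Returns (url, headers, body)."""
    body = urlencode({"token": access_token, "client_id": client_id}).encode("ascii")
    return CHECK_TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


class TokenRejected(Exception):
    def __init__(self, error: str, description: str = ""):
        super().__init__(f"{error}: {description}" if description else error)
        self.error = error


def accept_check_token_response(status: int, body: bytes, *, resource_id: str,
                                required_scopes: Iterable[str] = (), now: Optional[int] = None) -> dict:
    """Decide, as the resource server, whether the introspected token may be used.

    A 200 alone is not enough: the token must not be expired, must have been issued
    for this resource (aud) and must carry every scope the endpoint needs."""
    now = int(time.time()) if now is None else now
    data = json.loads(body)
    if status != 200 or "error" in data:
        raise TokenRejected(data.get("error", "invalid_token"), data.get("error_description", ""))
    exp = data.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("invalid_token", "token expired")
    if resource_id not in (data.get("aud") or []):
        raise TokenRejected("invalid_token", f"token not issued for resource {resource_id}")
    missing = set(required_scopes) - set(data.get("scope") or [])
    if missing:
        raise TokenRejected("insufficient_scope", "missing " + " ".join(sorted(missing)))
    return {
        "user_name": data.get("user_name"),      # absent for client_credentials tokens
        "client_id": data.get("client_id"),
        "authorities": list(data.get("authorities") or []),
        "scope": list(data.get("scope") or []),
    }


# Constructed from the two responses shown above.
OK_BODY = b'{"aud":["mobile-resource"],"exp":1505878459,"user_name":"mobile","authorities":["ROLE_MOBILE","ROLE_USER"],"client_id":"mobile-client","scope":["read","write"]}'
UNKNOWN_BODY = b'{"error":"invalid_token","error_description":"Token was not recognised"}'
```

insufficient_scope is kept distinct from invalid_token so the caller can answer 403 with the missing scope instead of 401, which is what RFC 6750 section 3.1 expects.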


Refresh access_token (grant_type=refresh_token) public

Exchanges a refresh_token for a new access_token when the current one is about to expire (the client must be registered with refresh_token among its grant types).

  • Request URI: /oauth/token POST

    Request parameters:
    Parameter       Value             Required?   Notes
    client_id       {client_id}       yes
    client_secret   {client_secret}   yes
    grant_type      refresh_token     yes         fixed value
    refresh_token   {refresh_token}   yes         the refresh_token received with the access_token
    Request example (sending client_secret and refresh_token in the POST form body instead of the query string keeps them out of URL and proxy logs):

    http://localhost:8080/spring-oauth-server/oauth/token?client_id=test1234&client_secret=test1234&grant_type=refresh_token&refresh_token=1156ebfe-e303-4572-9fb5-4459a5d46610


    Response
    • Success [200] (the same refresh_token is returned, so it stays valid for the next refresh)
      {"access_token":"b12cace6-7ce4-4fa8-b127-cf537d15b213","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43199,"scope":"read"}

    • Error [401] (refresh_token unknown, expired or revoked; the user must authorize again)
      {"error":"invalid_grant","error_description":"Invalid refresh token: 1156ebfe-e303-4572-9fb5-4459a5d46610"}
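The refresh cycle above, as an added Python example that is not part of spring-oauth-server or this page: a token set records when the access_token expires, the client decides when to refresh with a safety margin, builds the refresh POST with the credentials in the form body, and, on the invalid_grant error shown above, discards the refresh_token and signals that the user must authorize again. The sample responses are the page's; the 60-second margin and the handling of a response without a refresh_token are this example's choices.

```python
import json
from typing import Optional
from urllib.parse import urlencode

TOKEN_URL = "http://localhost:8080/spring-oauth-server/oauth/token"


class ReauthorizationRequired(Exception):
    """The refresh_token is unusable (invalid_grant); start the authorization flow again."""


class TokenSet:
    def __init__(self, token_response: dict, obtained_at: float):
        self.access_token: str = token_response["access_token"]
        self.refresh_token: Optional[str] = token_response.get("refresh_token")
        self.scope: str = token_response.get("scope", "")
        self.expires_at: float = obtained_at + int(token_response["expires_in"])

    def needs_refresh(self, now: float, skew: float = 60) -> bool:
        """True when the access_token is expired or expires within `skew` seconds."""
        return now >= self.expires_at - skew


def refresh_request(tokens: TokenSet, client_id: str, client_secret: str):
    """(url, headers, body) for the refresh POST. Credentials and refresh_token go
    in the form body, not the query string as in the URL example above."""
    if not tokens.refresh_token:
        raise ReauthorizationRequired("no refresh_token was issued for this token set")
    body = urlencode({"grant_type": "refresh_token", "refresh_token": tokens.refresh_token,
                      "client_id": client_id, "client_secret": client_secret}).encode("ascii")
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def apply_refresh_response(old: TokenSet, status: int, body: bytes, now: float) -> TokenSet:
    """Turn the server's answer into the next TokenSet, or raise."""
    data = json.loads(body)
    if status != 200 or "error" in data:
        if data.get("error") == "invalid_grant":
            # refresh_token expired, revoked or unknown: it is useless now, so re-authorize
            raise ReauthorizationRequired(data.get("error_description", "invalid_grant"))
        raise RuntimeError(f"refresh failed ({status}): {data.get('error')}")
    new = TokenSet(data, now)
    if new.refresh_token is None:
        new.refresh_token = old.refresh_token   # server did not rotate the refresh_token
    return new


# Constructed from the page's responses.
INITIAL = {"access_token": "e2996930-8398-44fd-8de5-7d1b1624ced7", "token_type": "bearer",
           "refresh_token": "2b2de701-53e7-4b57-8301-e4a06ee49698", "expires_in": 43008, "scope": "read"}
REFRESHED = b'{"access_token":"b12cace6-7ce4-4fa8-b127-cf537d15b213","token_type":"bearer","refresh_token":"2b2de701-53e7-4b57-8301-e4a06ee49698","expires_in":43199,"scope":"read"}'
REJECTED = b'{"error":"invalid_grant","error_description":"Invalid refresh token: 1156ebfe-e303-4572-9fb5-4459a5d46610"}'
```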

Get the current user's information (ROLE_UNITY)

Returns the information of the user the access_token was issued to; the token must carry the ROLE_UNITY authority.

  • Request URI: /unity/user_info GET

    Request parameters: none besides the access_token (passed as a query parameter in the example, or as described in the link at the top of this document)
    Request example:

    http://localhost:8080/spring-oauth-server/unity/user_info?access_token=b12cace6-7ce4-4fa8-b127-cf537d15b213


    Response
    • Success [200]
      {"guid":"55b713df1c6f423e842ad68668523c49","archived":false,"username":"unity","phone":"","email":"unity@wdcy.cc","privileges":["UNITY"]}

    • Error [401] (note that this error body is XML, not JSON)
      <oauth><error_description>Invalid access token: 2c612eb7-a22b-45f0-8b2e-cd6f9e3667722</error_description><error>invalid_token</error></oauth>


Get the current user's information (ROLE_MOBILE)

Returns the information of the user the access_token was issued to; the token must carry the ROLE_MOBILE authority.

  • Request URI: /m/user_info GET

    Request parameters: none besides the access_token (passed as a query parameter in the example, or as described in the link at the top of this document)
    Request example:

    http://localhost:8080/spring-oauth-server/m/user_info?access_token=b12cace6-7ce4-4fa8-b127-cf537d15b213


    Response
    • Success [200]
      {"guid":"612025cb3f964a64a48bbdf77e53c2c1","archived":false,"username":"mobile","phone":"","email":"mobile@wdcy.cc","privileges":["MOBILE"]}

    • Error [401] (note that this error body is XML, not JSON)
      <oauth><error_description>Invalid access token: 2c612eb7-a22b-45f0-8b2e-cd6f9e3667722</error_description><error>invalid_token</error></oauth>
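Both user_info endpoints above answer success as JSON and the 401 as an XML <oauth> element, so a client has to handle both shapes. The following added Python example (not code from spring-oauth-server or this page) builds the request with the token in the Authorization: Bearer header rather than the access_token query parameter of the examples, parses either error body into (error, error_description), and extracts the privileges from a success response. The two endpoint paths and the sample bodies are the page's; treating the Bearer header as accepted by these endpoints is an assumption, and the use of ElementTree for the error XML is fine here because the body comes from the authorization server itself (for XML from untrusted parties use defusedxml).

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

BASE_URL = "http://localhost:8080/spring-oauth-server"
USER_INFO_PATHS = {"ROLE_UNITY": "/unity/user_info", "ROLE_MOBILE": "/m/user_info"}


class OAuthError(Exception):
    def __init__(self, status: int, error: str, description: str):
        super().__init__(f"{status} {error}: {description}")
        self.status, self.error, self.description = status, error, description


def user_info_request(role: str, access_token: str) -> Tuple[str, Dict[str, str]]:
    """GET for the user_info endpoint of the given role, with the token in the
    Authorization header instead of the URL (assumed to be accepted, see lead-in)."""
    return BASE_URL + USER_INFO_PATHS[role], {"Authorization": "Bearer " + access_token,
                                              "Accept": "application/json"}


def parse_error_body(body: str) -> Tuple[str, str]:
    """Error bodies arrive as JSON or, as in the examples above, as
    <oauth><error_description>..</error_description><error>..</error></oauth>."""
    text = body.strip()
    if text.startswith("<"):
        root = ET.fromstring(text)
        return root.findtext("error", "invalid_token"), root.findtext("error_description", "")
    data = json.loads(text)
    return str(data.get("error", "invalid_token")), str(data.get("error_description", ""))


def parse_user_info_response(status: int, body: str) -> dict:
    """Return the user's identity and privileges, or raise OAuthError on any non-200."""
    if status != 200:
        error, description = parse_error_body(body)
        raise OAuthError(status, error, description)
    data = json.loads(body)
    return {"username": data["username"], "guid": data.get("guid"),
            "archived": bool(data.get("archived", False)),
            "privileges": list(data.get("privileges") or [])}


def has_privilege(info: dict, privilege: str) -> bool:
    """Assumed policy for this example: archived accounts have no privileges."""
    return not info["archived"] and privilege in info["privileges"]


# Constructed from the page's responses.
UNITY_OK = '{"guid":"55b713df1c6f423e842ad68668523c49","archived":false,"username":"unity","phone":"","email":"unity@wdcy.cc","privileges":["UNITY"]}'
XML_ERROR = '<oauth><error_description>Invalid access token: 2c612eb7-a22b-45f0-8b2e-cd6f9e3667722</error_description><error>invalid_token</error></oauth>'
```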


© 2013 - 2023 spring-oauth-server