|
|
|
|
<!DOCTYPE HTML>
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<meta charset="utf-8"/>
|
|
|
|
|
<title>数据库表说明(oauth.ddl)</title>
|
|
|
|
|
<link href="http://cdn.bootcss.com/bootstrap/3.3.4/css/bootstrap.min.css" rel="stylesheet"/>
|
|
|
|
|
</head>
|
|
|
|
|
<body>
|
|
|
|
|
<div class="container">
|
|
|
|
|
<h2>spring-oauth-server 数据库表说明</h2>
|
|
|
|
|
|
|
|
|
|
<p>以下对<a target="_blank"
|
|
|
|
|
href="http://git.oschina.net/shengzhao/spring-oauth-server">spring-oauth-server</a>项目中的<code>oauth.ddl</code>文件(位于/others/database目录)中的表字及段进行说明,
|
|
|
|
|
内容包括字段说明与使用场合</p>
|
|
|
|
|
<table class="table table-bordered table-hover">
|
|
|
|
|
<thead>
|
|
|
|
|
<tr>
|
|
|
|
|
<th style="width:15%;">表名</th>
|
|
|
|
|
<th style="width: 15%">字段名</th>
|
|
|
|
|
<th>字段说明</th>
|
|
|
|
|
</tr>
|
|
|
|
|
</thead>
|
|
|
|
|
<tbody>
|
|
|
|
|
<tr>
|
|
|
|
|
<td rowspan="13">oauth_client_details</td>
|
|
|
|
|
<td>client_id</td>
|
|
|
|
|
<td>
|
|
|
|
|
主键,必须唯一,不能为空.
|
|
|
|
|
<br/>
|
|
|
|
|
用于唯一标识每一个客户端(client); 在注册时必须填写(也可由服务端自动生成).
|
|
|
|
|
<br/>
|
|
|
|
|
对于不同的grant_type,该字段都是必须的. 在实际应用中的另一个名称叫appKey,与client_id是同一个概念.
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>resource_ids</td>
|
|
|
|
|
<td>
|
|
|
|
|
客户端所能访问的资源id集合,多个资源时用逗号(,)分隔,如: "unity-resource,mobile-resource".
|
|
|
|
|
<br/>
|
|
|
|
|
该字段的值必须来源于与<code>security.xml</code>中标签<code>‹oauth2:resource-server</code>的属性<code>resource-id</code>值一致.
|
|
|
|
|
在<code>security.xml</code>配置有几个<code>‹oauth2:resource-server</code>标签, 则该字段可以使用几个该值.
|
|
|
|
|
<br/>
|
|
|
|
|
在实际应用中, 我们一般将资源进行分类,并分别配置对应的<code>‹oauth2:resource-server</code>,如订单资源配置一个<code>‹oauth2:resource-server</code>,
|
|
|
|
|
用户资源又配置一个<code>‹oauth2:resource-server</code>. 当注册客户端时,根据实际需要可选择资源id,也可根据不同的注册流程,赋予对应的资源id.
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>client_secret</td>
|
|
|
|
|
<td>
|
|
|
|
|
用于指定客户端(client)的访问密匙; 在注册时必须填写(也可由服务端自动生成).
|
|
|
|
|
<br/>
|
|
|
|
|
对于不同的grant_type,该字段都是必须的. 在实际应用中的另一个名称叫appSecret,与client_secret是同一个概念.
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>scope</td>
|
|
|
|
|
<td>
|
|
|
|
|
指定客户端申请的权限范围,可选值包括<em>read</em>,<em>write</em>,<em>trust</em>;若有多个权限范围用逗号(,)分隔,如: "read,write".
|
|
|
|
|
<br/>
|
|
|
|
|
scope的值与<code>security.xml</code>中配置的<code>‹intercept-url</code>的<code>access</code>属性有关系.
|
|
|
|
|
如<code>‹intercept-url</code>的配置为
|
|
|
|
|
<pre>‹intercept-url pattern="/m/**" access="ROLE_MOBILE,SCOPE_READ"/></pre>
|
|
|
|
|
则说明访问该URL时的客户端必须有<em>read</em>权限范围.
|
|
|
|
|
<em>write</em>的配置值为<em>SCOPE_WRITE</em>, <em>trust</em>的配置值为<em>SCOPE_TRUST</em>.
|
|
|
|
|
<br/>
|
|
|
|
|
在实际应该中, 该值一般由服务端指定, 常用的值为<em>read,write</em>.
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authorized_grant_types</td>
|
|
|
|
|
<td>
|
|
|
|
|
指定客户端支持的grant_type,可选值包括<em>authorization_code</em>,<em>password</em>,<em>refresh_token</em>,<em>implicit</em>,<em>client_credentials</em>,
|
|
|
|
|
若支持多个grant_type用逗号(,)分隔,如: "authorization_code,password".
|
|
|
|
|
<br/>
|
|
|
|
|
在实际应用中,当注册时,该字段是一般由服务器端指定的,而不是由申请者去选择的,最常用的grant_type组合有:
|
|
|
|
|
"authorization_code,refresh_token"(针对通过浏览器访问的客户端);
|
|
|
|
|
"password,refresh_token"(针对移动设备的客户端).
|
|
|
|
|
<br/>
|
|
|
|
|
<em>implicit</em>与<em>client_credentials</em>在实际中很少使用.
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>web_server_redirect_uri</td>
|
|
|
|
|
<td>
|
|
|
|
|
客户端的重定向URI,可为空, 当grant_type为<code>authorization_code</code>或<code>implicit</code>时,
|
|
|
|
|
在Oauth的流程中会使用并检查与注册时填写的redirect_uri是否一致. 下面分别说明:
|
|
|
|
|
<ul>
|
|
|
|
|
<li>
|
|
|
|
|
当grant_type=<code>authorization_code</code>时, 第一步 <code>从 spring-oauth-server获取
|
|
|
|
|
'code'</code>时客户端发起请求时必须有<code>redirect_uri</code>参数, 该参数的值必须与
|
|
|
|
|
<code>web_server_redirect_uri</code>的值一致. 第二步 <code>用 'code' 换取 'access_token'</code>
|
|
|
|
|
时客户也必须传递相同的<code>redirect_uri</code>.
|
|
|
|
|
<br/>
|
|
|
|
|
在实际应用中, <em>web_server_redirect_uri</em>在注册时是必须填写的, 一般用来处理服务器返回的<code>code</code>,
|
|
|
|
|
验证<code>state</code>是否合法与通过<code>code</code>去换取<code>access_token</code>值.
|
|
|
|
|
<br/>
|
|
|
|
|
在spring-oauth-client项目中, 可具体参考<code>AuthorizationCodeController.java</code>中的<code>authorizationCodeCallback</code>方法.
|
|
|
|
|
</li>
|
|
|
|
|
<li>
|
|
|
|
|
当grant_type=<code>implicit</code>时通过<code>redirect_uri</code>的hash值来传递<code>access_token</code>值.如:
|
|
|
|
|
<pre>http://localhost:7777/spring-oauth-client/implicit#access_token=dc891f4a-ac88-4ba6-8224-a2497e013865&token_type=bearer&expires_in=43199</pre>
|
|
|
|
|
然后客户端通过JS等从hash值中取到<code>access_token</code>值.
|
|
|
|
|
</li>
|
|
|
|
|
</ul>
|
|
|
|
|
</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authorities</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>access_token_validity</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>refresh_token_validity</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>additional_information</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>create_time</td>
|
|
|
|
|
<td>数据的创建时间,精确到秒,由数据库在插入数据时取当前系统时间自动生成(扩展字段)</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>archived</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>trusted</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<!-- oauth_client_token -->
|
|
|
|
|
<tr>
|
|
|
|
|
<td rowspan="6">oauth_client_token</td>
|
|
|
|
|
<td>create_time</td>
|
|
|
|
|
<td>数据的创建时间,精确到秒,由数据库在插入数据时取当前系统时间自动生成(扩展字段)</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authentication_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>user_name</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>client_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<!-- oauth_access_token -->
|
|
|
|
|
<tr>
|
|
|
|
|
<td rowspan="8">oauth_access_token</td>
|
|
|
|
|
<td>create_time</td>
|
|
|
|
|
<td>数据的创建时间,精确到秒,由数据库在插入数据时取当前系统时间自动生成(扩展字段)</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authentication_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>user_name</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>client_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authentication</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>refresh_token</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<!-- oauth_refresh_token -->
|
|
|
|
|
<tr>
|
|
|
|
|
<td rowspan="4">oauth_refresh_token</td>
|
|
|
|
|
<td>create_time</td>
|
|
|
|
|
<td>数据的创建时间,精确到秒,由数据库在插入数据时取当前系统时间自动生成(扩展字段)</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token_id</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>token</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authentication</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<!-- oauth_code -->
|
|
|
|
|
<tr>
|
|
|
|
|
<td rowspan="3">oauth_code</td>
|
|
|
|
|
<td>create_time</td>
|
|
|
|
|
<td>数据的创建时间,精确到秒,由数据库在插入数据时取当前系统时间自动生成(扩展字段)</td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>code</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
<tr>
|
|
|
|
|
<td>authentication</td>
|
|
|
|
|
<td></td>
|
|
|
|
|
</tr>
|
|
|
|
|
</tbody>
|
|
|
|
|
</table>
|
|
|
|
|
</div>
|
|
|
|
|
|
|
|
|
|
</body>
|
|
|
|
|
</html>
|
