Merge pull request #5965 from EightMonth/springboot3_sas

新增token校验、客户端便捷工具类、修复登录缺乏租户信息、强退功能失效
2024-03-12 14:27:11 +08:00 · 2024-03-12 14:27:11 +08:00 · d684c09392
parent 20efa3bf9a 364be22dd0
commit d684c09392
26 changed files with 260 additions and 13 deletions
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/api/CommonAPI.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/api/CommonAPI.java
@ -1,5 +1,6 @@
 package org.jeecg.common.api;

+import com.alibaba.fastjson.JSONObject;
 import org.jeecg.common.system.vo.*;

 import java.util.List;
@ -154,4 +155,11 @@ public interface CommonAPI {
     */
    void updateUserDepart(String username,String orgCode,Integer loginTenantId);

+    /**
+     * 设置登录租户
+     * @param username
+     * @return
+     */
+    JSONObject setLoginTenant(String username);
+
 }
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/CommonConstant.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/constant/CommonConstant.java
@ -78,7 +78,7 @@ public interface CommonConstant {
    /** 登录用户Shiro权限缓存KEY前缀 */
    public static String PREFIX_USER_SHIRO_CACHE  = "shiro:cache:org.jeecg.config.shiro.ShiroRealm.authorizationCache:";
    /** 登录用户Token令牌缓存KEY前缀 */
-    String PREFIX_USER_TOKEN  = "prefix_user_token:";
+    String PREFIX_USER_TOKEN  = "token::jeecg-client::";
 //    /** Token缓存时间：3600秒即一小时 */
 //    int  TOKEN_EXPIRE_TIME  = 3600;

--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/util/JwtUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/system/util/JwtUtil.java
@ -12,13 +12,20 @@ import com.google.common.base.Joiner;

 import java.io.IOException;
 import java.io.OutputStream;
+import java.util.ArrayList;
 import java.util.Date;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
 import jakarta.servlet.ServletResponse;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import jakarta.servlet.http.HttpSession;

 import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.DataBaseConstant;
@ -31,7 +38,17 @@ import org.jeecg.common.util.DateUtils;
 import org.jeecg.common.util.SpringContextUtils;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.config.security.utils.SecureUtil;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.core.*;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
+import org.springframework.security.oauth2.server.authorization.token.DefaultOAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
+import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

 /**
 * @Author Scott
@ -45,6 +62,8 @@ public class JwtUtil {
 	public static final long EXPIRE_TIME = (7 * 12) * 60 * 60 * 1000;
 	static final String WELL_NUMBER = SymbolConstant.WELL_NUMBER + SymbolConstant.LEFT_CURLY_BRACKET;

+	public static final String DEFAULT_CLIENT = "jeecg-client";
+
    /**
     *
     * @param response
@ -80,10 +99,9 @@ public class JwtUtil {
 	public static boolean verify(String token, String username, String secret) {
 		try {
 			// 根据密码生成JWT效验器
-			Algorithm algorithm = Algorithm.HMAC256(secret);
-			JWTVerifier verifier = JWT.require(algorithm).withClaim("username", username).build();
+			JwtDecoder jwtDecoder = SpringContextUtils.getBean(JwtDecoder.class);
 			// 效验TOKEN
-			DecodedJWT jwt = verifier.verify(token);
+			jwtDecoder.decode(token);
 			return true;
 		} catch (Exception exception) {
 			return false;
@ -98,7 +116,7 @@ public class JwtUtil {
 	public static String getUsername(String token) {
 		try {
 			DecodedJWT jwt = JWT.decode(token);
-			LoginUser loginUser = SecureUtil.currentUser();
+			LoginUser loginUser = JSONObject.parseObject(jwt.getClaim("sub").asString(), LoginUser.class);
 			return loginUser.getUsername();
 		} catch (JWTDecodeException e) {
 			return null;
@ -106,7 +124,7 @@ public class JwtUtil {
 	}

 	/**
-	 * 生成签名,5min后过期
+	 * 生成签名,5min后过期（暂未实现）
 	 *
 	 * @param username 用户名
 	 * @param secret   用户的密码
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/ClientService.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/ClientService.java
@ -0,0 +1,90 @@
+package org.jeecg.config.security;
+
+import lombok.AllArgsConstructor;
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
+import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
+import org.springframework.stereotype.Component;
+
+import java.time.Duration;
+import java.util.Set;
+
+/**
+ * spring authorization server 注册客户端便捷工具类
+ * @author eightmonth@qq.com
+ * @date 2024/3/7 11:22
+ */
+@Component
+@AllArgsConstructor
+public class ClientService {
+
+    private RegisteredClientRepository registeredClientRepository;
+
+    /**
+     * 修改客户端token有效期
+     * 认证码、设备码有效期与accessToken有效期保持一致
+     */
+    public void updateTokenValidation(String clientId, Long accessTokenValidation, Long refreshTokenValidation){
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        TokenSettings tokenSettings = TokenSettings.builder()
+                .idTokenSignatureAlgorithm(SignatureAlgorithm.RS256)
+                .accessTokenTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
+                .reuseRefreshTokens(true)
+                .refreshTokenTimeToLive(Duration.ofSeconds(refreshTokenValidation))
+                .authorizationCodeTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .deviceCodeTimeToLive(Duration.ofSeconds(accessTokenValidation))
+                .build();
+        builder.tokenSettings(tokenSettings);
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端授权类型
+     * @param clientId
+     * @param grantTypes
+     */
+    public void updateGrantType(String clientId, Set<AuthorizationGrantType> grantTypes) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        for (AuthorizationGrantType grantType : grantTypes) {
+            builder.authorizationGrantType(grantType);
+        }
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端重定向uri
+     * @param clientId
+     * @param redirectUris
+     */
+    public void updateRedirectUris(String clientId, String redirectUris) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        builder.redirectUri(redirectUris);
+        registeredClientRepository.save(builder.build());
+    }
+
+    /**
+     * 修改客户端授权范围
+     * @param clientId
+     * @param scopes
+     */
+    public void updateScopes(String clientId, Set<String> scopes) {
+        RegisteredClient registeredClient = findByClientId(clientId);
+        RegisteredClient.Builder builder = RegisteredClient.from(registeredClient);
+        for (String scope : scopes) {
+            builder.scope(scope);
+        }
+        registeredClientRepository.save(builder.build());
+    }
+
+    public RegisteredClient findByClientId(String clientId) {
+        return registeredClientRepository.findByClientId(clientId);
+    }
+
+}
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgPermissionService.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgPermissionService.java
@ -12,6 +12,7 @@ import org.springframework.util.StringUtils;
 import java.util.Set;

 /**
+ * spring authorization server自定义权限处理，根据@PreAuthorize注解，判断当前用户是否具备权限
 * @author EightMonth
 * @date 2024/1/10 17:00
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationConsentService.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationConsentService.java
@ -9,6 +9,9 @@ import org.springframework.util.Assert;

 import java.util.concurrent.TimeUnit;

+/**
+ * spring authorization server 自定义redis保存授权范围信息
+ */
@Component
@RequiredArgsConstructor
 public class JeecgRedisOAuth2AuthorizationConsentService implements OAuth2AuthorizationConsentService {
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationService.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/JeecgRedisOAuth2AuthorizationService.java
@ -24,6 +24,7 @@ import java.util.Set;
 import java.util.concurrent.TimeUnit;

 /**
+ * spring authorization server自定义redis保存认证信息
 * @author EightMonth
 */
@Component
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/RedisTokenValidationFilter.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/RedisTokenValidationFilter.java
@ -0,0 +1,49 @@
+package org.jeecg.config.security;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.AllArgsConstructor;
+import org.jeecg.common.system.util.JwtUtil;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
+import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
+import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
+import org.springframework.security.oauth2.server.resource.BearerTokenErrors;
+import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Objects;
+
+/**
+ * 当用户被强退时，使客户端token失效
+ * @author eightmonth@qq.com
+ * @date 2024/3/7 17:30
+ */
+@Component
+@AllArgsConstructor
+public class RedisTokenValidationFilter extends OncePerRequestFilter {
+    private OAuth2AuthorizationService authorizationService;
+    private JwtDecoder jwtDecoder;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        // 从请求中获取token
+        DefaultBearerTokenResolver defaultBearerTokenResolver = new DefaultBearerTokenResolver();
+        String token = defaultBearerTokenResolver.resolve(request);
+
+
+        if (Objects.nonNull(token)) {
+            // 检查认证信息是否已被清除，如果已被清除，则令该token失效
+            OAuth2Authorization oAuth2Authorization = authorizationService.findByToken(token, OAuth2TokenType.ACCESS_TOKEN);
+            if (Objects.isNull(oAuth2Authorization)) {
+                throw new OAuth2AuthenticationException(BearerTokenErrors.invalidToken("认证信息已失效，请重新登录"));
+            }
+        }
+        filterChain.doFilter(request, response);
+    }
+}
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/SecurityConfig.java
@ -37,6 +37,7 @@ import org.springframework.security.oauth2.server.authorization.settings.Authori
 import org.springframework.security.oauth2.server.authorization.token.*;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
 import org.springframework.web.cors.CorsConfiguration;
@ -49,6 +50,7 @@ import java.util.Arrays;
 import java.util.UUID;

 /**
+ * spring authorization server核心配置
 * @author eightmonth@qq.com
 * @date 2024/1/2 9:29
 */
@ -66,6 +68,7 @@ public class SecurityConfig {
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
            throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+        // 注册自定义登录类型
        http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
                .tokenEndpoint(tokenEndpoint -> tokenEndpoint.accessTokenRequestConverter(new PasswordGrantAuthenticationConvert())
                        .authenticationProvider(new PasswordGrantAuthenticationProvider(authorizationService, tokenGenerator())))
@ -172,7 +175,7 @@ public class SecurityConfig {
    }

    /**
-     * 注册客户端信息
+     * 数据库保存注册客户端信息
     */
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationConvert.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationConvert.java
@ -16,6 +16,7 @@ import java.util.HashMap;
 import java.util.Map;

 /**
+ * APP模式认证转换器
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationProvider.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationProvider.java
@ -1,5 +1,6 @@
 package org.jeecg.config.security.app;

+import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.constant.CommonConstant;
@ -40,6 +41,7 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;

 /**
+ * APP模式认证处理器，负责处理该认证模式下的核心逻辑
 * @author EightMonth
 * @date 2024/1/1
 */
@ -85,7 +87,7 @@ public class AppGrantAuthenticationProvider implements AuthenticationProvider {
        String captcha = (String) additionalParameter.get("captcha");
        String checkKey = (String) additionalParameter.get("checkKey");

-
+        // 检查登录失败次数
        if(isLoginFailOvertimes(username)){
            throw new JeecgBootException("该用户登录失败次数过多，请于10分钟后再次登录！");
        }
@ -112,6 +114,7 @@ public class AppGrantAuthenticationProvider implements AuthenticationProvider {
            throw new JeecgBootException("非法登录");
        }

+        // 通过用户名获取用户信息
        LoginUser loginUser = commonAPI.getUserByName(username);
        // 检查用户可行性
        checkUserIsEffective(loginUser);
@ -180,6 +183,7 @@ public class AppGrantAuthenticationProvider implements AuthenticationProvider {

        OAuth2Authorization authorization = authorizationBuilder.build();

+        // 保存认证信息至redis
        authorizationService.save(authorization);

        // 登录成功，删除redis中的验证码
@ -187,7 +191,12 @@ public class AppGrantAuthenticationProvider implements AuthenticationProvider {
        redisUtil.del(CommonConstant.LOGIN_FAIL + username);
        baseCommonService.addLog("用户名: " + username + ",登录成功！", CommonConstant.LOG_TYPE_1, null,loginUser);

-        Map<String, Object> addition = new HashMap<>();
+        JSONObject addition = new JSONObject(new LinkedHashMap<>());
+
+        // 设置租户
+        JSONObject jsonObject = commonAPI.setLoginTenant(username);
+        addition.putAll(jsonObject.getInnerMap());
+
        // 设置登录用户信息
        addition.put("userInfo", loginUser);
        addition.put("sysAllDictItems", commonAPI.queryAllDictItems());
@ -207,6 +216,7 @@ public class AppGrantAuthenticationProvider implements AuthenticationProvider {
            addition.put("multi_depart", 2);
        }

+        // 返回access_token、refresh_token以及其它信息给到前端
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, addition);
    }

--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationToken.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/app/AppGrantAuthenticationToken.java
@ -8,6 +8,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import java.util.Map;

 /**
+ * APP模式认证专用token类型，方法spring authorization server进行认证流转，配合convert使用
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationConvert.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationConvert.java
@ -17,6 +17,7 @@ import java.util.HashMap;
 import java.util.Map;

 /**
+ * 密码模式认证转换器
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationProvider.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationProvider.java
@ -1,5 +1,6 @@
 package org.jeecg.config.security.password;

+import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.constant.CommonConstant;
@ -41,6 +42,7 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;

 /**
+ * 密码模式认证处理器，负责处理该认证模式下的核心逻辑
 * @author EightMonth
 * @date 2024/1/1
 */
@ -86,7 +88,7 @@ public class PasswordGrantAuthenticationProvider implements AuthenticationProvid
        String captcha = (String) additionalParameter.get("captcha");
        String checkKey = (String) additionalParameter.get("checkKey");

-
+        // 检查登录失败次数
        if(isLoginFailOvertimes(username)){
            throw new JeecgBootException("该用户登录失败次数过多，请于10分钟后再次登录！");
        }
@ -113,6 +115,7 @@ public class PasswordGrantAuthenticationProvider implements AuthenticationProvid
            throw new JeecgBootException("非法登录");
        }

+        // 通过用户名获取用户信息
        LoginUser loginUser = commonAPI.getUserByName(username);
        // 检查用户可行性
        checkUserIsEffective(loginUser);
@ -181,6 +184,7 @@ public class PasswordGrantAuthenticationProvider implements AuthenticationProvid

        OAuth2Authorization authorization = authorizationBuilder.build();

+        // 保存认证信息至redis
        authorizationService.save(authorization);

        // 登录成功，删除redis中的验证码
@ -188,7 +192,12 @@ public class PasswordGrantAuthenticationProvider implements AuthenticationProvid
        redisUtil.del(CommonConstant.LOGIN_FAIL + username);
        baseCommonService.addLog("用户名: " + username + ",登录成功！", CommonConstant.LOG_TYPE_1, null,loginUser);

-        Map<String, Object> addition = new HashMap<>();
+        JSONObject addition = new JSONObject(new LinkedHashMap<>());
+
+        // 设置租户
+        JSONObject jsonObject = commonAPI.setLoginTenant(username);
+        addition.putAll(jsonObject.getInnerMap());
+
        // 设置登录用户信息
        addition.put("userInfo", loginUser);
        addition.put("sysAllDictItems", commonAPI.queryAllDictItems());
@ -208,6 +217,7 @@ public class PasswordGrantAuthenticationProvider implements AuthenticationProvid
            addition.put("multi_depart", 2);
        }

+        // 返回access_token、refresh_token以及其它信息给到前端
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, addition);
    }

--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationToken.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/password/PasswordGrantAuthenticationToken.java
@ -8,6 +8,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import java.util.Map;

 /**
+ * 密码模式认证专用token类型，方法spring authorization server进行认证流转，配合convert使用
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationConvert.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationConvert.java
@ -16,6 +16,7 @@ import java.util.HashMap;
 import java.util.Map;

 /**
+ * 手机号模式认证转换器
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationProvider.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationProvider.java
@ -1,5 +1,6 @@
 package org.jeecg.config.security.phone;

+import com.alibaba.fastjson.JSONObject;
 import lombok.extern.slf4j.Slf4j;
 import org.jeecg.common.api.CommonAPI;
 import org.jeecg.common.constant.CommonConstant;
@ -40,6 +41,7 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;

 /**
+ * 手机号模式认证处理器，负责处理该认证模式下的核心逻辑
 * @author EightMonth
 * @date 2024/1/1
 */
@ -87,6 +89,7 @@ public class PhoneGrantAuthenticationProvider implements AuthenticationProvider
        // 验证码
        String captcha = (String) additionalParameter.get("captcha");

+        // 通过手机号获取用户信息
        LoginUser loginUser = commonAPI.getUserByPhone(phone);
        // 检查用户可行性
        checkUserIsEffective(loginUser);
@ -166,11 +169,17 @@ public class PhoneGrantAuthenticationProvider implements AuthenticationProvider

        OAuth2Authorization authorization = authorizationBuilder.build();

+        // 保存认证信息至redis
        authorizationService.save(authorization);

        baseCommonService.addLog("用户名: " + loginUser.getUsername() + ",登录成功！", CommonConstant.LOG_TYPE_1, null,loginUser);

-        Map<String, Object> addition = new HashMap<>();
+        JSONObject addition = new JSONObject(new LinkedHashMap<>());
+
+        // 设置租户
+        JSONObject jsonObject = commonAPI.setLoginTenant(loginUser.getUsername());
+        addition.putAll(jsonObject.getInnerMap());
+
        // 设置登录用户信息
        addition.put("userInfo", loginUser);
        addition.put("sysAllDictItems", commonAPI.queryAllDictItems());
@ -190,6 +199,7 @@ public class PhoneGrantAuthenticationProvider implements AuthenticationProvider
            addition.put("multi_depart", 2);
        }

+        // 返回access_token、refresh_token以及其它信息给到前端
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, addition);
    }

--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationToken.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/phone/PhoneGrantAuthenticationToken.java
@ -8,6 +8,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import java.util.Map;

 /**
+ * 手机号模式认证专用token类型，方法spring authorization server进行认证流转，配合convert使用
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationConvert.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationConvert.java
@ -16,6 +16,7 @@ import java.util.HashMap;
 import java.util.Map;

 /**
+ * 社交模式认证转换器，配合github、企业微信、钉钉、微信登录使用
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationProvider.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationProvider.java
@ -1,5 +1,6 @@
 package org.jeecg.config.security.social;

+import com.alibaba.fastjson.JSONObject;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.interfaces.DecodedJWT;
 import lombok.extern.slf4j.Slf4j;
@ -38,6 +39,7 @@ import java.util.stream.Collectors;
 import java.util.stream.Stream;

 /**
+ * 社交模式认证处理器，负责处理该认证模式下的核心逻辑，配合github、企业微信、钉钉、微信登录使用
 * @author EightMonth
 * @date 2024/1/1
 */
@ -84,6 +86,7 @@ public class SocialGrantAuthenticationProvider implements AuthenticationProvider
        DecodedJWT jwt = JWT.decode(token);
        String username = jwt.getClaim("username").asString();

+        // 通过手机号获取用户信息
        LoginUser loginUser = commonAPI.getUserByName(username);
        // 检查用户可行性
        checkUserIsEffective(loginUser);
@ -152,11 +155,17 @@ public class SocialGrantAuthenticationProvider implements AuthenticationProvider

        OAuth2Authorization authorization = authorizationBuilder.build();

+        // 保存认证信息至redis
        authorizationService.save(authorization);

        baseCommonService.addLog("用户名: " + loginUser.getUsername() + ",登录成功！", CommonConstant.LOG_TYPE_1, null,loginUser);

-        Map<String, Object> addition = new HashMap<>();
+        JSONObject addition = new JSONObject(new LinkedHashMap<>());
+
+        // 设置租户
+        JSONObject jsonObject = commonAPI.setLoginTenant(loginUser.getUsername());
+        addition.putAll(jsonObject.getInnerMap());
+
        // 设置登录用户信息
        addition.put("userInfo", loginUser);
        addition.put("sysAllDictItems", commonAPI.queryAllDictItems());
@ -176,6 +185,7 @@ public class SocialGrantAuthenticationProvider implements AuthenticationProvider
            addition.put("multi_depart", 2);
        }

+        // 返回access_token、refresh_token以及其它信息给到前端
        return new OAuth2AccessTokenAuthenticationToken(registeredClient, clientPrincipal, accessToken, refreshToken, addition);
    }

--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationToken.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/social/SocialGrantAuthenticationToken.java
@ -8,6 +8,7 @@ import org.springframework.security.oauth2.server.authorization.authentication.O
 import java.util.Map;

 /**
+ * 社交模式认证专用token类型，方法spring authorization server进行认证流转，配合convert使用，配合github、企业微信、钉钉、微信登录使用
 * @author EightMonth
 * @date 2024/1/1
 */
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/utils/SecureUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/config/security/utils/SecureUtil.java
@ -2,14 +2,20 @@ package org.jeecg.config.security.utils;

 import com.alibaba.fastjson2.JSONObject;
 import org.jeecg.common.system.vo.LoginUser;
+import org.jeecg.common.util.SpringContextUtils;
 import org.springframework.security.core.context.SecurityContextHolder;

 /**
+ * 认证信息工具类
 * @author EightMonth
 * @date 2024/1/10 17:03
 */
 public class SecureUtil {

+    /**
+     * 通过当前认证信息获取用户信息
+     * @return
+     */
    public static LoginUser currentUser() {
        String name = SecurityContextHolder.getContext().getAuthentication().getName();
        return JSONObject.parseObject(name, LoginUser.class);
--- a/jeecg-module-system/jeecg-system-api/jeecg-system-cloud-api/src/main/java/org/jeecg/common/system/api/ISysBaseAPI.java
+++ b/jeecg-module-system/jeecg-system-api/jeecg-system-cloud-api/src/main/java/org/jeecg/common/system/api/ISysBaseAPI.java
@ -749,4 +749,6 @@ public interface ISysBaseAPI extends CommonAPI {
    @PostMapping("/sys/api/updateUserDepart")
    void updateUserDepart(@RequestParam("username") String username,@RequestParam("orgCode") String orgCode,@RequestParam("loginTenantId") Integer loginTenantId);

+    @GetMapping("/sys/api/setLoginTenant")
+    JSONObject setLoginTenant(@RequestParam("username") String username);
 }
--- a/jeecg-module-system/jeecg-system-api/jeecg-system-cloud-api/src/main/java/org/jeecg/common/system/api/fallback/SysBaseAPIFallback.java
+++ b/jeecg-module-system/jeecg-system-api/jeecg-system-cloud-api/src/main/java/org/jeecg/common/system/api/fallback/SysBaseAPIFallback.java
@ -452,4 +452,9 @@ public class SysBaseAPIFallback implements ISysBaseAPI {
    public LoginUser getUserByPhone(String phone) {
        return null;
    }
+
+    @Override
+    public JSONObject setLoginTenant(String username) {
+        return null;
+    }
 }
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/api/controller/SystemApiController.java
@ -917,4 +917,9 @@ public class SystemApiController {
        sysBaseApi.updateUserDepart(username, orgCode, loginTenantId);
    }

+    @GetMapping("/sys/api/setLoginTenant")
+    public JSONObject setLoginTenant(@RequestParam("username") String username) {
+        return sysBaseApi.setLoginTenant(username);
+    }
+
 }
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/service/impl/SysBaseApiImpl.java
@ -20,6 +20,7 @@ import org.apache.commons.lang3.ObjectUtils;
 import org.jeecg.common.api.dto.DataLogDTO;
 import org.jeecg.common.api.dto.OnlineAuthDTO;
 import org.jeecg.common.api.dto.message.*;
+import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.aspect.UrlMatchEnum;
 import org.jeecg.common.config.TenantContext;
 import org.jeecg.common.constant.*;
@ -1780,4 +1781,11 @@ public class SysBaseApiImpl implements ISysBaseAPI {
 		}
 	}

+	@Override
+	public JSONObject setLoginTenant(String username) {
+		JSONObject obj = new JSONObject(new LinkedHashMap<>());
+		SysUser sysUser = sysUserService.getUserByName(username);
+		sysUserService.setLoginTenant(sysUser, obj, username, null);
+		return obj;
+	}
 }