想象一个情况:Foobar Inc.的分析师 对公司的市场状况和业务流程进行了透彻的研究,得出的结论是,为了优化成本并显着提高Foobar的利润,流鼻血需要一个Telegram机器人伴侣,可以在困难时期为员工加油。
自然,Foobar不能允许阴险的竞争者仅通过将其机器人添加到联系人中来利用其专有技术。因此,该机器人仅需与Foobar员工进行交谈,这些员工通过基于OpenId Connect的公司单点登录(SSO)进行身份验证。
理论上
OpenId Connect(OIDC)是基于OAuth 2.0系列规范的身份验证协议。其中,身份验证过程可以根据称为流的各种场景进行,并且包括三个方面:
- 资源所有者-用户;
- 客户-请求认证的应用程序;
- 授权服务器(授权服务器)-一种存储有关用户的信息并能够对其进行身份验证的应用程序。
JWT- (JSON Web Token). OIDC, , , OIDC.
, , : Telegram- SSO. .
, . OIDC :
- (authorization code flow),
- (implicit flow),
- (hybrid flow),
- , OAuth 2.0.
— HTTP, .
:
- .
- .
- .
- (, ).
- callback URL .
- ID .
- .
, , , ID , , Telegram- .
state , (XSRF). state 2 URL , 5 callback URL . , 2 state id Telegram-, 7 state id Telegram- . !
, , :
- Keycloak — open source (Identity and Access Management), OAuth 2.0, Open ID Connect SAML.
- Spring Boot .
- TelegramBots — Java Telegram-. — Spring Boot.
- ScribeJava — OAuth Java. , OAuth , Keycloak. , Keycloak - , Spring Boot — . Keycloak , — Telegram-, state id Telegram-, .
- Java JWT Auth0 — JWT Java, ID .
:
@Component
public class Bot extends TelegramLongPollingBot {
private final OidcService oidcService;
@Override
public void onUpdateReceived(Update update) {
if (!update.hasMessage()) {
log.debug("Update has no message. Skip processing.");
return;
}
var userId = update.getMessage().getFrom().getId();
var chatId = update.getMessage().getChatId();
oidcService.findUserInfo(userId).ifPresentOrElse(
userInfo -> greet(userInfo, chatId),
() -> askForLogin(userId, chatId));
}
private void greet(UserInfo userInfo, Long chatId) {
var username = userInfo.getPreferredUsername();
var message = String.format(
"Hello, <b>%s</b>!\nYou are the best! Have a nice day!",
username);
sendHtmlMessage(message, chatId);
}
private void askForLogin(Integer userId, Long chatId) {
var url = oidcService.getAuthUrl(userId);
var message = String.format("Please, <a href=\"%s\">log in</a>.", url);
sendHtmlMessage(message, chatId);
}
}
— UserInfo id Telegram- URL :
@Service
public class OidcService {
private final OAuth20Service oAuthService;
private final UserTrackerStorage userTrackers;
private final TokenStorage accessTokens;
public Optional<UserInfo> findUserInfo(Integer userId) {
return accessTokens.find(userId)
.map(UserInfo::of);
}
public String getAuthUrl(Integer userId) {
var state = UUID.randomUUID().toString();
userTrackers.put(state, userId);
return oAuthService.getAuthorizationUrl(state);
}
}
, , :
public class UserInfo {
private final String subject;
private final String preferredUsername;
static UserInfo of(OpenIdOAuth2AccessToken token) {
var jwt = JWT.decode(token.getOpenIdToken());
var subject = jwt.getSubject();
var preferredUsername = jwt.getClaim("preferred_username").asString();
return new UserInfo(subject, preferredUsername);
}
}
OAuth20Service:
@Configuration
@EnableConfigurationProperties(OidcProperties.class)
class OidcAutoConfiguration {
@Bean
OAuth20Service oAuthService(OidcProperties properties) {
return new ServiceBuilder(properties.getClientId())
.apiSecret(properties.getClientSecret())
.defaultScope("openid offline_access")
.callback(properties.getCallback())
.build(KeycloakApi.instance(properties.getBaseUrl(), properties.getRealm()));
}
}
Callback endpoint :
@Component
@Path("/auth")
public class AuthEndpoint {
private final URI botUri;
private final OidcService oidcService;
@GET
@Produces("text/plain; charset=UTF-8")
public Response auth(
@QueryParam("state") String state,
@QueryParam("code") String code) {
return oidcService.completeAuth(state, code)
.map(userInfo -> Response.temporaryRedirect(botUri).build())
.orElseGet(() -> Response.serverError().entity("Cannot complete authentication").build());
}
}
OidcService, completeAuth:
@Service
public class OidcService {
private final OAuth20Service oAuthService;
private final UserTrackerStorage userTrackers;
private final TokenStorage accessTokens;
public Optional<UserInfo> completeAuth(String state, String code) {
return userTrackers.find(state)
.map(userId -> requestAndStoreToken(code, userId))
.map(UserInfo::of);
}
private OpenIdOAuth2AccessToken requestAndStoreToken(
String code,
Integer userId) {
var token = requestToken(code);
accessTokens.put(userId, token);
return token;
}
private OpenIdOAuth2AccessToken requestToken(String code) {
try {
return (OpenIdOAuth2AccessToken) oAuthService.getAccessToken(code);
} catch (IOException | InterruptedException | ExecutionException e) {
throw new RuntimeException("Cannot get access token", e);
}
}
}
!
, , , , . , - , / .
这些问题已在更多分支机构的OAuth客户端(如Spring Security和Google OAuth Client)中为我们解决。但是出于演示目的,我们还可以:)
所有资源都可以在GitHub上找到。