欢迎您访问程序员文章站本站旨在为大家提供分享程序员计算机编程知识!
您现在的位置是: 首页

accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

程序员文章站 2022-03-26 18:22:41
...

最后会附上源码

这篇介绍了一个项目中使用的双token登录认证刷新的demo,如需移植到生产项目中,需要根据实际情况做修改。
有个地方需要注意: 我这里刷新产生新的refreshToken时 旧的refreshToken并没有失效,如果不是特别敏感这点的话可以不计较,若是在意的话,那需要自己处理:比如用缓存记录失效的token每次token认证判断是否是失效的token ,如果是的话就返回验证失败。

下面代码中会用到本地redis缓存,如果没有安装或不会用,看下我之前的博文
win7_64 redis下载安装启动服务
springboot集成redis,redis工具类
spingboot redis demo源码

如果对token还不是很了解 , 那么建议先看个我之前写的用java标准处理token的库jwt 实现的一个简单token的生成、认证过程 demo:
基于JWT规范的JWS实现token认证过程,采用JWT库jose4j,附springboot项目 demo源码下载
如果对双token accessToken refreshToken时长设置以及刷新问题 不清楚的可以看下
双token刷新、续期,access_token和refresh_token实效如何设置

demo目录结构及代码

accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

核心代码

java jwt库 jose4j的依赖

        <!-- https://mvnrepository.com/artifact/org.bitbucket.b_c/jose4j -->
        <dependency>
            <groupId>org.bitbucket.b_c</groupId>
            <artifactId>jose4j</artifactId>
            <version>0.6.5</version>
        </dependency>

redis 依赖

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-redis</artifactId>
        </dependency>
    </dependencies>

实体类 User

package com.example.token_demo.entity;

/**
 * @author:
 * @create: 2019-10-16 09:59
 **/
public class User {
    public String account;
    public String password;
    public String lastLoginTime;

    public User(){

    }

    public User(String account, String password) {
        this.account = account;
        this.password = password;
    }

    public String getAccount() {
        return account;
    }

    public void setAccount(String account) {
        this.account = account;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public String getLastLoginTime() {
        return lastLoginTime;
    }

    public void setLastLoginTime(String lastLoginTime) {
        this.lastLoginTime = lastLoginTime;
    }

    @Override
    public String toString() {
        return "User{" +
                "account='" + account + '\'' +
                ", lastLoginTime='" + lastLoginTime + '\'' +
                '}';
    }
}

双token使用web类 AccountController

package com.example.token_demo.controller;

import com.example.token_demo.entity.User;
import com.example.token_demo.redis.RedisUtil;
import com.example.token_demo.service.AuthorizationService;
import org.jose4j.json.internal.json_simple.JSONObject;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import java.util.Date;

/**
 * @author:
 * @create: 2019-10-16 10:02
 **/
@RestController
public class AccountController {

    @Autowired
    AuthorizationService authorizationService;

    @Autowired
    RedisUtil cache;

    /**
     * 注册
     * @param account
     * @param password
     * @return
     */
    @GetMapping("/register")
    public String register(@RequestParam(name = "account") String account,
                           @RequestParam(name = "password") String password){
        JSONObject ret = new JSONObject();
        //简单校验下非空
        if(account == null || account.equals("") || password == null || password.equals("")){
            ret.put("code","1");
            ret.put("desc","account | password can not empty");
            return ret.toString();
        }

        //注册成功,这里没有判断要注册的用户是否存在
        //...

        //写入数据库成功后缓存(数据库操作这里就忽略了)
        cache.set("user"+account,new User(account,password));

        //response
        ret.put("code","0");
        ret.put("desc","ok");
        return ret.toString();
    }

    /**
     * 登录
     * @param account
     * @param password
     * @return
     */
    @GetMapping("/login")
    public String login(@RequestParam(name = "account") String account,
                        @RequestParam(name = "password") String password){
        JSONObject ret = new JSONObject();
        User user = cache.get("user"+account);
        //如果缓存account获取user为null,从数据库获取user
        //...

        if(user != null && password != null && password.equals(user.getPassword())){
            //登录成功
            //创建token
            String accessToken = authorizationService.createAccessIdToken(account);
            String refreshToken = authorizationService.createRefreshIdToken(account);
            if(accessToken == null || refreshToken == null){
                ret.put("code","1");
                ret.put("desc","failed");
                return ret.toString();
            }

            //缓存当前登录用户 refreshToken 创建的起始时间,这个会在刷新accessToken方法中 判断是否要重新生成(刷新)refreshToken时用到
            cache.set("id_refreshTokenStartTime"+account,System.currentTimeMillis(),(int)AuthorizationService.refreshTokenExpirationTime);

            //更新用户最近登录时间
            user.setLastLoginTime(new Date().toLocaleString());
            //更新user到数据库成功后缓存(数据库操作这里就忽略了)
            cache.set("user"+account,user);

            //response
            ret.put("code","0");
            ret.put("desc","ok");
            ret.put("accessToken",accessToken);
            ret.put("refreshToken",refreshToken);
            return ret.toString();
        }
        ret.put("code","1");
        ret.put("desc","failed");
        return ret.toString();
    }

    /**
     * 用 refreshToken 来刷新 accessToken
     * @param refreshToken refreshToken
     * @return
     */
    @GetMapping("/accessToken/refresh/{refreshToken}")
    public String accessTokenRefresh(@PathVariable("refreshToken") String refreshToken){
        //刷新accessToken:生成新的accessToken
        String account = authorizationService.verifyToken(refreshToken);
        JSONObject ret = new JSONObject();
        if(account == null){
            //通过返回码 告诉客户端 refreshToken过期了,需要客户端就得跳转登录界面
            ret.put("code","3");//我这里只是演示,返回3表示 refreshToken过期
            ret.put("desc","failed");
            return ret.toString();
        }
        //创建新的accessToken
        String accessToken = authorizationService.createAccessIdToken(account);

        //下面判断是否刷新 refreshToken,如果refreshToken 快过期了 需要重新生成一个替换掉
        long minTimeOfRefreshToken = 2*AuthorizationService.accessTokenExpirationTime;//refreshToken 有效时长是应该为accessToken有效时长的2倍 (我在博文里有介绍)
        Long refreshTokenStartTime = cache.get("id_refreshTokenStartTime"+account);//refreshToken创建的起始时间点
        //(refreshToken上次创建的时间点 + refreshToken的有效时长 - 当前时间点) 表示refreshToken还剩余的有效时长,如果小于2倍accessToken时长 ,则刷新 refreshToken
        if(refreshTokenStartTime == null || (refreshTokenStartTime + AuthorizationService.refreshTokenExpirationTime*1000) - System.currentTimeMillis() <= minTimeOfRefreshToken*1000){
            //刷新refreshToken
            refreshToken = authorizationService.createRefreshIdToken(account);
            cache.set("id_refreshTokenStartTime"+account,System.currentTimeMillis(),(int)AuthorizationService.refreshTokenExpirationTime);
        }

        //response
        ret.put("code","0");
        ret.put("desc","ok");
        ret.put("accessToken",accessToken);
        ret.put("refreshToken",refreshToken);
        return ret.toString();
    }

    /**
     * 查询用户信息
     * @param accessToken accessToken
     * @return
     */
    @GetMapping("/user/{accessToken}")
    public String userInfo(@PathVariable("accessToken") String accessToken){
        String account = authorizationService.verifyToken(accessToken);
        System.out.println("account="+account);
        JSONObject ret = new JSONObject();
        if(account == null){
            //通过返回码 告诉客户端 accessToken过期了,需要调用刷新accessToken的接口
            ret.put("code","2");//我这里只是演示,返回2表示 accessToken过期
            ret.put("desc","accessToken expire");
            return ret.toString();
        }

        User user = cache.get("user"+account);
        //如果缓存的user为null 从数据库查询...
        //...

        //response
        ret.put("code","0");
        ret.put("desc","ok");
        ret.put("user",user);
        return ret.toJSONString();
    }
}

keyPair生成,token创建、认证服务类 AuthorizationService

package com.example.token_demo.service;

import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.lang.JoseException;
import org.springframework.stereotype.Service;

import java.security.PrivateKey;
import java.util.UUID;

/**
 * @author:
 * @create: 2019-10-16 09:36
 **/
@Service
public class AuthorizationService {
    /**
     *   keyId,公钥,私钥 都是用 createKeyPair 方法生成,在本地执行当前类main方法,然后将生成的keyPair 赋值给privateKeyStr和publicKeyStr
     */
    private static String keyId = "0fb0e71291734057be4bd506b5aeb855";
    private static String privateKeyStr = "{\"kty\":\"RSA\",\"kid\":\"0fb0e71291734057be4bd506b5aeb855\",\"alg\":\"ES256\",\"n\":\"sMEUzPmJQD2QR30PZxBSyutWLQ_HZpekDlJCjw-FUNVJa2LOOEz2Gs2pyPg7GHyBhJSFefdGh4LciCxNuE387unTFYt-kLaSEzPKHLyCI8vwMFCSasPIlqbtlCjSm_R4A-C6gcXrPvFOoCk7dOFM9z5yJXGcwhMq7ZBSDVSoYsio9bmfyNQgdueWeibDL4_YrOhW8PLcDKbNJ7a9CPJRyEp-gRbHABDKVva_Tt98O_KPDNVApzhVbk7dhC2OEvKSRAqiPQT1VVYiOTUY0QOky-52hnYrYKHEoyJzymsrcraQxA-mLk80icBY7WwPupQF9v-3pgN8AmKrs-dgHoXN8Q\",\"e\":\"AQAB\",\"d\":\"Prw5Qstq4Kc5N3Z26hDMIgPHcXUBRDOcYgzmXNqYaelaBshqA2eljjvjAFbCut0uJz2D5pdSrDRRS-_Vog3kMXRCnIoHYRu72x7tpKdv1X7EAJIIdeaJopcbChQ3NG1fz5iK-haieZOyYXxhAwoYhETgxNN_XQ7qlKk9xkd_AJg6LVV5qh4Ackm51yGf8PdpOkU38suIzxRu_-Ra6-CVr5oeTzLowPisQrvpc3poQNwSY-5mBE_l0sGTIocGCG7xuMdbvACACXoTZ1cJigL_6Cvvd8HpL2gMsJVI_KM6ZKO681ZKay_f_ielJL7wxpkfVIFlJtqDYVjybGqYByWlQQ\",\"p\":\"7IwwVhBhCCr_noJkAK5xwllD05nU_I7zpfE-mzST6Q-7a1dScWb_ZmDM2O1py_IYaB7V42zZzoXrBMG4ZYwO_dfKhBxOKqwohPQY53d5Y8wGzAqoMz6zgjz4P0x_hPzYKIjV6-l-NDgrkbjIaL8RCnP_0fxpxMV6jebaC-QOPNk\",\"q\":\"v0oeiMD15o8rjWFz8sHWVwVVUJJSOxKJQRJ8_NZdwOgEVwUVQjftpFQa6IiTMowUd7t8AKcMyYzXbZvFe0tqTtZ8ccbn_GrMKVrfzoIn1QtaOgV1MCtWfej88afyxT6QhoHB5BLZFp2W5iB8uEyc1dUz-qiJXrX5oPYJWeNZytk\",\"dp\":\"Cvu7ZtOd3cY5Vj_RquJur8p7RsD2zb9JeuQHtycq0wCDAEnurwtMQpGuEUh8yBZ2oacE4Wl1d4xqTC8-g6CMNacmZRn3Wy3hN8MpwN2gSkz359N62d5IcXypPi8sIJ2o38DyxeBylrQg-cQtsgdlICogr7xboOJWfW5Bo5m0O4k\",\"dq\":\"SVZ7WmbQX_Kn-e5Q69NQ_8_1o4xVpnw2zxHthWoSS7EoaMx0GA0lOQldv6UM-iYmerkQk5d4GZW7yjQchGanfU5SK7TcoDO5zmkewSe5ab6Oeww4n50d7evzfhqrwt93vXnmAjEPtdH5VoVCC86jmn_BC-qtr_gImqN5dlLpzBE\",\"qi\":\"YZAFG3X3qrMz_wPFwPJu2CA36rvd1hxv6-tYVWneOlAQaDsRHlmfN4IXdYLsljtDi_Qp-I-Z0LPnZFMgiTUPQ8yzWUPJ31YpZePDxMtc5esI0M19ktofqVrH-NxPKvGLfPBsD5p_u5OtKkztr_Vq6yXhj3tSO8TPSXheUILxmdE\"}";
    private static String publicKeyStr = "{\"kty\":\"RSA\",\"kid\":\"0fb0e71291734057be4bd506b5aeb855\",\"alg\":\"ES256\",\"n\":\"sMEUzPmJQD2QR30PZxBSyutWLQ_HZpekDlJCjw-FUNVJa2LOOEz2Gs2pyPg7GHyBhJSFefdGh4LciCxNuE387unTFYt-kLaSEzPKHLyCI8vwMFCSasPIlqbtlCjSm_R4A-C6gcXrPvFOoCk7dOFM9z5yJXGcwhMq7ZBSDVSoYsio9bmfyNQgdueWeibDL4_YrOhW8PLcDKbNJ7a9CPJRyEp-gRbHABDKVva_Tt98O_KPDNVApzhVbk7dhC2OEvKSRAqiPQT1VVYiOTUY0QOky-52hnYrYKHEoyJzymsrcraQxA-mLk80icBY7WwPupQF9v-3pgN8AmKrs-dgHoXN8Q\",\"e\":\"AQAB\"}";

    public static long accessTokenExpirationTime = 60;
    public static long refreshTokenExpirationTime = 60*3;

    public String createAccessIdToken(String userId) {
        return createIdToken(userId,accessTokenExpirationTime);
    }

    public String createRefreshIdToken(String userId) {
        return createIdToken(userId,refreshTokenExpirationTime);
    }

    public String createIdToken(String account,long expirationTime) {
        try {
            //Claims
            JwtClaims claims = new JwtClaims();
            claims.setGeneratedJwtId();
            claims.setIssuedAtToNow();
            //expire time
            NumericDate date = NumericDate.now();
            date.addSeconds(expirationTime);
            claims.setExpirationTime(date);
            claims.setNotBeforeMinutesInThePast(1);
            claims.setSubject("YOUR_SUBJECT");
            claims.setAudience("YOUR_AUDIENCE");
            //添加自定义参数,必须是字符串类型
            claims.setClaim("account", account);

            //jws
            JsonWebSignature jws = new JsonWebSignature();
            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
            jws.setKeyIdHeaderValue(keyId);
            jws.setPayload(claims.toJson());
            PrivateKey privateKey = new RsaJsonWebKey(JsonUtil.parseJson(privateKeyStr)).getPrivateKey();
            jws.setKey(privateKey);

            //get token
            String idToken = jws.getCompactSerialization();
            return idToken;
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    /**
     * jws校验token
     *
     * @param token
     * @return 返回 用户账号
     * @throws JoseException
     */
    public String verifyToken(String token) {
        try {
            JwtConsumer consumer = new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setMaxFutureValidityInMinutes(5256000)
                    //allow some leeway in validating time based claims to account for clock skew
                    //过期后30秒内还能解析成功
                    .setAllowedClockSkewInSeconds(30)
                    .setRequireSubject()
                    //.setExpectedIssuer("")
                    .setExpectedAudience("YOUR_AUDIENCE")
                    /*
                    RsaJsonWebKey jwk = null;
                    try {
                        jwk = RsaJwkGenerator.generateJwk(2048);
                        } catch (JoseException e) {
                            e.printStackTrace();
                        }
                        jwk.setKeyId(keyId); */
                    //.setVerificationKey(jwk.getPublicKey())
                    .setVerificationKey(new RsaJsonWebKey(JsonUtil.parseJson(publicKeyStr)).getPublicKey())
                    .build();

            JwtClaims claims = consumer.processToClaims(token);
            if (claims != null) {
                String account = (String) claims.getClaimValue("account");
                System.out.println("认证通过!token payload携带的自定义内容:用户账号account=" + account);
                return account;
            }
        }  catch (JoseException e) {
            e.printStackTrace();
        }  catch (InvalidJwtException e) {
            e.printStackTrace();
        }catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    /**
     * 创建jwk keyId , 公钥 ,秘钥
     */
    public static void createKeyPair(){
        String keyId = UUID.randomUUID().toString().replaceAll("-", "");
        RsaJsonWebKey jwk = null;
        try {
            jwk = RsaJwkGenerator.generateJwk(2048);
        } catch (JoseException e) {
            e.printStackTrace();
        }
        jwk.setKeyId(keyId);
        jwk.setAlgorithm(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
        String publicKey = jwk.toJson(RsaJsonWebKey.OutputControlLevel.PUBLIC_ONLY);
        String privateKey = jwk.toJson(RsaJsonWebKey.OutputControlLevel.INCLUDE_PRIVATE);

        System.out.println("keyId="+keyId);
        System.out.println();
        System.out.println("公钥 publicKeyStr="+publicKey);
        System.out.println();
        System.out.println("私钥 privateKeyStr="+privateKey);
    }
    
    public static void main(String[] args){
        //create key pair
        createKeyPair();
    }
}

本地生成keyPair,本地运行AuthorizationService main方法生成keyPair 覆盖代码中的keyId、privateKeyStr和publicKeyStr。 如果不是泄漏了不用更换.
accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

启动项目

1 先启动本地 redis 服务

2 启动token demo程序

测试

测试工具 Postman

1 注册

Postman 新建访问 http://127.0.0.1:8081/register?account=zhangsan&password=123456
accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

2 登录

Postman GET方式 访问 http://127.0.0.1:8081/login?account=zhangsan&password=123456
accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

注意 ,为了快速测试, 我特意将 accessToken 过期时间设置1分钟,refreshToken过期时间3分钟

3 查询用户信息 (用accessToken)

Postman GET方式 访问 http://127.0.0.1:8081/user/{accessToken}

  • 登录后1分钟内 查询user信息
    accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

  • 登录后1分钟40秒 查询user信息 (1分30内 accessToken都是有效的,原因解析token设置了 setAllowedClockSkewInSeconds(30),token过期了还能延长30秒有效 )
    accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

返回提示 accessToken过期

4 刷新accessToken (用refreshToken)

Postman GET方式 访问 http://127.0.0.1:8081/accessToken/refresh/{refreshToken}

  • 登录后 2分钟之前 刷新accessToken
    只有 accessToken 会被刷新,refreshToken虽然我返回了 但是值还是登录返回的refreshToken值 ,如下:
    accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

  • 登录后 2分钟 到 3分钟 内 刷新accessToken
    accessToken 和 refreshToken 都会被刷新,如下:
    accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

  • 登录后 3分40秒 刷新accessToken
    报错返回提示 refreshToken 过期,如下:
    accessToken refreshToken简单使用源码demo,双token刷新及有效时间设置

这时客户端 需要跳转到 登录页面重新登录

源码网盘下载

链接:https://pan.baidu.com/s/15oPRcDtjcdXUmDxqji0Jog
提取码:gx9p