Spring Cloud Feign 使用OAuth2

Spring Cloud 微服务架构下，服务间的调用采用的是Feign组件，为了增加服务安全性，server之间互相调用采用OAuth2的client模式。Feign使用http进行服务间的通信，同时整合了Ribbion

使得其具有负载均衡和失败重试的功能，微服务service-a调用service-b的流程 中大概流程 ：

Feign调用间采用OAuth2验证的配置：

（1）采用SpringBoot自动加载机制 定义注解继承@EnableOAuth2Client

@Import({OAuth2FeignConfigure.class})
@EnableOAuth2Client
@Documented
@Retention(RetentionPolicy.RUNTIME)
@Target({ElementType.TYPE})
public @interface EnableFeignOAuth2Client {

}

（2）定义配置类OAuth2FeignConfigure

 public class OAuth2FeignConfigure {
     // feign的OAuth2ClientContext
     private OAuth2ClientContext feignOAuth2ClientContext =  new DefaultOAuth2ClientContext();

     @Resource
     private ClientCredentialsResourceDetails clientCredentialsResourceDetails;

     @Autowired
     private ObjectFactory<HttpMessageConverters> messageConverters;

     @Bean
     public OAuth2RestTemplate clientCredentialsRestTemplate(){
         return new OAuth2RestTemplate(clientCredentialsResourceDetails);
     }

     @Bean
     public RequestInterceptor oauth2FeignRequestInterceptor(){
         return new OAuth2FeignRequestInterceptor(feignOAuth2ClientContext, clientCredentialsResourceDetails);
     }

     @Bean
     public Logger.Level feignLoggerLevel() {
         return Logger.Level.FULL;
     }

     @Bean
     public Retryer retry() {
         // default Retryer will retry 5 times waiting waiting
         // 100 ms per retry with a 1.5* back off multiplier
         return new Retryer.Default(100, SECONDS.toMillis(1), 3);
     }

     @Bean
     public Decoder feignDecoder() {
         return new CustomResponseEntityDecoder(new SpringDecoder(this.messageConverters), feignOAuth2ClientContext);
     }

     /**
      *  Http响应成功 但是token失效，需要定制 ResponseEntityDecoder
      * @author maxianming
      * @date 2018/10/30 9:47
      */
     class CustomResponseEntityDecoder implements Decoder {
         private org.slf4j.Logger log = LoggerFactory.getLogger(CustomResponseEntityDecoder.class);

         private Decoder decoder;

         private OAuth2ClientContext context;

         public CustomResponseEntityDecoder(Decoder decoder, OAuth2ClientContext context) {
             this.decoder = decoder;
             this.context = context;
         }

         @Override
         public Object decode(final Response response, Type type) throws IOException, FeignException {
             if (log.isDebugEnabled()) {
                 log.debug("feign decode type:{}，reponse:{}", type, response.body());
             }
             if (isParameterizeHttpEntity(type)) {
                 type = ((ParameterizedType) type).getActualTypeArguments()[0];
                 Object decodedObject = decoder.decode(response, type);
                 return createResponse(decodedObject, response);
             }
             else if (isHttpEntity(type)) {
                 return createResponse(null, response);
             }
             else {
                 // custom ResponseEntityDecoder if token is valid then go to errorDecoder
                 String body = Util.toString(response.body().asReader());
                 if (body.contains(ServerConstant.INVALID_TOKEN.getCode())) {
                     clearTokenAndRetry(response, body);
                 }
                 return decoder.decode(response, type);
             }
         }

         /**
          * token失效 则将token设置为null 然后重试
          * @author maxianming
          * @param
          * @return
          * @date 2018/10/30 10:05
          */
         private void clearTokenAndRetry(Response response, String body) throws FeignException {
             log.error("接收到Feign请求资源响应,响应内容:{}",body);
             context.setAccessToken(null);
             throw new RetryableException("access_token过期，即将进行重试", new Date());
         }

         private boolean isParameterizeHttpEntity(Type type) {
             if (type instanceof ParameterizedType) {
                 return isHttpEntity(((ParameterizedType) type).getRawType());
             }
             return false;
         }

         private boolean isHttpEntity(Type type) {
             if (type instanceof Class) {
                 Class c = (Class) type;
                 return HttpEntity.class.isAssignableFrom(c);
             }
             return false;
         }

         @SuppressWarnings("unchecked")
         private <T> ResponseEntity<T> createResponse(Object instance, Response response) {

             MultiValueMap<String, String> headers = new LinkedMultiValueMap<>();
             for (String key : response.headers().keySet()) {
                 headers.put(key, new LinkedList<>(response.headers().get(key)));
             }
             return new ResponseEntity<>((T) instance, headers, org.springframework.http.HttpStatus.valueOf(response
                     .status()));
         }
     }

     @Bean
     public ErrorDecoder errorDecoder() {
         return new RestClientErrorDecoder(feignOAuth2ClientContext);
     }

     /**
      *  Feign调用HTTP返回响应码错误时候，定制错误的解码
      * @author maxianming
      * @date 2018/10/30 9:45
      */
     class RestClientErrorDecoder implements ErrorDecoder {
         private org.slf4j.Logger logger = LoggerFactory.getLogger(RestClientErrorDecoder.class);

         private OAuth2ClientContext context;

         RestClientErrorDecoder(OAuth2ClientContext context) {
             this.context = context;
         }

         public Exception decode(String methodKey, Response response) {
             logger.error("Feign调用异常，异常methodKey:{}, token:{}, response:{}", methodKey, context.getAccessToken(), response.body());
             if (HttpStatus.SC_UNAUTHORIZED == response.status()) {
                 logger.error("接收到Feign请求资源响应401，access_token已经过期，重置access_token为null待重新获取。");
                 context.setAccessToken(null);
                 return new RetryableException("疑似access_token过期，即将进行重试", new Date());
             }
             return errorStatus(methodKey, response);
         }
     }

 }

1、使用ClientCredentialsResourceDetails （即client_id、 client-secret、user-info-uri等信息配置在配置中心）初始化OAuth2RestTemplate，用户请求创建token时候验证基本信息

2、主要定义了拦截器初始化了OAuth2FeignRequestInterceptor ，使得Feign进行RestTemplate调用的请求前进行token拦截。 如果不存在token则需要auth-server中获取token

3、注意上下文对象OAuth2ClientContext建立后不放在Bean容器中，主要放在Bean容器，Spring mvc的前置处理器, 会复制token到OAuth2ClientContext中， 导致用户的token会覆盖服务间的token当不同         token间的权限不同时，验证会不通过。

4、重新定义了 Decoder 即，RestTemple http调用的响应进行解码， 由于token失效时进行了扩展，

默认情况下：token失效会返回401错误的http响应，导致进入ErrorDecoder流程，在ErrorDecoder中如果token过期，则进行除掉token，Feign重试。

  扩展后：返回的是token失效的错误码，所以会走Decoder流程，所以对ResponseEntityDecoder进行了扩展，如果无效token错误码，则清空token并重试。