增加openidc登录后的用户信息，调用openidc接口时对用户进行认证业务逻辑

2025-11-14 16:08:15 +08:00 · 2025-11-14 16:08:15 +08:00 · de9034fbc6
commit de9034fbc6
parent b286ecf891
2 changed files with 76 additions and 20 deletions
--- a/src/service/oauth/oauth.lua
+++ b/src/service/oauth/oauth.lua
@ -11,6 +11,7 @@ local jwt = require "resty.jwt"
 local rsa = require("util.rsa")
 local authcode = require("util.authcode")
 local token = require("util.token")
+local client = require("util.client")

 local _M = {}

@ -39,7 +40,9 @@ function _M:authorize()
        return ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
    -- 1、校验客户端id和redirect_uri是否存在数据库
-    local code, res = oauthDao.getApplicationBy(args.client_id, args.redirect_uri)
+    local client_id = args.client_id
+    local redirect_uri = args.redirect_uri
+    local code, res = oauthDao.getApplicationBy(client_id, redirect_uri)
    if code ~= 0 or not res then
        return ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
@ -52,8 +55,8 @@ function _M:authorize()
        -- 验证范围是否允许 todo
    end
    -- 3、判断用户登录检查 用户已登录，直接展示授权确认页；未登录则重定向到登录页
-    local user_logged_in = true
-    if not user_logged_in then
+    local user, err = client.validate(client_id, redirect_uri)
+    if user == nil then
        -- 重定向到登录页，携带当前授权请求参数（登录后跳转回来）
        local login_url = "/login?redirect=" .. ngx.escape_uri(ngx.var.request_uri)
        --print("authorize login_url:", login_url)
@ -63,7 +66,7 @@ function _M:authorize()
        return
    end
    -- 4. 生成授权码（随机字符串，确保唯一性）（用户ID、客户端ID、scope、生成时间）
-    local auth_code, err = authcode.create("123456", args.client_id, args.redirect_uri, args.scope)
+    local auth_code, err = authcode.create(user.userid, client_id, redirect_uri, args.scope)
    if not auth_code then
        ngx.log(ngx.ERR, "生成授权码失败: ", err)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
@ -72,7 +75,7 @@ function _M:authorize()
    -- 5. 重定向到客户端回调地址，携带授权码和原始 state（防 CSRF）
    local redirect_url = args.redirect_uri .. "?code=" .. code .. "&state=" .. args.state
    local rest = {}
-    rest.redirect_uri = args.redirect_uri
+    rest.redirect_uri = redirect_uri
    rest.code = auth_code
    rest.state = args.state
    local result = resp:json(ngx.HTTP_OK, rest)
@ -113,7 +116,7 @@ local function authorizatePassword(args)
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    -- 5.存储用户信息，证明用户已经登陆
-    
+    client.create(userid, client_id, redirect_uri)
    -- 6.返回结果
    local rest = {}
    rest.redirect_uri = redirect_uri
@ -237,15 +240,15 @@ function _M:userinfo()
    -- 3.获取token的数据值
    local token = string.sub(auth_header,8)
    --校验令牌
-    local pub_key, priv_key, err = rsa.generate_rsa_keys(2048)
-    if err then
-        --print("密钥生成失败: ", err)
-        local result = resp:json(0x00001)
-        resp:send(result)
-        return
-    end
+    --local pub_key, priv_key, err = rsa.generate_rsa_keys(2048)
+    --if err then
+    --    --print("密钥生成失败: ", err)
+    --    local result = resp:json(0x00001)
+    --    resp:send(result)
+    --    return
+    --end
    -- 4.对token进行验证
-    print("userinfo pubkey:", pub_key)
+    --print("userinfo pubkey:", pub_key)
    local jwt_obj = jwt:verify(pub_key, token)
    --如果校验结果中的verified==false，则表示令牌无效
    if jwt_obj.verified == false then
@ -260,14 +263,23 @@ function _M:userinfo()
        ngx.status = ngx.HTTP_UNAUTHORIZED
        ngx.exit(ngx.HTTP_UNAUTHORIZED)
    end
+    --通过用户id获取用户信息
+    local user_id = jwt_obj.payload.sub
+    local code, rest = oauthDao.getUser(user_id)
+    --读取数据错误
+    if code ~= 0 or table.getn(ret) < 0 then
+        local result = resp:json(0x000001)
+        resp:send(result)
+        return
+    end
    -- 5.获取token中的信息进行所需用户的信息返回
    local ret = {}
-    ret.sub = 248289761001
-    ret.name = "Jane Doe"
-    ret.given_name = "Jane"
-    ret.family_name = "Doe"
-    ret.preferred_username = "j.doe"
-    ret.email = "janedoe@example.com"
+    ret.sub = user_id
+    ret.name = rest[1].username
+    ret.phone = rest[1].phone
+    ret.real_name = rest[1].realname
+    ret.office_phone = rest[1].office_phone
+    ret.email = rest[1].email
    local result = resp:json(ngx.HTTP_OK, ret)
    resp:send(result)
 end
--- a/src/util/client.lua
+++ b/src/util/client.lua
@ -0,0 +1,44 @@
+---
+--- Generated by EmmyLua(https://github.com/EmmyLua)
+--- Created by admin.
+--- DateTime: 2025/11/14 13:46
+--- OpenIDC协议中OAutho2.0判断第三方用户是否登录系统
+
+local red =  require("share.redis")
+local cjson = require("cjson.safe")
+
+local _M = {}
+
+-- 客户端登录进行存储
+function _M:create(userid, client_id, redirect_uris)
+    local client_str = {}
+    client_str.userid = userid
+    client_str.client_id = client_id
+    client_str.redirect_uris = redirect_uris
+    red:set("oidc:client:"..client_id, client_str)
+end
+
+-- 验证客户端是否存在
+function _M.validate(client_id, redirect_uri)
+    -- 从 Redis 获取客户端信息（假设存储在 key: oidc:client:{client_id}）
+    local client_str, err = red:get("oidc:client:"..client_id)
+    if not client_str or client_str == ngx.nul6l then
+        return nil, "客户端不存在"
+    end
+
+    local client = cjson.decode(client_str)
+    -- 验证 redirect_uri 是否在客户端注册的范围内
+    local valid_redirect = false
+    for _, uri in ipairs(client.redirect_uris) do
+        if uri == redirect_uri then
+            valid_redirect = true
+            break
+        end
+    end
+    if not valid_redirect then
+        return nil, "无效的 redirect_uri"
+    end
+    return client
+end
+
+return _M