增加登陆页面html文件，增加oidc登陆接口，通过请求接口获取登陆界面，oidc接口输入参数并重定向到前端返回的uri地址

conf/nginx.conf

@@ -53,9 +53,21 @@ http {
         set $APP_PATH '/home/frankly/work/AuthPlatform';
 
         # 全局 CORS 配置 访问时允许跨域处理
-        add_header Access-Control-Allow-Origin *;
+        # 允许所有域跨域访问（不推荐，出于安全考虑应指定具体域名）
-        add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
+        add_header 'Access-Control-Allow-Origin' '*';
-        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+        # 允许特定域跨域访问（推荐）
+        #add_header 'Access-Control-Allow-Origin' 'https://xxx.com';
+        # 允许的HTTP方法
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+        # 允许的自定义请求头
+        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,Authorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Laction';
+        # 允许的暴露请求头
+        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,Authorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Location';
+        # 允许携带Cookie
+        add_header 'Access-Control-Allow-Credentials' 'true';
+        # 预检请求的有效期（可选）
+        add_header 'Access-Control-Max-Age' 1728000;
+        # 如果请求方法是OPTIONS，则直接返回204状态码，不执行后续操作
         if ($request_method = 'OPTIONS') {
             return 204;
         }

src/api/oauth/oauth.lua

@@ -13,6 +13,12 @@ local routes = {
     --------------------------------------------
     ------------ OIDC OAuth2.0认证相关路由配置 ---
     --------------------------------------------
+    --登陆界面
+    {
+        paths = { "/yum/v1/oauth/v2/login" },
+        methods = { "GET" },
+        handler = oauthService.login,
+    },
     --获取授权码
     {
         paths = { "/yum/v1/oauth/v2/authorize" },

src/service/oauth/oauth.lua

@@ -26,18 +26,41 @@ local function getUriArgs()
         ngx.req.read_body()
         -- 获取请求数据
         local body_data = ngx.req.get_body_data()
-        -- 验证json数据是否正确
+        print("body_data:", body_data)
-        local ok, data = pcall(cjson.decode, body_data)
+        local content_type = ngx.req.get_headers()["Content-Type"]
-        if not ok then
+        if content_type == "application/x-www-form-urlencoded" then
-            return ngx.exit(ngx.HTTP_BAD_REQUEST)
+            body_data, err = ngx.req.get_post_args()
+            if not body_data then
+                ngx.status = 500
+                ngx.say("获取表单数据失败: ", err)
+                ngx.exit(ngx.HTTP_BAD_REQUEST)
+            end
+            args = body_data
+        else
+            -- 验证json数据是否正确
+            local ok, data = pcall(cjson.decode, body_data)
+            if not ok then
+                print("json err:", ok)
+                return ngx.exit(ngx.HTTP_BAD_REQUEST)
+            end
+            args = data
         end
-        args = data
     elseif ngx.req.get_method() == "GET" then
         args = ngx.req.get_uri_args()
     end
     return args
 end
 
+function _M:login()
+    --读取oauth login界面文件
+    local current_dir = ngx.var.APP_PATH
+    local html = current_dir.."/oauth.html"
+    local file = io.open(html, "r")
+    local content = file:read("*a")
+    file:close()
+    ngx.say(content)
+end
+
 --获取授权码
 function _M:authorize()
     local args = getUriArgs()
@@ -72,10 +95,7 @@ function _M:authorize()
     local user, err = client.validate(client_id, redirect_uri)
     if user == nil then
         -- 重定向到登录页，携带当前授权请求参数（登录后跳转回来）
-        --local login_url = "/login?redirect=" .. ngx.escape_uri(ngx.var.request_uri)
+        self:login()
-        --print("authorize login_url:", login_url)
-        --ngx.redirect(login_url)
-        resp:response(status.USER_NOT_LOGIN)
         return
     end
     -- 4. 生成授权码（随机字符串，确保唯一性）（用户ID、客户端ID、scope、生成时间）
@@ -128,12 +148,22 @@ local function authorizatePassword(args)
     end
     -- 5.存储用户信息，证明用户已经登陆
     client.create(userid, client_id, uri_callback)
-    -- 6.返回结果
+    -- 6.Callback 端点用表单 POST 重定向（避免 URL 参数过长）
-    local rest = {}
+    ngx.status = 302  -- 302 保留请求方法
-    rest.redirect_uri = redirect_uri
+    ngx.header["Location"] = redirect_uri.."?code="..auth_code
-    rest.code = auth_code
+    ngx.exit(ngx.HTTP_OK)
-    resp:response(status.MOVED_TEMPORARILY, rest)
+
-    --resp:response(status.MOVED_TEMPORARILY, rest)
+    -- 目标地址：绝对 URL（替换为你的实际地址）
+    --local target_url = redirect_uri.."?code="..auth_code --("特殊字符/中文")
+    --ngx.redirect(target_url, 302)
+    -- 设置 302 跳转
+    --ngx.status = 302
+    --ngx.header["Location"] = target_url
+    ---- 禁用缓存，避免浏览器缓存跳转
+    --ngx.header["Cache-Control"] = "no-store, no-cache, must-revalidate"
+    --ngx.header["Pragma"] = "no-cache"
+    ---- 终止请求，确保响应不被覆盖
+    --ngx.exit(ngx.HTTP_OK)
 end
 
 -- 通过code形式进行认证
@@ -196,7 +226,18 @@ local function authorizateCode(args)
     end
     -- 7.返回结果
     ret.redirect_uri = redirect_uri
+    -- 4.返回结果
     resp:response(status.SUCCESS, ret)
+    do return end
+
+    --ngx.header["Location"] = redirect_uri;
+    --ngx.status = ngx.HTTP_MOVED_TEMPORARILY;  -- 设置状态码为302
+    --ngx.say("response body for 302 redirect.");  -- 发送自定义消息体
+    ----resp:response(status.MOVED_TEMPORARILY, ret)
+    --ngx.exec(redirect_uri, { ret = ret })
+    ngx.status = 302  -- 302 保留请求方法
+    ngx.header["Location"] = redirect_uri
+    ngx.exit(ngx.HTTP_OK)
 end
 
 -- 刷新令牌
@@ -242,7 +283,10 @@ function _M:token()
         ngx.exit(ngx.HTTP_BAD_REQUEST)
     end
     local grant_type = args.grant_type
-    --print("grant_type类型: ", grant_type)
+    local client_id = args.client_id
+    local client_secret = args.client_secret
+    local redirect_uri = args.redirect_uri
+    print("grant_type类型: ", grant_type, " client_id:", client_id, " client_secret:", client_secret, " redirect_uri:", redirect_uri)
     if grant_type == "password" then
         authorizatePassword(args)
     elseif grant_type == "authorization_code" then

src/util/status.lua

@@ -22,7 +22,7 @@ local _M = {
     -- 成功状态码
     SUCCESS = { code = 200, message = "操作成功" },
 
-    MOVED_TEMPORARILY = { code = 304, message = "跳转URI" },
+    MOVED_TEMPORARILY = { code = 302, message = "跳转URI" },
     --[[
     HTTP_SPECIAL_RESPONSE(300, "操作成功"),
     HTTP_MOVED_PERMANENTLY(301, "操作成功"),

src/validator/oauth/oauth.lua

@@ -55,8 +55,9 @@ local schemaUserPasswd = {
         client_secret = { type = "string" },
         username = { type = "string" },
         password = { type = "string" },
+        redirect_uri = { type = "string" },
     },
-    required = { "grant_type", "client_id", "client_secret", "username", "password" }
+    required = { "grant_type", "client_id", "client_secret", "username", "password", "redirect_uri" }
 }
 
 --通过用户名和密码进行认证