From 955f1c59a233cc28c648d1ebed87d9b42ea67cf2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=99=E5=B0=8F=E4=BA=91?= <sunpengchina85@gmail.com>
Date: Fri, 18 Jul 2025 17:08:09 +0800
Subject: [PATCH] s

---
 gateway/.idea/workspace.xml                   |   7 +-
 .../gateway/config/SecurityConfig.java        |   4 +-
 .../src/main/resources/application.properties |  17 +-
 gateway/target/classes/application.properties |  14 -
 .../tuoheng/gateway/GatewayApplication.class  | Bin 748 -> 0 bytes
 .../gateway/config/SecurityConfig.class       | Bin 3507 -> 0 bytes
 nginx/nginx.conf                              | 147 ++++++---
 .../oauth/oidc/config/SecurityConfig.java     |  18 +-
 resourceserviceb/.idea/.gitignore             |   8 +
 resourceserviceb/.idea/compiler.xml           |  18 ++
 resourceserviceb/.idea/encodings.xml          |   6 +
 resourceserviceb/.idea/jarRepositories.xml    |  30 ++
 resourceserviceb/.idea/misc.xml               |  12 +
 resourceserviceb/.idea/vcs.xml                |   6 +
 resourceserviceb/pom.xml                      |  38 +++
 .../resourceservice/HelloController.java      |  18 ++
 .../ResourceServiceApplication.java           |  11 +
 .../src/main/resources/application.properties |   1 +
 resourceservicehtmlb/callback.html            | 204 ++++++++++++
 resourceservicehtmlb/index.html               | 294 ++++++++++++++++++
 20 files changed, 790 insertions(+), 63 deletions(-)
 delete mode 100644 gateway/target/classes/application.properties
 delete mode 100644 gateway/target/classes/com/tuoheng/gateway/GatewayApplication.class
 delete mode 100644 gateway/target/classes/com/tuoheng/gateway/config/SecurityConfig.class
 create mode 100644 resourceserviceb/.idea/.gitignore
 create mode 100644 resourceserviceb/.idea/compiler.xml
 create mode 100644 resourceserviceb/.idea/encodings.xml
 create mode 100644 resourceserviceb/.idea/jarRepositories.xml
 create mode 100644 resourceserviceb/.idea/misc.xml
 create mode 100644 resourceserviceb/.idea/vcs.xml
 create mode 100644 resourceserviceb/pom.xml
 create mode 100644 resourceserviceb/src/main/java/com/tuoheng/resourceservice/HelloController.java
 create mode 100644 resourceserviceb/src/main/java/com/tuoheng/resourceservice/ResourceServiceApplication.java
 create mode 100644 resourceserviceb/src/main/resources/application.properties
 create mode 100644 resourceservicehtmlb/callback.html
 create mode 100644 resourceservicehtmlb/index.html

diff --git a/gateway/.idea/workspace.xml b/gateway/.idea/workspace.xml
index 0c4a32d..267654b 100644
--- a/gateway/.idea/workspace.xml
+++ b/gateway/.idea/workspace.xml
@@ -9,8 +9,9 @@
       <change beforePath="$PROJECT_DIR$/../oidc/pom.xml" beforeDir="false" afterPath="$PROJECT_DIR$/../oidc/pom.xml" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/../oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java" beforeDir="false" afterPath="$PROJECT_DIR$/../oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/../oidc/src/main/resources/application.properties" beforeDir="false" afterPath="$PROJECT_DIR$/../oidc/src/main/resources/application.properties" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/HelloController.class" beforeDir="false" afterPath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/HelloController.class" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/ResourceServiceApplication.class" beforeDir="false" afterPath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/ResourceServiceApplication.class" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/../resourceservice/target/classes/application.properties" beforeDir="false" />
+      <change beforePath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/HelloController.class" beforeDir="false" />
+      <change beforePath="$PROJECT_DIR$/../resourceservice/target/classes/com/tuoheng/resourceservice/ResourceServiceApplication.class" beforeDir="false" />
       <change beforePath="$PROJECT_DIR$/../resourceservicehtml/callback.html" beforeDir="false" afterPath="$PROJECT_DIR$/../resourceservicehtml/callback.html" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/../resourceservicehtml/index.html" beforeDir="false" afterPath="$PROJECT_DIR$/../resourceservicehtml/index.html" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/../resourceservicehtml/test.html" beforeDir="false" afterPath="$PROJECT_DIR$/../resourceservicehtml/test.html" afterDir="false" />
@@ -115,7 +116,7 @@
       <workItem from="1752741336600" duration="2274000" />
       <workItem from="1752745264222" duration="2832000" />
       <workItem from="1752751160098" duration="1320000" />
-      <workItem from="1752798688493" duration="8093000" />
+      <workItem from="1752798688493" duration="8426000" />
     </task>
     <servers />
   </component>
diff --git a/gateway/src/main/java/com/tuoheng/gateway/config/SecurityConfig.java b/gateway/src/main/java/com/tuoheng/gateway/config/SecurityConfig.java
index 8dc168f..b65652c 100644
--- a/gateway/src/main/java/com/tuoheng/gateway/config/SecurityConfig.java
+++ b/gateway/src/main/java/com/tuoheng/gateway/config/SecurityConfig.java
@@ -12,8 +12,8 @@ public class SecurityConfig {
     public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
         http
             .authorizeExchange(exchanges -> exchanges
-                .pathMatchers("/test/**").permitAll()  // 测试路径不需要认证
-                .pathMatchers("/api/**").authenticated()
+                .pathMatchers("/a/**").authenticated()
+                .pathMatchers("/b/**").authenticated()
                 .anyExchange().permitAll()
             )
             .oauth2ResourceServer(oauth2 -> oauth2.jwt());
diff --git a/gateway/src/main/resources/application.properties b/gateway/src/main/resources/application.properties
index 62cdc6a..83f1639 100644
--- a/gateway/src/main/resources/application.properties
+++ b/gateway/src/main/resources/application.properties
@@ -1,14 +1,15 @@
 server.port=8080
 
-spring.cloud.gateway.routes[0].id=resource-server
+spring.cloud.gateway.routes[0].id=resource-server-a
 spring.cloud.gateway.routes[0].uri=http://localhost:8081
-spring.cloud.gateway.routes[0].predicates[0]=Path=/api/**
-spring.cloud.gateway.routes[0].filters[0]=TokenRelay
+spring.cloud.gateway.routes[0].predicates[0]=Path=/a/**
+spring.cloud.gateway.routes[0].filters[0]=RewritePath=/a/(?<segment>.*), /api/${segment}
+spring.cloud.gateway.routes[0].filters[1]=TokenRelay
 
-# 添加一个不需要认证的测试路由
-spring.cloud.gateway.routes[1].id=test-route
-spring.cloud.gateway.routes[1].uri=http://localhost:8081
-spring.cloud.gateway.routes[1].predicates[0]=Path=/test/**
-spring.cloud.gateway.routes[1].filters[0]=RewritePath=/test/(?<segment>.*), /api/$\{segment}
+spring.cloud.gateway.routes[1].id=resource-server-b
+spring.cloud.gateway.routes[1].uri=http://localhost:8082
+spring.cloud.gateway.routes[1].predicates[0]=Path=/b/**
+spring.cloud.gateway.routes[1].filters[0]=RewritePath=/b/(?<segment>.*), /api/${segment}
+spring.cloud.gateway.routes[1].filters[1]=TokenRelay
 
 spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9000/oauth2/jwks
\ No newline at end of file
diff --git a/gateway/target/classes/application.properties b/gateway/target/classes/application.properties
deleted file mode 100644
index 62cdc6a..0000000
--- a/gateway/target/classes/application.properties
+++ /dev/null
@@ -1,14 +0,0 @@
-server.port=8080
-
-spring.cloud.gateway.routes[0].id=resource-server
-spring.cloud.gateway.routes[0].uri=http://localhost:8081
-spring.cloud.gateway.routes[0].predicates[0]=Path=/api/**
-spring.cloud.gateway.routes[0].filters[0]=TokenRelay
-
-# 添加一个不需要认证的测试路由
-spring.cloud.gateway.routes[1].id=test-route
-spring.cloud.gateway.routes[1].uri=http://localhost:8081
-spring.cloud.gateway.routes[1].predicates[0]=Path=/test/**
-spring.cloud.gateway.routes[1].filters[0]=RewritePath=/test/(?<segment>.*), /api/$\{segment}
-
-spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://localhost:9000/oauth2/jwks
\ No newline at end of file
diff --git a/gateway/target/classes/com/tuoheng/gateway/GatewayApplication.class b/gateway/target/classes/com/tuoheng/gateway/GatewayApplication.class
deleted file mode 100644
index 7bac476c0d3c3cae2795a8165a849bd3dbe1731f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 748
zcma)4OHbQC5dJnKIE3&D<qZceDCEH2=phKHjYKczA%enz)7mV~g1sB9*QNbgoLcqJ
zAJ89Fb=DvyQggtPXEd*GX1|#~e}DZ3@DY0rR4@~u+C&Yr49kz=tKg~73BQaUW$YMc
zPn1^flwqcQI0#T@IEYQgU15fj(h}k1v-r-xyy{P*QL19$l+g_|Fdv}V!~zx>I>shE
zA6cc72P-o9Z0r+{jB&hQIwvZrmn}3y)DFk<^iq-M-Ma}--+8d^VK@yrHrmN=j`xgy
zP)T7$l*)+~<o4k%L$zn_CBssvw7e*?NZK2p%g_o<EYg9n%G+<wsvD}Dp&h=D1CO5x
zMQ>SePaAzeabXieT%8i8eVj`-H1}7+Gv=hF#75r~HkN0~&$#hF?MI$6hOO&DJC(_S
z%9Ve**2a}<A&AqdjFr0(g)>B5Ntt}x%x7BC1a)2PBcQYKUj@t`4#_35IB7<@*7*VU
zQihjF`Y@<ug=F(J0WGYOHHQyaBM@JFT!I1hR?zv0x!ZBQzfqqX&_Rtc>R87H`8VmW
S5x=A=*ec~Vc1ZiSyTCukZNqE;

diff --git a/gateway/target/classes/com/tuoheng/gateway/config/SecurityConfig.class b/gateway/target/classes/com/tuoheng/gateway/config/SecurityConfig.class
deleted file mode 100644
index 6a0a8e20f1ebc0cb25301afa6299f8f68d581fc4..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3507
zcmcInYjYD-7=BJ~DPf@@g>n%^Fi4Y97EnPAqHW|JE)s0yB6zYnO}5?aW_C9%^}GK^
zztkCKbo}i2n;f5$-OvQm5Qj3E-LvQNzVGwiPyYV*#h(B!qM5`9MiUq_Fpdd<)QVh_
zrX$^&dAG8ntWaR$lI_~zWr5Mz>{6OklLmGnDX`0G1)<lle^vtLXR}4mubDy9x82&Z
zFB@vz^H<G4SuNiVH%!ZOm+hKa=#cpNBn<3HV6TBGqy!d*AzxP&vh>%KZ<gA_^)PIf
zVi^MaWGk$DJ`r7cZq=y-k+o+3FR<Y>83-kxhQOrOaN59rt=@i5V>^Fe1zyXyRD@n1
zm@#k=hXlqeE!(LIEWXK-J%S_amR04d?S#rN)TQmxvPbY<0!IzJj}HVMy|raCcNbm<
zUur6gL9w#V7+HQ3=-B-|*tHwG{kN@@%+2*sOUozlVNZybLLF_BI6-5Zp$bAXmrEjp
zlL>rm;1p&B%5Sf{*1adFBF&Aa4C}XLXw{V;2%MUIT--{Y2w6VcwG`zOb;t=keMhJ=
z3znsVAc-ta8<@u#W@%IT4Le+L9D&C>;-<d#$WP*|K*E$wyX}N5&Kvkd1K6VjU%8=e
z$xv0bdp<L80T%^!OLt={Q7i8bTx=HF{tJPu<u%N(<q=cOtP#_?d|944rKHfVRsv%M
zugV%SRkU4or`4z^|ADMHTuB!_OFB!^xAi<;91H6<BVn#Mw1m9COs7QlCb7UT!xgT9
zDa8OB7->DkeQODAP-l%5C=BK_OoCI})NRFNs@{{jL$F}cT!-(s7#t0?WCu2Fx!}59
zC_~$Gxi{ZeC}oA}d1%U)N6kegU9vys$VR0qGyQFvIVbRJ2duhnp~`2M*e|0>FYu%<
z_ztvAN9=LI&?WKBx-uJ|?1ZlUvt28?OT|r=j(WHQy7reOkSw)ZCOaGxZ@M={&*+jX
zaG|gGK5-HycFS)E7>!u!OZcjfx&lqR%U9A0?KNdyadq~W*?pbX^A0c_<%^yd2B9yT
zQMd<F6L^rs_gG4xY~Tkx6gaWfENpkpTUBPU9lNBE%jEC*8?2B_lC9Z4vt8{ZCW-`H
zmu}TjL8j<=tF30f>sZ`~x>kA!A8a&L_wnI3Bawq?yW3yPxgZ^<WQQuB!efC0-5SLW
zGP^`;{g}k(cxvD#Zl!RG3sNss3|z&v6s`#vH(ZzZ9Y+R%V*DN2?uL>;O`tNc2o6)a
zwoUoY-Gsd_zNJvBzLCtz5OwDS*osfS=Kg-3Ou!ZRVDM4$jogmoG|>nz=)f4SpS;iW
z{Uv86N5OGC_dCRI{1`!=Z@mp9afxpuI)JZmnKOZ}@eM}X#ATk=Ob^bzKmypr?ibjn
z$8>pa69<0fR>Uq%slXnx-OJxJ(!BU;)-w@#%$kg_fJKTZaBrOVeh%OA(P*v!sibx>
zzcui)95u#?+$Ii}UqwFMg?s|naidMmh>59dG=Zj`&yD?oV-H8u$4i^|=r3e9F&D3x
zFIUcO;#01737H`|InqE=ILh%P)jrK}%Uts);x^BW;SS#;xZ74l|D(Fc`FDKo^U?a3
rXv{}=f@ks9Pq0wsUXC)3(D;f#m-$uanBm;!nB~_BWv-$D4~PE)H`GOp

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 1c4d050..d85cab9 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -17,6 +17,11 @@ events {
 
 # HTTP模块配置
 http {
+    map $http_origin $cors_origin {
+        default "";
+        "https://a.local.com" "https://a.local.com";
+        "https://b.local.com" "https://b.local.com";
+    }
     # MIME类型
     include /opt/homebrew/etc/nginx/mime.types;
     default_type application/octet-stream;
@@ -51,7 +56,7 @@ http {
     # 前端应用服务器 (a.local.com) - HTTPS
     server {
         listen 443 ssl;
-        server_name a.local.com;
+        server_name b.local.com;
 
         # SSL配置
         ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt;
@@ -61,14 +66,14 @@ http {
         ssl_prefer_server_ciphers off;
 
         # 静态文件目录
-        root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtml;
+        root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtmlb;
 
         # 首页和静态文件
         location / {
             try_files $uri $uri/ /index.html;
             
             # 添加CORS头
-            add_header Access-Control-Allow-Origin *;
+            add_header Access-Control-Allow-Origin $cors_origin;
             add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
             add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
         }
@@ -86,6 +91,7 @@ http {
 
         # /api 路径转发到网关
         location /api/ {
+            rewrite ^/api/(.*)$ /b/$1 break;
             proxy_pass http://localhost:8080;
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -93,40 +99,14 @@ http {
             proxy_set_header X-Forwarded-Proto $scheme;
             
             # 处理CORS
-            add_header Access-Control-Allow-Origin "https://a.local.com" always;
+            add_header Access-Control-Allow-Origin $cors_origin always;
             add_header Access-Control-Allow-Credentials "true" always;
             add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
             add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
             
             # 处理OPTIONS请求
             if ($request_method = 'OPTIONS') {
-                add_header Access-Control-Allow-Origin "https://a.local.com" always;
-                add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
-                add_header Access-Control-Max-Age 1728000;
-                add_header Content-Type "text/plain; charset=utf-8";
-                add_header Content-Length 0;
-                return 204;
-            }
-        }
-
-        # /test 路径转发到网关 (测试用)
-        location /test/ {
-            proxy_pass http://localhost:8080;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            
-            # 处理CORS
-            add_header Access-Control-Allow-Origin "https://a.local.com" always;
-            add_header Access-Control-Allow-Credentials "true" always;
-            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
-            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
-            
-            # 处理OPTIONS请求
-            if ($request_method = 'OPTIONS') {
-                add_header Access-Control-Allow-Origin "https://a.local.com" always;
+                add_header Access-Control-Allow-Origin $cors_origin always;
                 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
                 add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                 add_header Access-Control-Max-Age 1728000;
@@ -149,14 +129,111 @@ http {
             access_log /tmp/nginx_oidc_logout.log main_cookie;
 
             # 处理CORS
-            add_header Access-Control-Allow-Origin "https://a.local.com" always;
+            add_header Access-Control-Allow-Origin $cors_origin always;
             add_header Access-Control-Allow-Credentials "true" always;
             add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
             add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
 
             # 处理OPTIONS请求
             if ($request_method = 'OPTIONS') {
-                add_header Access-Control-Allow-Origin "https://a.local.com" always;
+                add_header Access-Control-Allow-Origin $cors_origin always;
+                add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
+                add_header Access-Control-Max-Age 1728000;
+                add_header Content-Type "text/plain; charset=utf-8";
+                add_header Content-Length 0;
+                return 204;
+            }
+        }
+
+        # 错误页面
+        error_page 404 /404.html;
+        error_page 500 502 503 504 /50x.html;
+    }
+
+       server {
+        listen 443 ssl;
+        server_name a.local.com;
+
+        # SSL配置
+        ssl_certificate /Users/sunpeng/workspace/remote/oauth2/ssl/certificate.crt;
+        ssl_certificate_key /Users/sunpeng/workspace/remote/oauth2/ssl/private.key;
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
+        ssl_prefer_server_ciphers off;
+
+        # 静态文件目录
+        root /Users/sunpeng/workspace/remote/oauth2/resourceservicehtml;
+
+        # 首页和静态文件
+        location / {
+            try_files $uri $uri/ /index.html;
+            
+            # 添加CORS头
+            add_header Access-Control-Allow-Origin $cors_origin;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
+        }
+
+        # 防止前端server拦截OIDC登录页，/login直接返回404
+        location = /login {
+            return 404;
+        }
+
+        # 处理OPTIONS预检请求
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # /api 路径转发到网关
+        location /api/ {
+            rewrite ^/api/(.*)$ /a/$1 break;
+            proxy_pass http://localhost:8080;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # 处理CORS
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
+            
+            # 处理OPTIONS请求
+            if ($request_method = 'OPTIONS') {
+                add_header Access-Control-Allow-Origin $cors_origin always;
+                add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
+                add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
+                add_header Access-Control-Max-Age 1728000;
+                add_header Content-Type "text/plain; charset=utf-8";
+                add_header Content-Length 0;
+                return 204;
+            }
+        }
+
+        # /oidc-logout 路径转发到 OIDC 服务
+        location /oidc-logout {
+            proxy_pass http://localhost:9000/oidc-logout;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Cookie $http_cookie;
+
+            # 记录cookie内容到专用日志
+            access_log /tmp/nginx_oidc_logout.log main_cookie;
+
+            # 处理CORS
+            add_header Access-Control-Allow-Origin $cors_origin always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
+            add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
+
+            # 处理OPTIONS请求
+            if ($request_method = 'OPTIONS') {
+                add_header Access-Control-Allow-Origin $cors_origin always;
                 add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
                 add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                 add_header Access-Control-Max-Age 1728000;
@@ -194,12 +271,12 @@ http {
             proxy_set_header X-Forwarded-Host $host;
             proxy_set_header X-Forwarded-Ssl on;
             proxy_set_header Cookie $http_cookie;
-            add_header Access-Control-Allow-Origin "https://a.local.com" always;
+            add_header Access-Control-Allow-Origin $cors_origin always;
             add_header Access-Control-Allow-Credentials "true" always;
             add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
             add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
             if ($request_method = 'OPTIONS') {
-                add_header Access-Control-Allow-Origin "https://a.local.com" always;
+                add_header Access-Control-Allow-Origin $cors_origin always;
                 add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
                 add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization";
                 add_header Access-Control-Max-Age 1728000;
diff --git a/oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java b/oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java
index 3b37e4a..bee28d9 100644
--- a/oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java
+++ b/oidc/src/main/java/com/tuoheng/oauth/oidc/config/SecurityConfig.java
@@ -130,8 +130,24 @@ public class SecurityConfig {
                         .build())
                 .build();
 
+        // b.local 前端应用的 client
+        RegisteredClient bClient = RegisteredClient.withId(UUID.randomUUID().toString())
+                .clientId("b-client")
+                .clientSecret(passwordEncoder.encode("b-secret"))
+                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
+                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
+                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
+                .redirectUri("https://b.local.com/callback")
+                .scope(OidcScopes.OPENID)
+                .scope("read")
+                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(false).build())
+                .tokenSettings(TokenSettings.builder()
+                        .accessTokenTimeToLive(Duration.ofMinutes(10))
+                        .refreshTokenTimeToLive(Duration.ofHours(1))
+                        .build())
+                .build();
 
-        return new InMemoryRegisteredClientRepository(aClient);
+        return new InMemoryRegisteredClientRepository(aClient, bClient);
     }
 
     // 生成 RSA 密钥对
diff --git a/resourceserviceb/.idea/.gitignore b/resourceserviceb/.idea/.gitignore
new file mode 100644
index 0000000..35410ca
--- /dev/null
+++ b/resourceserviceb/.idea/.gitignore
@@ -0,0 +1,8 @@
+# 默认忽略的文件
+/shelf/
+/workspace.xml
+# 基于编辑器的 HTTP 客户端请求
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml
diff --git a/resourceserviceb/.idea/compiler.xml b/resourceserviceb/.idea/compiler.xml
new file mode 100644
index 0000000..730d3e7
--- /dev/null
+++ b/resourceserviceb/.idea/compiler.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="CompilerConfiguration">
+    <annotationProcessing>
+      <profile name="Maven default annotation processors profile" enabled="true">
+        <sourceOutputDir name="target/generated-sources/annotations" />
+        <sourceTestOutputDir name="target/generated-test-sources/test-annotations" />
+        <outputRelativeToContentRoot value="true" />
+        <module name="resourceservice" />
+      </profile>
+    </annotationProcessing>
+  </component>
+  <component name="JavacSettings">
+    <option name="ADDITIONAL_OPTIONS_OVERRIDE">
+      <module name="resourceservice" options="-parameters" />
+    </option>
+  </component>
+</project>
\ No newline at end of file
diff --git a/resourceserviceb/.idea/encodings.xml b/resourceserviceb/.idea/encodings.xml
new file mode 100644
index 0000000..63e9001
--- /dev/null
+++ b/resourceserviceb/.idea/encodings.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Encoding">
+    <file url="file://$PROJECT_DIR$/src/main/java" charset="UTF-8" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/resourceserviceb/.idea/jarRepositories.xml b/resourceserviceb/.idea/jarRepositories.xml
new file mode 100644
index 0000000..bef82d8
--- /dev/null
+++ b/resourceserviceb/.idea/jarRepositories.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="RemoteRepositoriesConfiguration">
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Central Repository" />
+      <option name="url" value="http://maven.aliyun.com/nexus/content/groups/public/" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="snapshot-repo" />
+      <option name="name" value="Snapshot Repository" />
+      <option name="url" value="http://192.168.10.101:48081/repository/maven-snapshots/" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="release-repo" />
+      <option name="name" value="Release Repository" />
+      <option name="url" value="http://192.168.10.103:48081/repository/maven-public/" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="central" />
+      <option name="name" value="Maven Central repository" />
+      <option name="url" value="https://repo1.maven.org/maven2" />
+    </remote-repository>
+    <remote-repository>
+      <option name="id" value="jboss.community" />
+      <option name="name" value="JBoss Community repository" />
+      <option name="url" value="https://repository.jboss.org/nexus/content/repositories/public/" />
+    </remote-repository>
+  </component>
+</project>
\ No newline at end of file
diff --git a/resourceserviceb/.idea/misc.xml b/resourceserviceb/.idea/misc.xml
new file mode 100644
index 0000000..5ddb3b3
--- /dev/null
+++ b/resourceserviceb/.idea/misc.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ExternalStorageConfigurationManager" enabled="true" />
+  <component name="MavenProjectsManager">
+    <option name="originalFiles">
+      <list>
+        <option value="$PROJECT_DIR$/pom.xml" />
+      </list>
+    </option>
+  </component>
+  <component name="ProjectRootManager" version="2" languageLevel="JDK_23" default="true" project-jdk-name="openjdk-23" project-jdk-type="JavaSDK" />
+</project>
\ No newline at end of file
diff --git a/resourceserviceb/.idea/vcs.xml b/resourceserviceb/.idea/vcs.xml
new file mode 100644
index 0000000..6c0b863
--- /dev/null
+++ b/resourceserviceb/.idea/vcs.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>
\ No newline at end of file
diff --git a/resourceserviceb/pom.xml b/resourceserviceb/pom.xml
new file mode 100644
index 0000000..cd4ba5e
--- /dev/null
+++ b/resourceserviceb/pom.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>2.7.18</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+    <groupId>com.tuoheng</groupId>
+    <artifactId>resourceservice</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <name>resourceservice</name>
+    <description>Simple RESTful Resource Service</description>
+    <properties>
+        <java.version>11</java.version>
+    </properties>
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project> 
\ No newline at end of file
diff --git a/resourceserviceb/src/main/java/com/tuoheng/resourceservice/HelloController.java b/resourceserviceb/src/main/java/com/tuoheng/resourceservice/HelloController.java
new file mode 100644
index 0000000..93b5049
--- /dev/null
+++ b/resourceserviceb/src/main/java/com/tuoheng/resourceservice/HelloController.java
@@ -0,0 +1,18 @@
+package com.tuoheng.resourceservice;
+
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+import java.util.HashMap;
+import java.util.Map;
+
+@RestController
+public class HelloController {
+    @GetMapping("/api/hello")
+    public Map<String, Object> hello() {
+        Map<String, Object> response = new HashMap<>();
+        response.put("message", "Hello from Resource Service!");
+        response.put("timestamp", System.currentTimeMillis());
+        response.put("service", "Resource Service");
+        return response;
+    }
+} 
\ No newline at end of file
diff --git a/resourceserviceb/src/main/java/com/tuoheng/resourceservice/ResourceServiceApplication.java b/resourceserviceb/src/main/java/com/tuoheng/resourceservice/ResourceServiceApplication.java
new file mode 100644
index 0000000..703a94d
--- /dev/null
+++ b/resourceserviceb/src/main/java/com/tuoheng/resourceservice/ResourceServiceApplication.java
@@ -0,0 +1,11 @@
+package com.tuoheng.resourceservice;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ResourceServiceApplication {
+    public static void main(String[] args) {
+        SpringApplication.run(ResourceServiceApplication.class, args);
+    }
+} 
\ No newline at end of file
diff --git a/resourceserviceb/src/main/resources/application.properties b/resourceserviceb/src/main/resources/application.properties
new file mode 100644
index 0000000..8d51d0c
--- /dev/null
+++ b/resourceserviceb/src/main/resources/application.properties
@@ -0,0 +1 @@
+server.port=8082
\ No newline at end of file
diff --git a/resourceservicehtmlb/callback.html b/resourceservicehtmlb/callback.html
new file mode 100644
index 0000000..0612a41
--- /dev/null
+++ b/resourceservicehtmlb/callback.html
@@ -0,0 +1,204 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <title>OIDC回调处理</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            max-width: 600px;
+            margin: 50px auto;
+            padding: 20px;
+            background-color: #f5f5f5;
+        }
+        .container {
+            background: white;
+            padding: 30px;
+            border-radius: 8px;
+            box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+            text-align: center;
+        }
+        .status {
+            padding: 15px;
+            margin: 10px 0;
+            border-radius: 5px;
+        }
+        .success { background-color: #d4edda; color: #155724; border: 1px solid #c3e6cb; }
+        .error { background-color: #f8d7da; color: #721c24; border: 1px solid #f5c6cb; }
+        .loading { background-color: #d1ecf1; color: #0c5460; border: 1px solid #bee5eb; }
+        .spinner {
+            border: 4px solid #f3f3f3;
+            border-top: 4px solid #3498db;
+            border-radius: 50%;
+            width: 40px;
+            height: 40px;
+            animation: spin 1s linear infinite;
+            margin: 20px auto;
+        }
+        @keyframes spin {
+            0% { transform: rotate(0deg); }
+            100% { transform: rotate(360deg); }
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>处理OIDC回调</h1>
+        
+        <div id="status" class="status loading">
+            <div class="spinner"></div>
+            <p>正在处理认证回调...</p>
+        </div>
+        
+        <div id="result" style="display: none;">
+            <div id="resultContent"></div>
+            <button onclick="goToMain()" style="margin-top: 20px; padding: 10px 20px; background-color: #007bff; color: white; border: none; border-radius: 5px; cursor: pointer;">
+                返回主页
+            </button>
+        </div>
+    </div>
+
+    <script>
+        // OIDC配置
+        const oidcConfig = {
+            clientId: 'b-client',
+            clientSecret: 'b-secret',
+            redirectUri: 'https://b.local.com/callback',
+            tokenEndpoint: 'https://oidc.local.com/oauth2/token',
+            userInfoEndpoint: 'https://oidc.local.com/userinfo'
+        };
+
+        // 页面加载时执行
+        window.onload = function() {
+            const urlParams = new URLSearchParams(window.location.search);
+            const code = urlParams.get('code');
+            const state = urlParams.get('state');
+            const error = urlParams.get('error');
+
+            if (error) {
+                showError('认证失败: ' + error);
+                return;
+            }
+
+            if (!code) {
+                showError('未收到授权码');
+                return;
+            }
+
+            // 验证state参数
+            const savedState = localStorage.getItem('oauth_state');
+            if (state !== savedState) {
+                showError('状态验证失败，可能存在CSRF攻击');
+                return;
+            }
+
+            // 交换授权码为token
+            exchangeCodeForToken(code);
+        };
+
+        // 交换授权码为token
+        function exchangeCodeForToken(code) {
+            const tokenData = new URLSearchParams();
+            tokenData.append('grant_type', 'authorization_code');
+            tokenData.append('code', code);
+            tokenData.append('redirect_uri', oidcConfig.redirectUri);
+
+            // 使用Basic认证
+            const credentials = btoa(oidcConfig.clientId + ':' + oidcConfig.clientSecret);
+
+            fetch(oidcConfig.tokenEndpoint, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Authorization': 'Basic ' + credentials
+                },
+                body: tokenData
+            })
+            .then(response => {
+                if (!response.ok) {
+                    return response.json().then(err => {
+                        throw new Error(`Token交换失败: ${err.error || response.statusText}`);
+                    });
+                }
+                return response.json();
+            })
+            .then(data => {
+                if (data.access_token) {
+                    // 保存token
+                    localStorage.setItem('access_token', data.access_token);
+                    if (data.refresh_token) {
+                        localStorage.setItem('refresh_token', data.refresh_token);
+                    }
+                    
+                    // 清除state
+                    localStorage.removeItem('oauth_state');
+                    
+                    showSuccess('认证成功！正在获取用户信息...');
+                    
+                    // 获取用户信息
+                    return fetch(oidcConfig.userInfoEndpoint, {
+                        headers: {
+                            'Authorization': `Bearer ${data.access_token}`
+                        }
+                    });
+                } else {
+                    throw new Error('响应中未包含access_token');
+                }
+            })
+            .then(response => {
+                if (!response.ok) {
+                    throw new Error('获取用户信息失败');
+                }
+                return response.json();
+            })
+            .then(userInfo => {
+                showSuccess(`认证成功！欢迎 ${userInfo.sub || 'user'}`);
+            })
+            .catch(error => {
+                console.error('认证过程出错:', error);
+                showError('认证失败: ' + error.message);
+            });
+        }
+
+        // 显示成功信息
+        function showSuccess(message) {
+            document.getElementById('status').className = 'status success';
+            document.getElementById('status').innerHTML = `
+                <h3>✅ 成功</h3>
+                <p>${message}</p>
+            `;
+            
+            setTimeout(() => {
+                document.getElementById('result').style.display = 'block';
+                document.getElementById('resultContent').innerHTML = `
+                    <h3>认证完成</h3>
+                    <p>您已成功登录系统B</p>
+                    <p>Token已保存到本地存储</p>
+                `;
+            }, 1000);
+        }
+
+        // 显示错误信息
+        function showError(message) {
+            document.getElementById('status').className = 'status error';
+            document.getElementById('status').innerHTML = `
+                <h3>❌ 错误</h3>
+                <p>${message}</p>
+            `;
+            
+            setTimeout(() => {
+                document.getElementById('result').style.display = 'block';
+                document.getElementById('resultContent').innerHTML = `
+                    <h3>认证失败</h3>
+                    <p>请检查错误信息并重试</p>
+                `;
+            }, 1000);
+        }
+
+        // 返回主页
+        function goToMain() {
+            window.location.href = '/';
+        }
+    </script>
+</body>
+</html> 
\ No newline at end of file
diff --git a/resourceservicehtmlb/index.html b/resourceservicehtmlb/index.html
new file mode 100644
index 0000000..da3fd42
--- /dev/null
+++ b/resourceservicehtmlb/index.html
@@ -0,0 +1,294 @@
+<!DOCTYPE html>
+<html lang="zh-CN">
+<head>
+    <meta charset="UTF-8">
+    <title>系统B - OIDC登录</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            max-width: 800px;
+            margin: 0 auto;
+            padding: 20px;
+            background-color: #f5f5f5;
+        }
+        .container {
+            background: white;
+            padding: 30px;
+            border-radius: 8px;
+            box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+        }
+        .status {
+            padding: 15px;
+            margin: 10px 0;
+            border-radius: 5px;
+        }
+        .success { background-color: #d4edda; color: #155724; border: 1px solid #c3e6cb; }
+        .error { background-color: #f8d7da; color: #721c24; border: 1px solid #f5c6cb; }
+        .info { background-color: #d1ecf1; color: #0c5460; border: 1px solid #bee5eb; }
+        button {
+            background-color: #007bff;
+            color: white;
+            border: none;
+            padding: 10px 20px;
+            border-radius: 5px;
+            cursor: pointer;
+            margin: 5px;
+        }
+        button:hover { background-color: #0056b3; }
+        .logout { background-color: #dc3545; }
+        .logout:hover { background-color: #c82333; }
+        .api-result {
+            background-color: #f8f9fa;
+            padding: 15px;
+            border-radius: 5px;
+            margin: 10px 0;
+            white-space: pre-wrap;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>系统B - OIDC登录</h1>
+        
+        <div id="status" class="status info">
+            正在检查登录状态...
+        </div>
+        
+        <div id="userInfo" style="display: none;">
+            <h2>用户信息</h2>
+            <div id="userDetails"></div>
+            <button onclick="callApi()">调用API</button>
+            <button class="logout" onclick="logout()">退出登录</button>
+        </div>
+        
+        <div id="loginSection" style="display: none;">
+            <h2>请登录</h2>
+            <button onclick="login()">登录到OIDC</button>
+        </div>
+        
+        <div id="apiResult" class="api-result" style="display: none;"></div>
+    </div>
+
+    <script>
+        // OIDC配置
+        const oidcConfig = {
+            clientId: 'b-client',
+            clientSecret: 'b-secret',
+            redirectUri: 'https://b.local.com/callback',
+            authorizationEndpoint: 'https://oidc.local.com/oauth2/authorize',
+            tokenEndpoint: 'https://oidc.local.com/oauth2/token',
+            userInfoEndpoint: 'https://oidc.local.com/userinfo',
+            scope: 'openid read'
+        };
+
+        // 检查URL参数中的授权码
+        const urlParams = new URLSearchParams(window.location.search);
+        const code = urlParams.get('code');
+        const state = urlParams.get('state');
+
+        // 页面加载时执行
+        window.onload = function() {
+            if (code) {
+                // 有授权码，处理回调
+                handleCallback(code, state);
+            } else {
+                // 检查现有token
+                checkAuthStatus();
+            }
+        };
+
+        // 检查认证状态
+        function checkAuthStatus() {
+            const token = localStorage.getItem('access_token');
+            if (token) {
+                // 验证token是否有效
+                validateToken(token);
+            } else {
+                showLoginSection();
+            }
+        }
+
+        // 验证token
+        function validateToken(token) {
+            fetch('https://oidc.local.com/userinfo', {
+                headers: {
+                    'Authorization': `Bearer ${token}`
+                }
+            })
+            .then(response => {
+                if (response.ok) {
+                    return response.json();
+                } else {
+                    throw new Error('Token无效');
+                }
+            })
+            .then(userInfo => {
+                showUserInfo(userInfo);
+            })
+            .catch(error => {
+                console.error('Token验证失败:', error);
+                localStorage.removeItem('access_token');
+                localStorage.removeItem('refresh_token');
+                showLoginSection();
+            });
+        }
+
+        // 显示用户信息
+        function showUserInfo(userInfo) {
+            document.getElementById('status').className = 'status success';
+            document.getElementById('status').textContent = '登录成功！';
+            
+            document.getElementById('userInfo').style.display = 'block';
+            document.getElementById('loginSection').style.display = 'none';
+            
+            document.getElementById('userDetails').innerHTML = `
+                <p><strong>用户名:</strong> ${userInfo.sub || 'user'}</p>
+                <p><strong>Token:</strong> ${localStorage.getItem('access_token').substring(0, 50)}...</p>
+            `;
+        }
+
+        // 显示登录部分
+        function showLoginSection() {
+            document.getElementById('status').className = 'status info';
+            document.getElementById('status').textContent = '请登录以继续';
+            
+            document.getElementById('userInfo').style.display = 'none';
+            document.getElementById('loginSection').style.display = 'block';
+        }
+
+        // 登录
+        function login() {
+            const state = generateRandomString();
+            localStorage.setItem('oauth_state', state);
+            
+            const authUrl = new URL(oidcConfig.authorizationEndpoint);
+            authUrl.searchParams.set('response_type', 'code');
+            authUrl.searchParams.set('client_id', oidcConfig.clientId);
+            authUrl.searchParams.set('redirect_uri', oidcConfig.redirectUri);
+            authUrl.searchParams.set('scope', oidcConfig.scope);
+            authUrl.searchParams.set('state', state);
+            
+            window.location.href = authUrl.toString();
+        }
+
+        // 处理回调
+        function handleCallback(code, state) {
+            const savedState = localStorage.getItem('oauth_state');
+            if (state !== savedState) {
+                document.getElementById('status').className = 'status error';
+                document.getElementById('status').textContent = '状态验证失败';
+                return;
+            }
+
+            // 交换授权码为token
+            exchangeCodeForToken(code);
+        }
+
+        // 交换授权码为token
+        function exchangeCodeForToken(code) {
+            const tokenData = new URLSearchParams();
+            tokenData.append('grant_type', 'authorization_code');
+            tokenData.append('code', code);
+            tokenData.append('redirect_uri', oidcConfig.redirectUri);
+
+            // 使用Basic认证
+            const credentials = btoa(oidcConfig.clientId + ':' + oidcConfig.clientSecret);
+
+            fetch(oidcConfig.tokenEndpoint, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/x-www-form-urlencoded',
+                    'Authorization': 'Basic ' + credentials
+                },
+                body: tokenData
+            })
+            .then(response => response.json())
+            .then(data => {
+                if (data.access_token) {
+                    localStorage.setItem('access_token', data.access_token);
+                    if (data.refresh_token) {
+                        localStorage.setItem('refresh_token', data.refresh_token);
+                    }
+                    
+                    // 获取用户信息
+                    return fetch(oidcConfig.userInfoEndpoint, {
+                        headers: {
+                            'Authorization': `Bearer ${data.access_token}`
+                        }
+                    });
+                } else {
+                    throw new Error('获取token失败: ' + JSON.stringify(data));
+                }
+            })
+            .then(response => response.json())
+            .then(userInfo => {
+                // 清除URL中的参数
+                window.history.replaceState({}, document.title, window.location.pathname);
+                showUserInfo(userInfo);
+            })
+            .catch(error => {
+                console.error('Token交换失败:', error);
+                document.getElementById('status').className = 'status error';
+                document.getElementById('status').textContent = '登录失败: ' + error.message;
+            });
+        }
+
+        // 调用API
+        function callApi() {
+            const token = localStorage.getItem('access_token');
+            if (!token) {
+                alert('请先登录');
+                return;
+            }
+
+            document.getElementById('apiResult').style.display = 'block';
+            document.getElementById('apiResult').textContent = '正在调用API...';
+
+            fetch('/api/hello', {
+                headers: {
+                    'Authorization': `Bearer ${token}`
+                }
+            })
+            .then(response => {
+                if (response.ok) {
+                    return response.json();
+                } else {
+                    throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+                }
+            })
+            .then(data => {
+                document.getElementById('apiResult').textContent = 'API调用成功:\n' + JSON.stringify(data, null, 2);
+            })
+            .catch(error => {
+                document.getElementById('apiResult').textContent = 'API调用失败:\n' + error.message;
+            });
+        }
+
+        // 退出登录
+        function logout() {
+            // 清理本地token
+            localStorage.removeItem('access_token');
+            localStorage.removeItem('refresh_token');
+            localStorage.removeItem('oauth_state');
+            // 获取id_token（如果有）
+            const idToken = localStorage.getItem('id_token'); // 登录时保存id_token
+            // 退出后跳转到首页
+            const redirectUri = encodeURIComponent('https://b.local.com');
+            // 拼接logout url
+            let logoutUrl = `https://b.local.com/oidc-logout?post_logout_redirect_uri=${redirectUri}`;
+            if (idToken) {
+                logoutUrl += `&id_token_hint=${idToken}`;
+            }
+            // 跳转到OIDC logout端点
+            window.location.href = logoutUrl;
+        }
+
+        // 生成随机字符串
+        function generateRandomString() {
+            const array = new Uint32Array(28);
+            window.crypto.getRandomValues(array);
+            return Array.from(array, dec => ('0' + dec.toString(16)).substr(-2)).join('');
+        }
+    </script>
+</body>
+</html> 
\ No newline at end of file