{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 迷人小祖宗 的问题《Implementing authentication and authorization usin》','https://www.manongdao.com/q-1318186.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I am trying to implement the above architecture in the workflow with Spring Boot.
- Web client makes a request to Resource Server (Microservices Endpoints) through Zuul Proxy.
- Zuul Proxy redirects to oauth2 server for authentication.
- Oauth2 redirects to Zuul Proxy if the request is authenticated or not.
- If not authenticated, Zuul redirects Web client with an unauthenticated response.
- If Authenticated, Zull proxy redirects to the requested microservice endpoint.
- Microservice endpoint checks if the user is authorized (user level access) to access the resource or not.
- Microservice also could make internal rest call to other microservice.
- Finally, the requested resource is sent back to the client.
I want to make sure I am following the correct workflow.
I would like to know if there is any solution which has implemented a similar kind for securing microservices APIs.
I have confusion on:
- How can we pass the user details to the microservices so that the microservices can do their own level of user authorization?
- Should the OAuth2 Access Token header be passed to each microservices such that microservices can validate the token separately?
- Should each Microservice use secret credentials to validate the access token so that the token cannot be forged along the request chain?
I know its a bit of lengthy question. But I have not found a proper solution to above architecture.
There is an implementation of the above architecture in following link: https://www.baeldung.com/spring-security-zuul-oauth-jwt
Unfortunately, I don't have complete answer, only some parts:
Once JWT token is available to the zuul proxy then every microservice can authorize requests by configuring its resource server, e.g.
Scopes could be managed by the oauth microservice with a database - basing on the client credentials it will take the scopes info and encode into JWT token.
What I don't know at the moment - how to make the zuul proxy to use "web client" credentials to authorize itself by the oauth - I don't want to hard-code zuul proxy credentials because then the web-client creds won't be used.
I've just posted similar question on this topic: Authorizing requests through spring gateway with zool via oauth server
update: I've found article describing almost this configuration (without eureka, but it doesn't that add much complexity from my experience): https://www.baeldung.com/spring-security-zuul-oauth-jwt, there is github project with source code. The source code is unfortunately not polished as it's being used by the author for his commercial courses. But I've managed to build from his examples working set.
Summary: in the described architecture every resource server (microservice A, B, ..) receive JWT token forwarded by the zuul proxy/gateway from the requesting client. The token is forwarded in a request header. If there is no valid token provided then the gateway will redirect the request to authorization page. Also every resource server can check the token with the oauth service and if required do scope checking as I wrote above.
I've been struggling with same security design issue for microservice architecture based on spring cloud solution. I only find this article shedding some light on it: https://developer.okta.com/blog/2018/02/13/secure-spring-microservices-with-oauth
But it's pertaining to Okta sso service provider, not a generic solution to other oauth2 server like keycloak.
I also saw some solutions on how to protect gateway and microservice with oauth2 server like this one: https://github.com/jgrandja/oauth2login-gateway
But it doesn't take into consideration the web client.