Spring Cloud + Zuul + JWT for Value/Reference Tokens

25
votes

After reading the article How To Control User Identity Within Microservices I've been trying to implement such access control scheme (Value and Reference Tokens), but after going through multiple other topics and examples in GitHub related to Spring Security + OAuth + Zuul, I couldn't find concrete examples on how this can be achieved. All the examples that involve JWT return User Details when the token is returned, and that is what I would like to avoid. The User Details should never reach the Client directly but should be passed to the backend services instead. The tutorial Spring Security + AngularJs has a lot of information on how to evolve an application towards a secure one, but uses an Access Token or mentions the possibility of getting the User Details directly via JWT.

This SO question, Using Zuul as an authentication gateway by @phoenix7360, is exactly the approach I've been trying to implement but it only supplies a brief overview of the configuration required to carry out this kind of security approach for microservices. Please refer to the image in this question for a clear picture of how it would go.

I can't fully get my head around how the Zuul Pre-Filter should be configured and what the Authorization Server's configuration should look like. As stated in both the article and the SO question, the flow would go something like this:

External (HTTPS)

  1. The client authenticates against OAuth2 Server
  2. OAuth Server returns an opaque Access Token (a UUID with no other information)
  3. The client sends the request to the API Gateway with the Access Token in the Authorization header
  4. API Gateway requests User Details to the OAuth Server with the Access Token in the Authorization header
  5. OAuth Server checks the Access Token is valid and returns User Information in JSON format

Internal (HTTP/S)

  1. API Gateway creates a JWT with User Details and signs it with a private key
  2. API Gateway adds the JWT to request and forwards it to Resource Server
  3. Resource Server verifies the JWT using API Gateway's public key

Note: API Gateway should return an error if OAuth Server indicates Access Token is no longer valid.

How would the ZuulFilter work? Does a new request need to be issued against the OAuth Server (for instance, via RestTemplate), or are these schemes supported with the current implementation? Is there any particular configuration required for the JavaConfig classes for both OAuth and Zuul? If someone knows of a working example that would be really helpful and would be great for future reference regarding this topic.

I'm using Spring Boot (1.4.0-M3) + Spring OAuth + Spring Cloud (Eureka, Ribbon, Zuul)

I know this question is very similar to the one linked previously, and if this is not the right way of doing it I apologize, but I thought a new thread would be better than asking for help on a SO thread that aimed at solving another problem.

Thanks in advance!

1
spring-securityoauthspring-bootjwtnetflix-zuul
github.com/azizkhani/PiggyMetricsali akbar azizkhani
jhipster.github.io/microservices-architectureali akbar azizkhani
if you want have UAA i think zuul dose not need check token and call AuthorizeServer .but when u dose not have UAA,i think Api Gateway is AuthorizeServer.but in service to service call required OAuth2RestTemplate that get token before call service methodali akbar azizkhani
why would you want to do this in the gateway? i do understand if you want to check incoming JWTs for validity, just in case, but your services will also need to consume (and verify) the tokens. but in general, your flow seems good. except one thing: the request with the Oauth access token should be verified first, then upon succes you can create the JWT and sign it - and throw an error if the token is bad. you will also need to consider an endpoint for other services to retrieve the public key needed to verify the signature.rmalchow

1 Answers

1
votes

JHipster does a pretty good job in handling this issue. If I want to tell the login process briefly, first you do login, in time you fetch every information you need to pass to your below services (such as username,email,etc) then you pass them to your microservices. you can see the link below from okta for more information https://developer.okta.com/blog/2018/03/01/develop-microservices-jhipster-oauth