Spring OAuth Authorization Server behind Spring Cloud Zuul Proxy

伪装坚强ぢ 2020-12-12 14:53

I am currently developing an application based on a microservice architecture. We use an API gateway implemented using Spring Cloud Netflix's Zuul Server to route the request

2 answers
  • 2020-12-12 15:10

    As far as I understand your question, spring-cloud-security (for the EnableOauth2Sso part) and spring-cloud (for zuul), it is not possible to proxy the calls to the authorization server using zuul. The main reason being that spring-cloud-security secures the Gateway independently of (and before accounting for) Zuul's routing logic.

    Which means that the spring.oauth2.client.* configuration (sample configuration from Dave Syer's OAuth2 example)

    spring:
      oauth2:
        client:
          accessTokenUri: http://localhost:9999/uaa/oauth/token
          userAuthorizationUri: http://localhost:9999/uaa/oauth/authorize
          clientId: acme
          clientSecret: acmesecret
    

    is considered before allowing any access to Zuul's routes (zuul.routes.*).

    Moreover this setup enables the client agent to store two Cookies: one for the Gateway and one for the Authorization Server.

    I hope this helps.

  • 2020-12-12 15:20

    Update: POC can be found here https://github.com/kakawait/uaa-behind-zuul-sample


    Did you try the following setup (on the Zuul server):

    zuul:
      routes:
        uaa-service:
          path: /uaa/**
          stripPrefix: false
    
    security:
      # Disable Spring Boot basic authentication
      basic:
        enabled: false
      oauth2:
        sso:
          loginPath: /login
        client:
          accessTokenUri: https://<zuul hostname>/uaa/oauth/token
          userAuthorizationUri: https://<zuul hostname>/uaa/oauth/authorize
          ...
    

    Basically it works on my project; the only thing I had to do was disable CSRF protection on the /uaa/oauth/token route.

    The auth server should be on

    server:
      # Use different context-path to avoid session cookie overlapping
      context-path: /uaa
    

    Tested using Spring-Cloud.Brixton.M3


    Thanks to @thomas-letsch, you should tweak your security like the following (sample)

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.logout().and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll()
            .anyRequest().authenticated().and()
            // getCSRFTokenRepository() and createCSRFHeaderFilter() are helpers defined elsewhere in the sample
            .csrf().csrfTokenRepository(getCSRFTokenRepository()).ignoringAntMatchers("/uaa/oauth/token").and()
            .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class);
    }
    
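For reference, here is a complete gateway security class with the two helpers the snippet above calls but does not define. This is added example code, not from the answer or the linked POC; it assumes Spring Boot 1.3 / Spring Security 4 (the session CSRF repository plus XSRF-TOKEN cookie filter pattern from the Spring Security tutorial), and the class name GatewaySecurityConfig is my own.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.*;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;
@Configuration @EnableOAuth2Sso // hypothetical class name; Boot 1.3 package for EnableOAuth2Sso assumed
public class GatewaySecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.logout().and()
            .antMatcher("/**").authorizeRequests()
            .antMatchers("/index.html", "/home.html", "/", "/uaa/oauth/**").permitAll()
            .anyRequest().authenticated().and()
            // /uaa/oauth/token authenticates the OAuth client with its own credentials, not the gateway session cookie, so CSRF does not apply there
            .csrf().csrfTokenRepository(getCSRFTokenRepository())
                   .ignoringAntMatchers("/uaa/oauth/token").and()
            .addFilterAfter(createCSRFHeaderFilter(), CsrfFilter.class);
    }
    // Session-backed token repository that reads the token from the X-XSRF-TOKEN request header
    private CsrfTokenRepository getCSRFTokenRepository() {
        HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
        repository.setHeaderName("X-XSRF-TOKEN");
        return repository;
    }
    // Mirrors the current CSRF token into an XSRF-TOKEN cookie so a browser client can echo it back in the header
    private Filter createCSRFHeaderFilter() {
        return new OncePerRequestFilter() {
            @Override
            protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
                CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
                if (csrf != null) {
                    Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
                    String token = csrf.getToken();
                    if (cookie == null || (token != null && !token.equals(cookie.getValue()))) {
                        cookie = new Cookie("XSRF-TOKEN", token);
                        cookie.setPath("/");
                        response.addCookie(cookie);
                    }
                }
                chain.doFilter(request, response);
            }
        };
    }
}
```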