Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices

Question

I am trying to implement the above architecture in the workflow with Spring Boot.

• Web client makes a request to Resource Server (Microservices Endpoints)

Answer 1

I've been struggling with same security design issue for microservice architecture based on spring cloud solution. I only find this article shedding some light on it: https://developer.okta.com/blog/2018/02/13/secure-spring-microservices-with-oauth

But it's pertaining to Okta sso service provider, not a generic solution to other oauth2 server like keycloak.

I also saw some solutions on how to protect gateway and microservice with oauth2 server like this one: https://github.com/jgrandja/oauth2login-gateway

But it doesn't take into consideration the web client.

Answer 2

I am not sure whether you were able to resolve this, I can see this is not answered yet, but there is a way you can pass all information from JWT to all downstream microservices. Write your own ZuulAuthenticationFilter, and then create below method

private void addClaimHeaders(RequestContext context, String token) {
    
    try {
        
        Map<String, Claim> claims = jwtTokenVerifier.getAllClaims(token);
        claims.forEach((key, claim) -> {
            
            context.addZuulRequestHeader("x-user-info-"+key, String.valueOf(claim.as(Object.class)));
        });
        
    }catch(Exception ex) {
        
        log.error("Error in setting zuul header : "+ex.getMessage(), ex);
    }
}

this way, you will get information from JWT in headers in each microservice, headers that starts with "x-user-info-" will have your JWT details

Answer 3

Unfortunately, I don't have complete answer, only some parts:

Once JWT token is available to the zuul proxy then every microservice can authorize requests by configuring its resource server, e.g.

 @Override
  public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().anyRequest().access("#oauth2.hasScope('microserviceA.read')").and()
        .csrf().disable()
        .httpBasic().disable();
  }

Scopes could be managed by the oauth microservice with a database - basing on the client credentials it will take the scopes info and encode into JWT token.

What I don't know at the moment - how to make the zuul proxy to use "web client" credentials to authorize itself by the oauth - I don't want to hard-code zuul proxy credentials because then the web-client creds won't be used.

I've just posted similar question on this topic: Authorizing requests through spring gateway with zool via oauth server

update: I've found article describing almost this configuration (without eureka, but it doesn't that add much complexity from my experience): https://www.baeldung.com/spring-security-zuul-oauth-jwt, there is github project with source code. The source code is unfortunately not polished as it's being used by the author for his commercial courses. But I've managed to build from his examples working set.

Summary: in the described architecture every resource server (microservice A, B, ..) receive JWT token forwarded by the zuul proxy/gateway from the requesting client. The token is forwarded in a request header. If there is no valid token provided then the gateway will redirect the request to authorization page. Also every resource server can check the token with the oauth service and if required do scope checking as I wrote above.

Answer 4

There is an implementation of the above architecture in following link: https://www.baeldung.com/spring-security-zuul-oauth-jwt