Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices
[Image: Microservices Architecture]

I am trying to implement the above architecture in the workflow with Spring Boot.

  • Web client makes a request to Resource Server (Microservices Endpoints) through Zuul Proxy.
  • Zuul Proxy redirects to oauth2 server for authentication.
  • Oauth2 redirects to Zuul Proxy if the request is authenticated or not.
  • If not authenticated, Zuul redirects Web client with an unauthenticated response.
  • If Authenticated, Zuul proxy redirects to the requested microservice endpoint.
  • Microservice endpoint checks if the user is authorized (user level access) to access the resource or not.
  • Microservice also could make internal rest call to other microservice.
  • Finally, the requested resource is sent back to the client.

I want to make sure I am following the correct workflow.

I would like to know if there is any solution which has implemented a similar kind for securing microservices APIs.

I have confusion on:

  • How can we pass the user details to the microservices so that the microservices can do their own level of user authorization?
  • Should the OAuth2 Access Token header be passed to each microservice such that the microservices can validate the token separately?
  • Should each Microservice use secret credentials to validate the access token so that the token cannot be forged along the request chain?

I know it's a bit of a lengthy question. But I have not found a proper solution to the above architecture.

Fix answered 23/1, 2019 at 17:2 Comment(3)
Please share your findings here. I think this is a very good way to have microservices working together and am looking to do the same. – Dudgeon
Please have a look for Zuul acting as an OAuth2.0 client in here: baeldung.com/spring-security-zuul-oauth-jwt – Dekko
@Ananda: if you got it working, would you mind putting some details here? – Disentangle

Unfortunately, I don't have a complete answer, only some parts:

Once the JWT token is available to the Zuul proxy, every microservice can authorize requests by configuring its resource server, e.g.

  // Resource-server configuration of one microservice (extends ResourceServerConfigurerAdapter)
  @Configuration
  @EnableResourceServer
  public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
      http
          // every request must carry a JWT that grants this service's read scope
          .authorizeRequests().anyRequest().access("#oauth2.hasScope('microserviceA.read')").and()
          .csrf().disable()
          .httpBasic().disable();
    }
  }

Scopes could be managed by the OAuth microservice with a database: based on the client credentials it will take the scope info and encode it into the JWT token.

What I don't know at the moment is how to make the Zuul proxy use the "web client" credentials to authorize itself with the OAuth server. I don't want to hard-code Zuul proxy credentials because then the web-client creds won't be used.

I've just posted a similar question on this topic: Authorizing requests through spring gateway with zool via oauth server

Update: I've found an article describing almost this configuration (without Eureka, but that doesn't add much complexity from my experience): https://www.baeldung.com/spring-security-zuul-oauth-jwt; there is a GitHub project with source code. The source code is unfortunately not polished as it's being used by the author for his commercial courses. But I've managed to build a working set from his examples.

Summary: in the described architecture every resource server (microservice A, B, ...) receives the JWT token forwarded by the Zuul proxy/gateway from the requesting client. The token is forwarded in a request header. If no valid token is provided, the gateway will redirect the request to the authorization page. Also, every resource server can check the token with the OAuth service and, if required, do scope checking as I wrote above.

Mccandless answered 8/2, 2019 at 20:51 Comment(0)
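The question asks whether each microservice should validate the access token itself. With JWT it can, without a round trip to the OAuth server: the service only needs the authorization server's public key. The configuration below is an added example for this thread (not the answerer's or Baeldung's code) using the Spring Security OAuth2 `ResourceServerConfigurerAdapter` shown above. The PEM key, the `microserviceA` resource id, the `/orders/**` paths and the `OrderController` are illustrative; the user-level check in the controller uses the subject of the verified token rather than any forwarded header.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

/**
 * Resource server of "microservice A": verifies the JWT locally with the OAuth2
 * server's public key and enforces scopes per route. Added example, not project code.
 */
@Configuration
@EnableResourceServer
public class MicroserviceAResourceServerConfig extends ResourceServerConfigurerAdapter {

    // Placeholder: the OAuth2 server's RSA public key (PEM); load it from configuration in practice.
    private static final String AUTH_SERVER_PUBLIC_KEY =
            "-----BEGIN PUBLIC KEY-----\nREPLACE_WITH_REAL_KEY\n-----END PUBLIC KEY-----";

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Only the verifier (public) key is configured: this service can check
        // signatures but can never mint tokens, so no shared secret leaves the auth server.
        converter.setVerifierKey(AUTH_SERVER_PUBLIC_KEY);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // JwtTokenStore decodes and verifies the token in-process on every request.
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        // resourceId is checked against the token's "aud" claim; set it only if the
        // OAuth2 server puts "microserviceA" into aud, otherwise every token is rejected.
        resources.resourceId("microserviceA").tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/actuator/health").permitAll()
                .antMatchers(HttpMethod.GET, "/orders/**").access("#oauth2.hasScope('microserviceA.read')")
                .antMatchers("/orders/**").access("#oauth2.hasScope('microserviceA.write')")
                .anyRequest().authenticated()
            .and()
            .csrf().disable()
            .httpBasic().disable();
    }
}

/** Illustrative endpoint showing a user-level authorization check (hypothetical). */
@RestController
class OrderController {

    @GetMapping("/orders/{owner}")
    public String order(@PathVariable String owner, Authentication auth) {
        // Ownership is decided by the subject of the verified token (auth.getName()),
        // never by a header the caller could have set itself.
        if (!owner.equals(auth.getName())) {
            throw new AccessDeniedException("not the owner of this order");
        }
        return "order of " + owner;
    }
}
```

The scope expressions are evaluated against the `scope` claim the OAuth2 server encoded into the token, so scope management stays centralised in the auth server while each service enforces its own slice.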

I've been struggling with the same security design issue for a microservice architecture based on the Spring Cloud solution. I only found this article shedding some light on it: https://developer.okta.com/blog/2018/02/13/secure-spring-microservices-with-oauth

But it's pertaining to the Okta SSO service provider, not a generic solution for other OAuth2 servers like Keycloak.

I also saw some solutions on how to protect gateway and microservice with oauth2 server like this one: https://github.com/jgrandja/oauth2login-gateway

But it doesn't take into consideration the web client.

Weisburgh answered 2/5, 2019 at 8:43 Comment(1)
The second link is an implementation based on Spring Cloud Gateway, not Zuul. – Janinejanis

I am not sure whether you were able to resolve this; I can see this is not answered yet, but there is a way to pass all the information from the JWT to all downstream microservices. Write your own ZuulAuthenticationFilter, and then create the method below:

// Called from your ZuulFilter's run(): copies every JWT claim into an
// "x-user-info-<claim>" request header for the downstream microservice.
private void addClaimHeaders(RequestContext context, String token) {
    try {
        // jwtTokenVerifier is your own wrapper around the JWT library (e.g. auth0 java-jwt),
        // which parses the token and returns its claims as a Map<String, Claim>
        Map<String, Claim> claims = jwtTokenVerifier.getAllClaims(token);
        claims.forEach((key, claim) ->
            context.addZuulRequestHeader("x-user-info-" + key, String.valueOf(claim.as(Object.class))));
    } catch (Exception ex) {
        log.error("Error in setting zuul header : " + ex.getMessage(), ex);
    }
}

This way you will get the information from the JWT as headers in each microservice; headers that start with "x-user-info-" will carry your JWT details.

Proterozoic answered 5/8, 2020 at 13:12 Comment(0)
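Forwarding claims as headers only works if the gateway is the sole source of those headers: a client that sends its own `x-user-info-*` headers must not be believed downstream, and the claims must be copied only after the token's signature has been verified. The filter below is an added example written for this thread (not the answerer's code). It assumes the auth0 java-jwt library for verification and Spring Cloud Netflix Zuul's `ProxyRequestHelper` to drop inbound `x-user-info-*` headers before routing; the HS256 secret, issuer, header prefix and filter order are placeholders.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.netflix.zuul.ZuulFilter;
import com.netflix.zuul.context.RequestContext;
import org.springframework.cloud.netflix.zuul.filters.ProxyRequestHelper;
import org.springframework.cloud.netflix.zuul.filters.support.FilterConstants;
import org.springframework.stereotype.Component;

import javax.servlet.http.HttpServletRequest;
import java.util.Collections;
import java.util.Map;

/**
 * Zuul pre-filter: verifies the bearer JWT, strips any client-supplied
 * x-user-info-* headers, then forwards the verified claims as headers.
 * Illustrative code added to this thread; not from the original answer.
 */
@Component
public class ClaimHeaderFilter extends ZuulFilter {

    private static final String CLAIM_HEADER_PREFIX = "x-user-info-";

    private final JWTVerifier verifier;
    private final ProxyRequestHelper proxyRequestHelper;

    public ClaimHeaderFilter(ProxyRequestHelper proxyRequestHelper) {
        this.proxyRequestHelper = proxyRequestHelper;
        // Assumption: tokens are HS256-signed with a secret shared with the OAuth2 server.
        // With an RSA key pair use Algorithm.RSA256(publicKey, null) instead.
        this.verifier = JWT.require(Algorithm.HMAC256("replace-with-real-secret"))
                .withIssuer("example-oauth2-server")   // placeholder issuer
                .build();
    }

    @Override public String filterType() { return FilterConstants.PRE_TYPE; }
    @Override public int filterOrder() { return FilterConstants.PRE_DECORATION_FILTER_ORDER + 1; }
    @Override public boolean shouldFilter() { return true; }

    @Override
    public Object run() {
        RequestContext ctx = RequestContext.getCurrentContext();
        HttpServletRequest request = ctx.getRequest();

        // 1. Never forward x-user-info-* headers that arrived from the client:
        //    only headers set by this gateway after verification may carry claims.
        Collections.list(request.getHeaderNames()).stream()
                .filter(name -> name.toLowerCase().startsWith(CLAIM_HEADER_PREFIX))
                .forEach(proxyRequestHelper::addIgnoredHeaders);

        // 2. Extract the bearer token.
        String authorization = request.getHeader("Authorization");
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            return reject(ctx, 401);
        }
        String token = authorization.substring("Bearer ".length());

        // 3. Verify signature, issuer and expiry before trusting any claim.
        DecodedJWT jwt;
        try {
            jwt = verifier.verify(token);
        } catch (JWTVerificationException ex) {
            return reject(ctx, 401);
        }

        // 4. Copy the verified claims into headers the downstream services can read.
        Map<String, Claim> claims = jwt.getClaims();
        claims.forEach((key, claim) ->
                ctx.addZuulRequestHeader(CLAIM_HEADER_PREFIX + key, String.valueOf(claim.as(Object.class))));
        return null;
    }

    private Object reject(RequestContext ctx, int status) {
        ctx.setSendZuulResponse(false);   // do not route the request to any backend
        ctx.setResponseStatusCode(status);
        return null;
    }
}
```

Downstream services should treat `x-user-info-*` headers as trustworthy only when they are reachable exclusively through the gateway (private network or mutual TLS); a service that is also exposed directly still needs to validate the token itself, as in the other answer.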

There is an implementation of the above architecture at the following link: https://www.baeldung.com/spring-security-zuul-oauth-jwt

Charger answered 14/4, 2020 at 5:30 Comment(0)
