OAuth2 integration #179
not yet |
Checking one month later - is there some roadmap for implementing this feature please? It would be great to know the plans so that we can adjust ours :) |
You can do it on a separate UAA, not on the gateway. In our case, this approach works perfectly. |
Hello, Components: (based on spring boot v. 1.5.9.RELEASE, cloud v. Edgware.RELEASE)
Any idea how to migrate the gateway to spring boot 2.0.0? |
The problem is that Spring Security hasn't completely caught up with the new reactive stuff that the gateway uses. Apparently resource servers will be supported mid-2018: https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security |
Need this also. How is the progress? |
There has been no progress |
@spencergibb Is there any chance of a rough timeline for this? I'm sure I'm not the only one wondering if it's worth waiting, or if we should migrate to the gateway now and put in a temporary homegrown solution to have it behave like a resource server. |
@rworsnop and anyone else looking, this is actually pretty easy to do yourself in the interim. I'm posting here to help others as I spent the best part of three days trying to work it out. Also, it would be good to know from @spencergibb if he can foresee any problems with this approach. We were implementing a first-time gateway and didn't really want to implement a Zuul solution given the SCG was available, BUT we also wanted to be able to use token authentication on the SCG, and this is what we came up with. I can't post full code samples unfortunately, but what I can post should be enough to get people started. The way the Spring Cloud Gateway works is similar to the normal web security flow in that filters are used for pretty much everything :) so you're going to need one of those. In fact you'll need an The 'Converter' is responsible for extracting the bearer token from the HTTP Authorization header. This is returned to the filter which then calls So, on to the code....
The
The We then simply delegate the authenticate call to
We just need to wire these things together now and
One final thing worth mentioning here is the I really hope this can help others get over the hurdle until the Spring guys can get this implemented properly in the SCG. I'm sure whatever they come up with will be a lot more elegant than this solution but at least this works in the interim. I'd really appreciate any comments that anyone may have, good, bad or otherwise - oh, and apologies for the long post! |
Thanks for taking the time to write this, @andye2004 . It looks really useful. |
@andye2004 What does your POM look like? |
@Alos, we're currently running SB 2.0.3 and we use our own top-level parent POM so we can override some of the default versions of things like lombok that come with SB and also to ensure all of our services have specific things included by default (cloud config, common banners, discovery-client, tracing etc). I can't post our POMs as is, so I've quickly pieced together what you will probably need to make the above work. If something doesn't work post back and I can probably modify this as necessary.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>

    <properties>
        <!-- Standard Maven properties we use in every project -->
        <java.version>1.8</java.version>
        <maven.compiler.source>${java.version}</maven.compiler.source>
        <maven.compiler.target>${java.version}</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <spring-cloud.version>Finchley.RELEASE</spring-cloud.version>
        <spring-security-jwt.version>1.0.9.RELEASE</spring-security-jwt.version>
        <spring-security-oauth2.version>2.0.14.RELEASE</spring-security-oauth2.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-gateway</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.security.oauth</groupId>
            <artifactId>spring-security-oauth2</artifactId>
            <version>${spring-security-oauth2.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-jwt</artifactId>
            <version>${spring-security-jwt.version}</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <build>
        <plugins>
            ....
            <plugin>
                <!-- Builds executable Spring Boot fat jars -->
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <executable>true</executable>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>build-info</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            ....
        </plugins>
    </build>
</project>
```
@spencergibb Hi, we found that the spring cloud gateway already has the latest version (Greenwich.BUILD-SNAPSHOT), is it already able to support OAuth2 integration? |
No |
Does the problem come from SCG directly, or is it about Spring Security only? |
@andye2004 I am trying to validate the token from a URL like @ResourceServer does; it looks like the skeleton you gave is validating the token against an in-memory store. How do I configure the URL to validate the token? Any pointers? |
@minisha are you using a 3rd party OAuth provider? If not, what I've shown here is probably the most performant way to do it, e.g. use the same If you are using a 3rd party OAuth provider then you would need to write your own implementation of 'ResourceServerTokenServices' to actually make the call out to the 3rd party to validate the token. A look at the Spring code base should give a really good head start on how to do this. |
@andye2004 Yes, I am using a third party service. In spring boot app the below configuration will make sure the signature of the token is correct by fetching the key from the given url and validating I suppose. security: |
@andye2004 Your code expects the token to be stored in memory after authentication, doesn't it? Then in the subsequent request, the incoming token is validated against the token in memory? Did I get this correctly? |
@minisha, the code you're looking at in my post is a very simplified version of our actual codebase and could be easily adapted to fetch the key from a 3rd party OAuth provider at start-up, then store it in memory. I believe there is an example on the JHipster (by Matt Raible) website that explains exactly how to do this. Sorry, I don't have time at the moment to go looking for it. Apologies, it wasn't Matt Raible, nor JHipster. It was Okta and Brian Demers, see here https://developer.okta.com/blog/2018/04/02/client-creds-with-spring-boot; they have a link to a Spring Boot starter that might also help you out. |
Spring Security 5.1 supports WebFlux OAuth2: https://docs.spring.io/spring-security/site/docs/5.1.0.RELEASE/reference/htmlsingle/#new Has anyone tested it with Spring Cloud Gateway? |
I have tried enabling this and faced a lot of compatibility issues. I have raised this as part of issue #585. |
Here is an example of it working using milestones https://github.com/rwinch/spring-security51-by-example-reactive |
@andye2004 I have used your code to make it work. However I am struggling with configuring CORS with this configuration. I have tried all ways mentioned in the documentation for CORS configuration but it is not working. (I am using spring security starter 2.0.0) |
Hello all, This issue is stopping us from migrating to Spring boot 2 so I would need to find another solution if Spring cloud gateway will not support OAuth2. |
@bassmake OAuth2 Integration exists in Spring Cloud Security. Did you check it? https://cloud.spring.io/spring-cloud-security/single/spring-cloud-security.html#_client_token_relay_in_spring_cloud_gateway |
@making |
@bassmake in the sample above, the resource server validates the JWT. |
@bassmake I put a (rather lengthy) post here that explains how to do pretty much what you are looking for. It looks more daunting than it actually is, take the time to understand what it is doing and you'll see it's actually quite simple. If you are using a 3rd party OAuth2 provider you would need to call their endpoint to get the JWKS in order to authenticate the token. That's about the only bit missing from that example. |
I didn't even notice that this was now in there. Need to look a bit deeper now..... |
Apologies Amit, I've been away from work for a few months and I have only just seen this. Did you resolve your problem? |
@andye2004 |
@bassmake I think your issue is different than what this issue was originally describing (which is the gateway acting as an OAuth2 client). You want the gateway to validate tokens. I guess I don't actually understand what is blocking you from doing that today. |
this is the first comment:
so maybe this issue could be closed and a more specific one created if this is already possible. |
@bassmake Possibly. I am just wondering why this doesn't work? https://docs.spring.io/spring-security/site/docs/current/reference/html/webflux-oauth2.html#webflux-oauth2-resource-server |
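The WebFlux resource-server setup that link describes, written out as an added example (not code from this thread, from Spring's documentation, or from Spring Cloud Gateway): the gateway verifies incoming JWTs against the provider's JWKS and also pins issuer and audience, which the default validators do not check. The issuer, JWKS URL, audience, route paths and scope name are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewayResourceServerConfig {
    // Hypothetical values: take the real issuer, JWKS URL and audience from your OAuth2 provider.
    private static final String ISSUER = "https://idp.example.com/";
    private static final String JWK_SET_URI = ISSUER + ".well-known/jwks.json";
    private static final String AUDIENCE = "gateway";

    @Bean
    public ReactiveJwtDecoder jwtDecoder() {
        // Fetches and caches the provider's public keys, so each request is verified locally.
        NimbusReactiveJwtDecoder decoder = new NimbusReactiveJwtDecoder(JWK_SET_URI);
        // Default validators only check exp/nbf; pinning issuer and audience rejects tokens
        // that are correctly signed but were minted by another IdP or for another API.
        OAuth2TokenValidator<Jwt> audience = jwt ->
                jwt.getAudience() != null && jwt.getAudience().contains(AUDIENCE)
                        ? OAuth2TokenValidatorResult.success()
                        : OAuth2TokenValidatorResult.failure(
                                new OAuth2Error("invalid_token", "Required audience is missing", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder decoder) {
        http.csrf().disable(); // stateless bearer-token API: there is no session cookie to protect
        http.authorizeExchange()
                .pathMatchers("/actuator/health").permitAll()
                // scope claims are exposed as SCOPE_<scope> granted authorities
                .pathMatchers("/api/orders/**").hasAuthority("SCOPE_orders:read")
                .anyExchange().authenticated();
        http.oauth2ResourceServer().jwt().jwtDecoder(decoder);
        return http.build();
    }
}
```

Spring Boot 2.1 can also build the decoder from the `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property, but that route does not add the audience check, so a token issued for a different API would still be accepted.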
thank you @ryanjbaxter, |
We have been using `WebClientHttpRoutingFilter` configured with a `WebClient` that relays OAuth2 access tokens (including refreshing tokens), making use of [`ServerOAuth2AuthorizedClientExchangeFilterFunction`](https://github.com/spring-projects/spring-security/blob/5.1.4.RELEASE/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/reactive/function/client/ServerOAuth2AuthorizedClientExchangeFilterFunction.java#L93). This has worked well for us (also cf. #179 and [#171 from spring-cloud-security](spring-attic/spring-cloud-security#171)).
@ryanjbaxter provided link works for my case, thanks again |
Can this example somehow be used in conjunction with |
@chrisovergaauw I don't see why not, you are just changing how the routes are created. |
@ryanjbaxter thanks for responding so quickly. I do not intend to abuse the issue tracker though. What channel is best used for questions regarding SCG? Stackoverflow maybe? |
Stackoverflow or Gitter |
I believe that this is resolved, closing |
@spencergibb according to https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix I have a zuul1 gateway and it's acting as an OAuth2 Client SSO (using @EnableOAuth2Sso) |
@peter-kori see this sample for an example https://github.com/spring-cloud-samples/sample-gateway-oauth2login |
@ryanjbaxter |
Since gateway is just a webflux application, any other integration would be via spring security |
I would like to use spring-cloud-gateway now. How can I bring oauth2 into the project? I want the interface to access the gateway for forwarding and then authenticate; this is done at the gateway. |
Hello, has it come out? I am waiting. |
Is this issue resolved? Wondering... |
Hello guys,
I have a gateway which is written with zuul1 and it's actually a @ResourceServer in terms of oauth2. Do you know if cloud api gateway has an integration with oauth2?