JHipster: How to make secure calls to microservices from UAA server with unauthenticated user

Question

Dear StackOverflow Community,

I found that someone else already asked something similar to my problem here but didn't receive any good answers.

I want to create an entity on microservice A as soon as a User gets activated on the UAA server (when activateAccount() is called in the AccountResource). At this point the user is not authenticated and therefor I'm not able to use an AuthenticatedFeignClient, as I would on other microservices. When I disable authentication on microservice A and use a FeignClient as described in the JHipster Docs, it works as expected, but I don't want to leave the endpoint reachable from the outside. Is there a way to let the UAA server authenticate itself or only allow the UAA server to access this specific endpoint in microservice A's API?

Edit:

I finally got it to work by using AuthenticatedFeignClient. I simply copied the client package and FeignConfiguration from the microservice to the uaa server and changed the security settings in application-dev.yml and application-prod.yml as follows:

security:
    client-authorization: 
    access-token-uri: uaa/oauth/token 
    token-service-id: uaa 
    client-id: internal 
    client-secret: internal

I think you're looking for https://www.jhipster.tech/using-uaa/#inter-service-communication — Jon Ruddell, Jun 06 '18 at 15:15
Dear Jon, thanks for your response and your work on Ignite and JHipster! I got it to work (see question) — Samuel, Jun 07 '18 at 10:58

score 2 · Answer 1 · answered Jun 21 '18 at 09:17

despite you already found the correct solution, I should quickly explain why this is correct.

JHipster UAA supports two different authorization flows: user-to-service and service-to-service. The first one is the most commonly used. This is when you want to control what a user is permitted to do in your application.

A service-to-service call doesn't consist of any user related issue, as not the user is "logging in" but your microservice itself. That's why should add the config.

The stuff with copying the annotation interface from other apps into UAA is a little bad design. I'm considering to make a move of these annotations from generated code into the JHipster library to solve this.

score 1 · Answer 2 · answered Oct 25 '18 at 08:55

I found what was the problem regarding authentication and authorization between microservices, it took me three days to figure it out how to solve this. I was using the tag @AuthorizedFeignClient and due that I'm protecting the api resource using: @PreAuthorize("hasRole("" + AuthoritiesConstants.USER + "")"), I was not able to reach them through a feign client because @AuthorizedFeignClient just verify if the resource is authenticate or not (see config/SecurityConfiguration.java) but it wouldn't be able to reach the endpoint because the resource that I wanted to reach has another security layer which is that is protected by role (@PreAuthorize), so, in these cases we will need to use @AuthorizedUserFeignClient instead of @AuthorizedFeignClient.

The use about @AuthorizedUserFeignClient has not been documented by Jhipster yet, and it would be good idea to do it, see: https://www.jhipster.tech/using-uaa/#inter-service-communication

I hope this could help other people that has these kind of problems between inter-service-communication.

JHipster: How to make secure calls to microservices from UAA server with unauthenticated user

2 Answers2

Linked