
I'm creating microservices with Spring Boot using this tutorial:

https://medium.com/omarelgabrys-blog/microservices-with-spring-boot-authentication-with-jwt-part-3-fafc9d7187e8

So I actually have 4 microservices:

  • eureka-server
  • gateway-service (with @zuulproxy)
  • auth-service
  • gallery-service

Following the tutorial linked, the scenario is:

I can successfully register and log in a user on gateway-service using the auth-service routes and obtain a JWT token. This token is used on gateway-service to invoke gallery-service routes.

The problem is that only gateway-service implements spring-security. So gallery-service doesn't use the same securityContext, and I can't obtain the information about the logged-in user in a gallery-service controller.

Is this a valid solution, or do I have to use spring-security in each microservice? In that case, how do I use the same JWT given by auth-service in all microservices?

On top of this problem, there is the FusionAuth question. In the auth-service, the db is simulated with a list. Instead of the list, I have to call the FusionAuth login API with username and password and get the user's token and roles.

I'm new to the spring-security world and, in general, to developing with microservices. Is all this a valid approach?

My purpose is to create a mobile application with thousands of users, so I want to develop an efficient and secure way to log them in and add more logic in other microservices based on the user's role.

Thanks in advance for helping!

Fidelis
  • There is a FusionAuth spring security library and example, is that what you're looking for? https://github.com/FusionAuth/fusionauth-spring-security https://github.com/FusionAuth/fusionauth-spring-security-example https://fusionauth.io/blog/2018/10/24/easy-integration-of-fusionauth-and-spring – robotdan May 02 '19 at 15:50
  • @robotdan yes, I've already tried, but it is different. This article explains the OAuth and OpenID Connect integration between FusionAuth and Spring Security. In my case this integration already works and I want to build an authentication between my microservices on top – Fidelis May 02 '19 at 17:05
  • Can you pass the JWT down to your microservice calls and then call FusionAuth's `/api/user` API to retrieve the user object? This might work since what you need specifically is the `user` object and all of the fields you are storing in FusionAuth. – voidmain May 02 '19 at 19:47
  • @BrianPontarelli Yes, I can pass it down, but how do I bind my JWT token with a FusionAuth user? – Fidelis May 02 '19 at 20:14
  • @Fidelis Do you mean how do you correlate the JWT with a FusionAuth user? The sub claim in the JWT is the FusionAuth User Id. If that is not what you're asking, can you expand on what you mean by bind the JWT token with FusionAuth user? – robotdan May 03 '19 at 16:49
  • @robotdan the user BrianPontarelli suggests using the /api/user API, but I don't think it is possible because there are 2 different JWT tokens: one generated in my classes, which validates every request on gateway-service, and another one retrieved by the FusionAuth login API. I wanna just do a simple thing: authenticate each user in my microservices and do stuff with the logged-in user. – Fidelis May 03 '19 at 18:10
  • Thanks @Fidelis, I think I understand what you'd like to do; I am unclear what is keeping you from doing this. Can you perhaps edit your original question to provide a very specific question so we can better assist you? Thanks. – robotdan May 06 '19 at 16:56
  • @robotdan check my question now, thanks man – Fidelis May 07 '19 at 18:54
  • Thanks @Fidelis I think I understand. So the user logs in using Spring Security via FusionAuth. Then you want to make a request to `gallery-service` and have that service be able to validate the user and permissions? Whoever makes that request should send along the JWT. So in the linked tutorial, in the `JwtTokenAuthenticationFilter` the token is extracted from the request, using that value you can send it to another service. This is generally done in the `Authorization` header. The `gallery-service` can call FusionAuth to validate, or use JWKS (for example) to validate the token. – robotdan May 07 '19 at 22:09
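To illustrate the approach described in the last comment (forward the JWT in the `Authorization` header and have `gallery-service` validate it itself), here is an added example of a validation filter for the downstream service. It is not code from the question or from the linked tutorial; it assumes the jjwt 0.9.x API and the claim layout the tutorial's auth-service produces (HS512 with a shared secret, subject = username, an `authorities` claim holding a list of role strings), and the `secret` constructor argument is hypothetical wiring.

```java
// Added example (not from the question or the tutorial): a filter for gallery-service that
// validates the JWT forwarded by the gateway and populates this service's own SecurityContext.
// Assumes jjwt 0.9.x and the tutorial's claim layout: HS512, sub = username, "authorities" = roles.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
import java.util.stream.Collectors;

public class JwtValidationFilter extends OncePerRequestFilter {

    // The same secret the auth-service signs with (hypothetical wiring, e.g. from a JwtConfig bean).
    private final String secret;

    public JwtValidationFilter(String secret) { this.secret = secret; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            chain.doFilter(req, res);   // no token: stay anonymous and let the authorization rules reject
            return;
        }
        try {
            // Signature and expiry are checked here; a tampered or expired token throws.
            Claims claims = Jwts.parser().setSigningKey(secret.getBytes())
                    .parseClaimsJws(header.substring(7)).getBody();
            List<SimpleGrantedAuthority> roles = ((List<?>) claims.get("authorities")).stream()
                    .map(r -> new SimpleGrantedAuthority(String.valueOf(r)))
                    .collect(Collectors.toList());
            // Principal = subject (username), so controllers can read it from the SecurityContext.
            SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(claims.getSubject(), null, roles));
        } catch (Exception e) {
            SecurityContextHolder.clearContext();   // never keep a principal from a token that failed validation
        }
        chain.doFilter(req, res);
    }
}
```

Register it in gallery-service's own security configuration with `http.addFilterBefore(new JwtValidationFilter(secret), UsernamePasswordAuthenticationFilter.class)` on a stateless `HttpSecurity`, so `SecurityContextHolder` exposes the user in its controllers. For a token issued by FusionAuth rather than the auth-service, the parser needs FusionAuth's public key (from its JWKS endpoint, as the comment suggests) instead of the shared secret.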

0 Answers