I am working on some microservices generated with JHipster 6.1.0, which use the JHipster UAA server for authentication.
The project consists of the following microservices:
- gateway
- UAA server
- publicMicroservice (microservice which allows unauthenticated access to /api/)
- restrictedMicroservice (microservice which should only be accessible to publicMicroservice)
I am trying to perform requests from publicMicroservice to restrictedMicroservice using an AuthorizedFeignClient.
This works as expected when I leave SecurityConfiguration in restrictedMicroservice like this:

    .antMatchers("/api/**").authenticated()

and use the default client-id and client-secret in application-dev.yml of publicMicroservice:

    security:
      client-authorization:
        access-token-uri: http://uaa/oauth/token
        token-service-id: uaa
        client-id: internal
        client-secret: internal

However, I would rather have publicMicroservice authenticate as a custom user with a custom role ROLE_MYMICROSERVICE, because just using .authenticated() also allows regular logged-in users to access the resources of restrictedMicroservice.
Therefore I created a new user "mymicroservice" with the same password hash as the admin user and the custom role in the UAA .csv files. I changed the application-dev.yml of publicMicroservice as follows:

    security:
      client-authorization:
        access-token-uri: http://uaa/oauth/token
        token-service-id: uaa
        client-id: mymicroservice
        client-secret: admin

and SecurityConfiguration in restrictedMicroservice like this:

    // .antMatchers("/api/**").authenticated()
    .antMatchers("/api/**").hasAuthority("ROLE_MYMICROSERVICE")

Now apparently authentication fails in the UAA server, which claims that the credentials are bad.
2019-07-12 17:39:17.638 DEBUG 29485 --- [ XNIO-1 task-56] c.m.myapp.aop.logging.LoggingAspect : Enter: com.mycompany.myapp.repository.CustomAuditEventRepository.add() with argument[s] = [AuditEvent [timestamp=2019-07-12T15:39:17.638Z, principal=mymicroservice, type=AUTHENTICATION_FAILURE, data={details=org.springframework.security.web.authentication.WebAuthenticationDetails@ffffa64e: RemoteIpAddress: 192.168.1.111; SessionId: null, type=org.springframework.security.authentication.BadCredentialsException, message=Bad credentials}]]
I made sure that the credentials work in the gateway webApp so I can rule out typos. As the JHipster documentation doesn't go into much detail about how the client-id and client-secret are used, I am now stuck and don't know how to tackle the problem.
I created GitHub repositories (see links above) to reproduce the problem and would be very grateful if someone could give me a hint what I'm doing wrong.