I have a set of services behind a Zuul gateway, one of which is the auth server. I have it configured to parse the JWT with a JWK Set from the auth server at /.well-known/jwks.json for users on each service with a password grant to access simple endpoints, but I'm wondering if it's possible to decide on a case-by-case basis which controllers and endpoints use the user's access token vs. the service's client credentials when those services have to call other services. For example: I have a contact service that manages customers, and another service that manages inventory. When a user wants to see which customers are interacting with which inventory, I'm able to use an OAuth2RestTemplate to call the other service like so:

@RequestMapping("/sales/{customerId}")
public Map<Customer, Object> getSales(@PathVariable Long customerId) {
  // service-to-service call; which token it carries is the question below
  Object inventory = restTemplate.getForObject("http://inventory-service/inventory", Object.class);
  Customer customer = repository.findById(customerId);

  Map<Customer, Object> sales = new HashMap<>();
  sales.put(customer, inventory);
  return sales;
}

I'm getting a 500 response, "A redirect is required to get the users approval", even though I've tried configuring the customer service to use the client credentials flow instead of the authorization code flow.

The security settings for the customer service:

security:
  oauth2:
    resource:
      jwk:
        key-set-uri: ${GATEWAY:http://localhost:8762}/.well-known/jwks.json
    client:
      client-id: first-client
      client-secret: noonewilleverguess
      access-token-uri: ${GATEWAY:http://localhost:8762}/oauth/token

The main class is annotated with @SpringBootApplication, @EnableGlobalMethodSecurity(prePostEnabled = true), and @EnableResourceServer.

Here's some more configuration for context:

@EnableWebSecurity
public class SecurityConfig extends ResourceServerConfigurerAdapter {
  @Override
  public void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().authorizeRequests().anyRequest().permitAll();
  }

  @LoadBalanced
  @Bean
  public OAuth2RestTemplate restTemplate(OAuth2ClientContext clientContext,
                                         OAuth2ProtectedResourceDetails resourceDetails) {
    return new OAuth2RestTemplate(resourceDetails, clientContext);
  }
}

The documentation suggests that @EnableOAuth2Client isn't necessary when exposing the OAuth2RestTemplate, so I have omitted that annotation.

Ideally I'd like to be able to pick and choose which requests use the user's access token and which use the service's client credentials, but I haven't found any resources that do so. Is it even possible?

NotTim

0 Answers
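The following is an added example, not code from the question or from any answer on the page. It shows one way to make the per-endpoint choice the question asks about with the legacy spring-security-oauth2 API: one bean is an OAuth2RestTemplate built on ClientCredentialsResourceDetails (a "client only" resource, so the AccessTokenProviderChain never consults the authorization-code provider that raises the "A redirect is required to get the users approval" error), and the other is a plain RestTemplate whose interceptor relays the bearer token the resource-server filter already validated (read from OAuth2AuthenticationDetails) to the downstream service. Bean names, the controller and its paths are assumptions for illustration; the property names are the ones from the question's YAML. For the autoconfigured single template, Spring Boot 1.x also switches the injected resource details to client credentials when `security.oauth2.client.grant-type: client_credentials` is set, which is the missing piece behind the redirect error.

```java
import java.io.IOException;

import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.client.loadbalancer.LoadBalanced;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.grant.client.ClientCredentialsResourceDetails;
import org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationDetails;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

// Added example (not from the original post): two outbound clients on the customer
// service, selected per endpoint. Bean names are hypothetical.
@Configuration
public class DownstreamClientsConfig {

  // Service identity: client_credentials grant. ClientCredentialsResourceDetails is
  // client-only, so the token chain never tries the redirect-based provider.
  @LoadBalanced
  @Bean(name = "serviceClient")
  public OAuth2RestTemplate serviceClient(
      @Value("${security.oauth2.client.client-id}") String clientId,
      @Value("${security.oauth2.client.client-secret}") String clientSecret,
      @Value("${security.oauth2.client.access-token-uri}") String tokenUri) {
    ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
    details.setClientId(clientId);
    details.setClientSecret(clientSecret);
    details.setAccessTokenUri(tokenUri);
    return new OAuth2RestTemplate(details); // creates its own DefaultOAuth2ClientContext
  }

  // Caller identity: copy the already-validated JWT onto the outgoing request.
  // No token endpoint is contacted, so nothing can ask for a redirect.
  @LoadBalanced
  @Bean(name = "userClient")
  public RestTemplate userClient() {
    RestTemplate template = new RestTemplate();
    template.getInterceptors().add(new BearerRelayInterceptor());
    return template;
  }

  static final class BearerRelayInterceptor implements ClientHttpRequestInterceptor {
    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
      Authentication auth = SecurityContextHolder.getContext().getAuthentication();
      if (auth == null || !(auth.getDetails() instanceof OAuth2AuthenticationDetails)) {
        // Fail closed: never silently downgrade to an unauthenticated downstream call.
        throw new InsufficientAuthenticationException("no bearer token to relay");
      }
      String token = ((OAuth2AuthenticationDetails) auth.getDetails()).getTokenValue();
      request.getHeaders().set(HttpHeaders.AUTHORIZATION, "Bearer " + token);
      return execution.execute(request, body);
    }
  }
}

// The per-endpoint choice is then just which injected client a handler uses.
@RestController
class SalesController {
  private final RestOperations serviceClient;
  private final RestOperations userClient;

  SalesController(@Qualifier("serviceClient") RestOperations serviceClient,
                  @Qualifier("userClient") RestOperations userClient) {
    this.serviceClient = serviceClient;
    this.userClient = userClient;
  }

  // Acts as the customer service itself: inventory-service sees the client's scopes only.
  @GetMapping("/sales/inventory")
  public Object inventoryAsService() {
    return serviceClient.getForObject("http://inventory-service/inventory", Object.class);
  }

  // Acts as the caller: inventory-service sees the user's JWT and can authorize per user.
  @GetMapping("/sales/my-inventory")
  public Object inventoryAsUser() {
    return userClient.getForObject("http://inventory-service/inventory", Object.class);
  }
}
```

Two caveats a practitioner should keep in mind. Relaying the user's JWT only works because the inventory service validates against the same JWK Set, and it inherits the token's remaining lifetime and scopes, so a long chain of hops can fail mid-way when the token expires. The client-credentials token, by contrast, carries no user identity at all, so any endpoint reached through `serviceClient` cannot enforce per-user authorization downstream; use it only where the customer service is genuinely acting on its own behalf.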