
This is an architecture question. I want to implement an application that processes two kinds of users (admin and clients). Each role can register in the following ways:

  • admin: username/password registration
  • client: Facebook/Google/username&password registration

Based on the user's role, each of them has a specific action for which they are authorized.

From a technology stack, I want to use Java 8, Spring Cloud Netflix and later on Docker and Kubernetes (in order to have auto-heal and auto-scale).

I've implemented Eureka discovery, Config server, Zuul Gateway and I have two microservices, one for each role (to get me started). I don't know at all how to approach the user's authentication/authorization. From what I see, Spring Security 5 no longer supports an Authorization Server and I am supposed to use Keycloak? Should the gateway be the authorization server, or should I create another component that is responsible for authentication? What do I use, how do I implement it, and how do I approach redirection between my authorization server and the business microservice?

I can't really find proper documentation that uses username/password, social login and Spring Cloud Netflix together with Spring Security 5.

2dor
    These days, there are several Authorization Servers to pick from, including Keycloak. However, the Spring Security team has hinted that they may reconsider their decision: https://github.com/spring-projects/spring-security/issues/6320#issuecomment-609978171 – jzheaux Apr 10 '20 at 22:09

2 Answers

Your gateway shouldn't be responsible for handling authentication.

One possibility is using the CAS project. It can run as a microservice to handle the whole authentication process. It can handle multiple auth methods like a database (for username/password) and social media like Google or Facebook.

It comes with a basic setup having a login page and a configured Dockerfile. You can customize everything. Just add the related dependency and add the config in the application.properties. You can customize the frontend.

https://apereo.github.io/cas/6.1.x/planning/Getting-Started.html

By the way: if you use Kubernetes you don't need a gateway or service discovery with Eureka. Kubernetes does this for you.

Chris
  • Thank you for introducing me to CAS. Should only the gateway register with CAS, or every microservice? How is the session saved between multiple REST calls to different services (I don't want the user to log in on any new request that uses a different service)? – 2dor Apr 12 '20 at 06:12
  • I have solved this by using JWT. After login, CAS sends me a token that I store in the browser's localStorage. The microservices use Spring Security 5 to check if the token is invalid or expired. – Chris Apr 12 '20 at 07:02
  • Sorry not in a public repository. If the answer was helpful please consider accepting/upvoting. Thanks! – Chris Apr 13 '20 at 08:52
  1. For API security, after moving to Kubernetes, you can use Envoy or a similar solution.
  2. For authentication and authorisation, you need an identity management system (like Okta or PingFederate, or an open source version like OpenIAM) and then integrate using Spring & OAuth2.
Ankur Kumar
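An added example, not code from the question or from either answer, that ties the two answers together: a Spring Security 5 resource-server configuration for one of the business microservices that validates the JWT issued by the authorization server (Keycloak or CAS, as the first answer's comments describe) and enforces the admin/client split via OAuth2, as the second answer suggests. It assumes Spring Boot 2.2+ with spring-boot-starter-oauth2-resource-server, an issuer that publishes an RS256 JWK set, and tokens carrying a `roles` claim listing `ADMIN` or `CLIENT` plus an `aud` claim naming this service; the property names, URL paths and class names are invented for illustration.

```java
// Added example (not from the question or either answer): one business
// microservice validating the authorization server's JWT with Spring
// Security 5 and enforcing the ADMIN / CLIENT roles.
// Assumptions (not in the thread): Spring Boot 2.2+ with
// spring-boot-starter-oauth2-resource-server; the issuer publishes an RS256
// JWK set; tokens carry a "roles" claim (ADMIN or CLIENT) and an "aud" claim
// naming this service; property names and paths below are invented.
package com.example.demo.security;

import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Assumed property names, e.g. https://auth.example.com/realms/app
    @Value("${app.auth.issuer-uri}")
    private String issuerUri;

    @Value("${app.auth.jwk-set-uri}")
    private String jwkSetUri;

    // The value the authorization server puts in "aud" for this service (assumed).
    @Value("${app.auth.audience}")
    private String audience;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Bearer tokens, not cookies, carry the login state: no server-side
            // session and therefore no CSRF token are needed here.
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .antMatchers("/client/**").hasRole("CLIENT")
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .decoder(jwtDecoder())
                    .jwtAuthenticationConverter(jwtAuthenticationConverter());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // The default validator checks signature, exp/nbf (with clock skew)
        // and iss; the audience check is added so a token minted for another
        // service of the same issuer is rejected by this one.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience =
                new DelegatingOAuth2TokenValidator<Jwt>(withIssuer, new AudienceValidator(audience));
        decoder.setJwtValidator(withAudience);
        return decoder;
    }

    // Map the "roles" claim (assumed name) to ROLE_* authorities so that
    // hasRole("ADMIN") / hasRole("CLIENT") above match.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<String> roles = jwt.getClaimAsStringList("roles");
            if (roles == null) {
                return Collections.<GrantedAuthority>emptyList();
            }
            return roles.stream()
                    .<GrantedAuthority>map(role -> new SimpleGrantedAuthority("ROLE_" + role.toUpperCase()))
                    .collect(Collectors.toList());
        });
        return converter;
    }

    // Rejects tokens whose "aud" does not name this service.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expected;

        AudienceValidator(String expected) {
            this.expected = expected;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            if (jwt.getAudience() != null && jwt.getAudience().contains(expected)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience missing", null));
        }
    }
}
```

With this in place every microservice verifies signature, expiry, issuer and audience locally against the cached JWK set, so no call back to CAS or Keycloak is needed per request and the gateway does not have to be the only party that knows the authorization server. One caveat on the localStorage approach mentioned in the comments: any XSS in the front end can read a token stored there; an httpOnly cookie set by the gateway avoids that, at the cost of bringing CSRF protection back into scope.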