We have an API gateway in front of the auth provider and the microservices (resource servers). In this architecture, we don't need to get the JWT by the authorization_code grant type and fire two calls, as we don't have external OAuth clients and the only client is the gateway.

There is a sample app implemented by Joe Grandja for implementing OAuth with Spring Cloud and API Gateway. That is awesome, but it works based on a web session and the authorization_code grant type.

What that means is a stateful pattern: between the browser and the gateway we have a JSESSIONID and an active server-side session in the gateway, and the session between the gateway and the auth provider (UAA) is used to store the authorization request, to get the code and then the token.

I don't know what the point is here of having active sessions and using authorization_code when both the auth provider and its client (the gateway) are in the same domain.

The design I am thinking of is based on a fully stateless pattern. Browsers or mobile apps should send the token for each request in the header. We get rid of cookie-based authentication, CSRF could be disabled, and so on; also, the gateway doesn't need to allocate memory for session objects. We can have multiple auth-provider instances with a single gateway if we want, etc.

There shouldn't be any problem implementing this from scratch, but I am wondering whether Spring OAuth2 supports the implicit grant type when we are using:

NoOpServerSecurityContextRepository.getInstance()

The default SecurityContextRepository in Spring is WebSessionServerSecurityContextRepository, and in the sample app that I mentioned above, when I changed this to NoOpServerSecurityContextRepository I am getting an exception because the grant type is 'authorization_code' and Spring needs to store the request in the session.

So, I am looking to find an implementation for the implicit grant type in Spring.

Thanks,
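As an added example (not code from the question or from Joe Grandja's sample app), below is a stateless Spring Security WebFlux filter chain of the kind the post describes for the gateway: no server-side session, CSRF switched off, and every request validated by the bearer JWT it carries. It assumes Spring Security 5.2+ with spring-security-oauth2-resource-server and spring-security-oauth2-jose on the classpath; the class name and the ISSUER_URI value are placeholders, not anything from the post.

```java
package example.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;

/**
 * Stateless gateway security: the gateway acts as a resource server for its own
 * edge and validates the JWT on every request instead of keeping a web session.
 * Assumed example configuration, not the sample project's own code.
 */
@Configuration
@EnableWebFluxSecurity
public class StatelessGatewaySecurityConfig {

    // Placeholder issuer; replace with the real auth provider / UAA issuer URI
    // that publishes an OpenID discovery document and a JWK set.
    private static final String ISSUER_URI = "https://auth.example.invalid/uaa/oauth/token";

    @Bean
    public ReactiveJwtDecoder jwtDecoder() {
        // Resolves the JWK set through the issuer's discovery document and
        // checks signature, expiry and the "iss" claim on every token.
        return ReactiveJwtDecoders.fromIssuerLocation(ISSUER_URI);
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                         ReactiveJwtDecoder jwtDecoder) {
        return http
            // The SecurityContext lives only for the current exchange, so the
            // gateway never creates a WebSession or issues a JSESSIONID cookie.
            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
            // With no cookie-bound session there is nothing for CSRF to exploit,
            // so the synchronizer-token check can be disabled.
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            // No login pages: an unauthenticated request gets 401 with a
            // WWW-Authenticate: Bearer challenge rather than a redirect.
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/actuator/health").permitAll()
                .anyExchange().authenticated())
            // Every other request must carry "Authorization: Bearer <jwt>";
            // the decoder above validates it locally against the JWK set.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtDecoder(jwtDecoder)))
            .build();
    }
}
```

With this chain the gateway holds no per-user state: a restart, or adding a second gateway or auth-provider instance, changes nothing for clients, because the only thing the gateway needs to validate a request is the issuer's public key set. Token issuance itself still happens at the auth provider; the gateway only verifies what the client presents.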