
I used Spring Cloud Gateway 2021.0.2 and Spring Boot 2.6.6: gateway 3.1.2, session 2021.1, security 5.8. My user resource is web, and I use the gateway as an OAuth 2.0 client. This scheme actively uses the redirect mechanism, and it works great.

    1.  GET http://ho299:8080/login  or  http://ho299:9000/users
    2.  GET http://ho299:9000/oauth2/authorization/keycloak
    3.  POST http://kcloak:8080/realms/crm-test/protocol/openid-connect/auth?response_type=code&client_id=crm-app&scope=roles&state=0QkhBXSVB-tlInqCXWUv2BnFodaWuqrABeiwmsRtPyk=&redirect_uri=http://ho299:9000/login/oauth2/code/keycloak
    4.  Login form: enter login and password
    5.  POST http://kcloak:8080/realms/crm-test/login-actions/authenticate?session_code=6wdxHqaU22101_3u2HnmmUyyzcP_nKSuTBeFXpu7G54&execution=a85ae60c-65af-460a-b7b2-720e3608ff52&client_id=crm-app&tab_id=GvMx7LSBHdQ
    6.  POST /realms/crm-test/protocol/openid-connect/token
        grant_type=authorization_code&code=0b3b268f-1567-4c6c-b91c-b0f866c8fcd7.da32c5a8-79d3-4b1b-8e9a-3aa35b44ff8b.504aaa05-a6e6-490b-8d83-ff00752f4e4f&redirect_uri=http%3A%2F%2Fho299%3A9000%2Flogin%2Foauth2%2Fcode%2Fkeycloak
    7.  Keep a mapping session id = access token received in step 5
    8.  GET http://ho299:9000/users with the session (returns SESSION=17c6eac9-c193-476f-bb58-f0dec3ba642c; Path=/; HttpOnly; SameSite=Lax)
    9.  GET http://ho299:9000/users  Session = 17c6eac9-c193-476f-bb58-f0dec3ba642c
    10. GET http://ho11:8181/users  Bearer AccessToken

My gateway application.yml:

    spring:
      security:
        oauth2:
          client:
            provider:
              keycloak:
                issuer-uri: ${KEYCLOAK_URL:http://kcloak:8080}/realms/crm-test
                authorization-uri: http://kcloak:8080/realms/crm-test/protocol/openid-connect/auth
            registration:
              keycloak:
                provider: keycloak
                client-id: crm-app
                client-secret: J9fHivY3GtfVbfc1Y6dnznVCu7IChpGU
                scope:
                  - roles
      # gateway settings belong under the spring: key (spring.cloud.gateway), not at top level
      cloud:
        gateway:
          default-filters:
            - TokenRelay
            - SaveSession
          globalcors:
            corsConfigurations:
              '[/**]':
                allowedOrigins: "*"
                allowedMethods: "*"
                allowedHeaders: "*"
          routes:
            - id: book-route
              uri: ${BOOK_SERVICE_URL:http://ho299:9002}
              predicates:
                - Path=/users/**

However, for the mobile API this scheme does not work for me. How do I set up gateway OAuth2 authentication as follows (through 'grant_type=password')?


1) Send credentials to the gateway:

    curl --location --request POST 'http://ho299:8080/login' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'client_id=crm-app' \
    --data-urlencode 'username=so1' \
    --data-urlencode 'password=so1' \
    --data-urlencode 'grant_type=password'

2) Redirect to Keycloak. It authenticates the credentials.
3) Keycloak returns an access token and the Gateway saves it to the session mapping.
4) Return the session ID issued by the Gateway.
5) Make a request to resource /users, adding the session ID.
6) Downstream request to the resource service, adding the access token.
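The comments below point to RFC 8252 (the mobile app acts as the OAuth client itself, using the authorization code flow with PKCE in the system browser) as the alternative to the password grant sketched above. As an added illustration that is not part of the question or of Spring Security, the Python below builds such an authorization request against the Keycloak endpoint from the question, validates the redirect back to the app (the `state` check is what protects the callback against CSRF and replay), and shows the check the authorization server performs on the PKCE verifier at the token endpoint. The redirect URI `com.example.crm:/oauth2redirect` is a hypothetical native-app URI; the network calls themselves are not made.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Keycloak endpoint taken from the question; client id likewise.
AUTHORIZATION_ENDPOINT = "http://kcloak:8080/realms/crm-test/protocol/openid-connect/auth"
CLIENT_ID = "crm-app"
# Hypothetical private-use URI scheme for the mobile app (RFC 8252 section 7.1).
REDIRECT_URI = "com.example.crm:/oauth2redirect"


def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; base64url of 32 random bytes gives 43."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(verifier)) without padding (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(authorization_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str):
    """Return the URL to open in the system browser plus the per-request secrets to keep."""
    pending = {
        "state": secrets.token_urlsafe(32),      # bound to this request, compared on callback
        "code_verifier": make_code_verifier(),   # never leaves the device until token exchange
    }
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": pending["state"],
        "code_challenge": code_challenge_s256(pending["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return f"{authorization_endpoint}?{urlencode(params)}", pending


def parse_callback(callback_url: str, pending: dict) -> str:
    """Validate the redirect back to the app and extract the authorization code."""
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [None])[0]
    # Constant-time compare; a missing or foreign state means the callback was not ours.
    if state is None or not secrets.compare_digest(state, pending["state"]):
        raise ValueError("state mismatch: callback rejected")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, client_id: str, redirect_uri: str, pending: dict) -> dict:
    """Form body for the token endpoint; no client secret, the verifier proves possession."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": pending["code_verifier"],
    }


def server_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint (RFC 7636 section 4.6)."""
    return secrets.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)


if __name__ == "__main__":
    url, pending = build_authorization_request(AUTHORIZATION_ENDPOINT, CLIENT_ID, REDIRECT_URI, "openid roles")
    print("open in system browser:", url)
    # Constructed callback, as the browser would hand it back to the app after login.
    callback = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={pending['state']}"
    code = parse_callback(callback, pending)
    print("token request body:", build_token_request(code, CLIENT_ID, REDIRECT_URI, pending))
```

The point relative to the flow in the question is that nothing in this exchange needs a gateway-issued session id or a stored password: the app keeps only `state` and `code_verifier` for the duration of one login, and the resource servers receive the bearer token directly, as jzheaux's comment describes.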
  • Any security-aware person knows about the security problems of the Resource Owner Password flow. Why don't you use the standard https://stackoverflow.com/questions/28176288/what-openid-connect-authorization-flow-to-authenticate-mobile-app-users ? You have a wrong design if you need the Resource Owner Password flow. – Jan Garaj Jul 20 '22 at 16:23
  • Have you already taken a look at https://datatracker.ietf.org/doc/html/rfc8252? This outlines an approach that is preferred over the password grant. In that case, the mobile app is the client and then you'd address the resource servers directly instead of trying to negotiate it through a session id. – jzheaux Jul 20 '22 at 17:54
  • In terms of user experience and usability in a mobile app, a redirect to an external browser is not convenient. And there may be technical problems, for example, a missing browser on the phone. Therefore, we chose the direct password transfer scheme. – max_b Jul 21 '22 at 03:37
  • @max_b the password grant is definitely not recommended and exposes a lot of security concerns. We need to keep the in-app browser for mobile authentication. However, were you able to find a solution? I mean authenticating in an external web page while keeping the same session? – Houcem Berrayana Jun 16 '23 at 08:30
