0

I have an API gateway in front of my Spring Boot app. This API gateway performs the oauth2 authentication and validation of the JWT token for me. My app receives the valid JWT token as HTTP header.

How can I combine this JWT token with the standard Spring security? I want to use the user groups passed in the JWT token for access control to my REST endpoints. And how can I avoid double validation of the JWT (on API gateway and service side)?

Improve this question

2 Answers 2

Reset to default
1

Configure Spring REST APIs secured with OAuth2 as resource-servers. Tutorials here.

This can be as simple as:

<dependency> <groupId>com.c4-soft.springaddons</groupId> <!-- replace "webmvc" with "weblux" if your app is reactive --> <!-- replace "jwt" with "introspecting" to use token introspection instead of JWT decoding --> <artifactId>spring-addons-webmvc-jwt-resource-server</artifactId> <!-- this version is to be used with spring-boot 3.0.0-RC1, use 5.x for spring-boot 2.6.x or before --> <version>6.0.4</version> </dependency> 
@EnableMethodSecurity public static class WebSecurityConfig { } 
com.c4-soft.springaddons.security.issuers[0].location=https://localhost:8443/realms/master com.c4-soft.springaddons.security.issuers[0].authorities.claims=realm_access.roles,ressource_access.some-client.roles com.c4-soft.springaddons.security.cors[0].path=/some-api
Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Your example performs JWT validation against the identification server among other things, correct? How can I skip this? The JWT token has already been validated in the API gateway in an earlier step. To be precise, I actually only need the transfer of roles from JWT to Spring security.
If you want to avoid double validation, don't do it in gateway: just forward headers. JWT decoders implementation do perform validation too (which is an inexpensive task). It's going to be complicated to skip it. Also, keep things simple and have all of a resource access-decision at one place (and token validity is an important security check), preferably where you can unit-test it.
In our microservices mesh, we use different implementations of microservices in different programming languages. Therefore, authentication on the API side has its appeal. What do you say to the following approaches? Which one could lead to success? 1. implement a OnceRequetsFilter to get the JWT and then add it to the Spring Security filter chain. 2. overrides the JwtDecoder (JwtDecoders.fromIssuerLocation(...)) we a new behavior.
Whatever the language / framework, a REST API in the context of OAuth2 is a resource-server and should be able to decode JWTs (or introspect tokens depending on authorization-server configuration). It should also be able to take access decisions based on this tokens. If it's much easier to implement (and unit-test) that with Spring (as well as providing with data serialization, exception management, inter-service communication, monitoring, logging, tracing,... ) just use Spring and drop the rest.
0

If you can absolutely control that all interactions to your microservice will always be routed through API Gateway and if Gatway is the sole entity responsible for validation and verification of the JWT token,

  1. you can simply disable Oauth2 resource server configuration in your microservice app's security config and instead accept the verified JWT via an HTTP header.
  2. Possibly a custom security filter plugged into the security filter chain can then take the responsibilty of building an Authentication Token with it's authorities (GrantedAuthority) mapped to user groups in JWT.
  3. The authentication token can also be customized to include all the other relevant information extracted from JWT that your service will need to make any further authorization decisions.
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.