spring-authorization-server
How-to: Use Spring Authorization server behind Spring Cloud Gateway
Publish a guide on How-to: Implement the core services behind Spring Cloud Gateway:
Related #499
When can I expect this guide?
Kind reminder, guys. I would appreciate it if someone could write me some configuration steps before the official documentation is ready.
@rcbandit111 It will be a while before we get to this as there are a few higher priority tasks we need to work on first.
If someone in the community can help that would be great. cc @spencergibb
@jgrandja Thank you for the response. I will wait for further information.
No additional configuration is required if it is only used behind a gateway. However, in the case of load balancing, Spring Session support is required, because the server uses the session to associate authentication actions.
Does this suit your needs? #807
@salutonmondo I believe this issue is addressing using Spring Authorization Server behind Spring Cloud Gateway, whereas the sample you submitted treats SAS as an identity provider but does not route the requests to it. When we look more deeply at this issue, we'll have to think about what use cases make sense for putting SAS behind the gateway. One that I can think of, for example, is rate limiting to protect the authorization server or specific endpoints from malicious clients.
@salutonmondo Thanks for your demo, I added some comments there in your https://github.com/spring-projects/spring-authorization-server/pull/807, could you shed some light?
Use a database to share data between auth servers; this can resolve the load balancing problem.
Any update recently?
Hi, any update?
I once needed this. After some research, I found that what I really need is how to use Spring Cloud Gateway as a resource server and verify the token from this single point. Finally I managed to do this, and I don't think I need the auth server to sit behind Spring Cloud Gateway now. Here is my current demo architecture.
The benefit: I just verify the token in Spring Cloud Gateway and pass the resolved user id as an HTTP header to my downstream microservices, and all my microservices now don't even have a dependency on Spring Security.
I once used Spring Cloud Gateway as an OAuth2 client (almost every tutorial on the internet does this), and I think that is too academic/complex and not feasible at all in a real large application.
Good advice. How does SCG both verify the token and then pass the request? Use a filter?
@zhenhe Yes, a single UserHeaderFilter will do the job, and here is an example: https://stackoverflow.com/a/71485398/2497876
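A sketch of the gateway-side pattern discussed above, added here as an example; it is not code from this thread or from the linked Stack Overflow answer. The class name `UserIdHeaderFilter` and the header name `X-User-Id` are assumptions, and the gateway is assumed to already be configured as a reactive OAuth2 resource server that validates JWT bearer tokens.

```java
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

// Hypothetical filter; names are assumptions, not taken from the thread.
@Component
public class UserIdHeaderFilter implements GlobalFilter, Ordered {

    static final String USER_HEADER = "X-User-Id"; // assumed header name

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        return ReactiveSecurityContextHolder.getContext()
                .map(SecurityContext::getAuthentication)
                .filter(JwtAuthenticationToken.class::isInstance)
                .cast(JwtAuthenticationToken.class)
                // Subject of the token the resource-server layer has already verified.
                .map(auth -> withUserHeader(exchange, auth.getToken().getSubject()))
                // No verified JWT: still strip any client-supplied copy of the header.
                .switchIfEmpty(Mono.fromSupplier(() -> withUserHeader(exchange, null)))
                .flatMap(chain::filter);
    }

    private static ServerWebExchange withUserHeader(ServerWebExchange exchange, String userId) {
        ServerHttpRequest request = exchange.getRequest().mutate()
                .headers(headers -> {
                    headers.remove(USER_HEADER); // never forward the caller's own value
                    if (userId != null) {
                        headers.set(USER_HEADER, userId);
                    }
                })
                .build();
        return exchange.mutate().request(request).build();
    }

    @Override
    public int getOrder() {
        return -1; // run before the gateway's routing filters
    }
}
```

Downstream services that trust this header without running Spring Security themselves should only be reachable through the gateway, since any caller that can reach them directly can set the header itself.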
Hi. Can you make a sample repo? Many thanks.