How do I properly make a OAuth2 request from the gateway when the incoming request is not authenticated and doesn’t have an access token or the access token wouldn’t work for the downstream request?
I need to make OAuth2 client from the gateway service that’s using Spring Cloud Gateway and Spring Security. Let’s say for /permit-endpoint in the gateway, I need to call another service that’s authenticated with OAuth2 and return that response. The endpoint /permit-endpoint is permitted without authentication for now in the gateway (the gateway should also act as a resource server in the future). Also, even if the incoming request did have the access token it wouldn’t work for the downstream OAuth2 call as those would two different configurations. So, I need to make a call to the token endpoint with correct credentials from the gateway, get the access token, attach it to the request and then call the other service and return back the response. My configuration looks like this:
security:
oauth2:
resourceserver:
jwt:
issuer-uri: <issuer-uri>
jwk-set-uri: <jwk-set-uri>
client:
registration:
sample-client:
client-id: <client-id>
client-secret: <client-secret>
authorization-grant-type: client_credentials
scope: <scope>
provider:
sample-client:
token-uri: <token-uri>
cloud:
gateway:
default-filters:
- DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
- AddResponseHeader=Access-Control-Allow-Origin, *
routes:
- id: getObjects
uri: https://sample.url.com
predicates:
- Path=/getObjects/**
filters:
- RewritePath=/getObjects(?<segment>.*), /sample-api/sampleurl/sampleservice${segment}
- TokenRelay=sample-client
This gives me an error from the downstream service saying * You are not authorized to access this API.* which probably means that the token is not getting added properly to the downstream request. I saw that token relay doesn’t work if there’s no token in the incoming request so I made a filter to make the token call and mutate the request to add the token as an Authorization header. I modified the above configuration as follows:
filters:
- RewritePath=/getObjects(?<segment>.*), /sample-api/sampleurl/sampleservice${segment}
- OAuth2GatewayFilter
OAuth2GatewayFilter:
@Component
public class Oauth2GatewayFilter extends AbstractGatewayFilterFactory<Oauth2GatewayFilter.Config> {
private final ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
public Oauth2GatewayFilter(ReactiveOAuth2AuthorizedClientManager authorizedClientManager) {
super(Config.class);
this.authorizedClientManager = authorizedClientManager;
}
@Override
public GatewayFilter apply(Config config) {
return (exchange, chain) -> {
OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("sample-client")
.principal("dummy")
.build();
return authorizedClientManager.authorize(authorizeRequest)
.flatMap(client -> {
ServerHttpRequest request = exchange.getRequest().mutate()
.header("Authorization", "Bearer " + client.getAccessToken().getTokenValue())
.build();
return chain.filter(exchange.mutate().request(request).build());
});
};
}
public static class Config {
}
}
This doesn’t work as well as it just gives me 200 OK with no response. I am getting a null authorizedClient.