在REST微服务上使用Zuul Proxy，Oauth2实施身份验证和授权 [英] Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices

问题描述

我正在尝试使用Spring Boot在工作流中实现上述架构.

I am trying to implement the above architecture in the workflow with Spring Boot.

• Web客户端通过Zuul代理向资源服务器(微服务端点)发出请求.
• Zuul代理重定向到oauth2服务器进行身份验证.
• 如果请求已通过身份验证，则Oauth2重定向到Zuul代理.
• 如果未通过身份验证，Zuul将使用未经身份验证的响应重定向Web客户端.
• 如果已通过身份验证，则Zull代理将重定向到请求的微服务端点.
• 微服务端点检查用户是否被授权(用户级别访问)访问资源.
• 微服务还可以在内部调用其他微服务.
• 最后，请求的资源被发送回客户端.

我想确保我遵循正确的工作流程.

I want to make sure I am following the correct workflow.

我想知道是否有解决方案实现了类似的微服务API安全保护.

I would like to know if there is any solution which has implemented a similar kind for securing microservices APIs.

我对以下问题感到困惑

• 我们如何将用户详细信息传递给微服务，以便微服务可以进行自己级别的用户授权?
• 是否应将OAuth2访问令牌标头传递给每个微服务，以便微服务可以分别验证令牌?
• 每个微服务是否都应使用秘密凭据来验证访问令牌，以使令牌不能沿着请求链伪造?

我知道这是一个冗长的问题.但是我还没有找到上述架构的合适解决方案.

I know its a bit of lengthy question. But I have not found a proper solution to above architecture.

推荐答案

不幸的是，我没有完整的答案，只有部分内容:

Unfortunately, I don't have complete answer, only some parts:

一旦JWT令牌可用于zuul代理，那么每个微服务都可以通过配置其资源服务器来授权请求​​，例如

Once JWT token is available to the zuul proxy then every microservice can authorize requests by configuring its resource server, e.g.

 @Override
  public void configure(HttpSecurity http) throws Exception {
    http
        .authorizeRequests().anyRequest().access("#oauth2.hasScope('microserviceA.read')").and()
        .csrf().disable()
        .httpBasic().disable();
  }

范围可以由oauth微服务与数据库一起管理-基于客户端凭据，它将获取范围信息并编码为JWT令牌.

Scopes could be managed by the oauth microservice with a database - basing on the client credentials it will take the scopes info and encode into JWT token.

我目前不知道的是-如何使zuul代理使用"Web客户端"凭据通过oauth授权自己-我不想对zuul代理凭据进行硬编码，因为那时Web-客户信誉将不会被使用.

What I don't know at the moment - how to make the zuul proxy to use "web client" credentials to authorize itself by the oauth - I don't want to hard-code zuul proxy credentials because then the web-client creds won't be used.

我刚刚在这个主题上发布了类似的问题: 通过带有oauth服务器的Zool通过spring网关对请求进行授权

I've just posted similar question on this topic: Authorizing requests through spring gateway with zool via oauth server

更新: 我发现了几乎描述此配置的文章(没有eureka，但从我的经验来看并没有增加太多复杂性):

update: I've found article describing almost this configuration (without eureka, but it doesn't that add much complexity from my experience): https://www.baeldung.com/spring-security-zuul-oauth-jwt, there is github project with source code. The source code is unfortunately not polished as it's being used by the author for his commercial courses. But I've managed to build from his examples working set.

总结:在所描述的体系结构中，每个资源服务器(微服务A，B，..)都从请求客户端接收由zuul代理/网关转发的JWT令牌.令牌在请求标头中转发.如果没有提供有效令牌，则网关会将请求重定向到授权页面. 此外，每个资源服务器都可以使用oauth服务检查令牌，如果需要，请按照我上面的描述进行作用域检查.

Summary: in the described architecture every resource server (microservice A, B, ..) receive JWT token forwarded by the zuul proxy/gateway from the requesting client. The token is forwarded in a request header. If there is no valid token provided then the gateway will redirect the request to authorization page. Also every resource server can check the token with the oauth service and if required do scope checking as I wrote above.

这篇关于在REST微服务上使用Zuul Proxy，Oauth2实施身份验证和授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！