通过OAuth服务器通过带有Zool的Spring网关授权请求 [英] Authorizing requests through spring gateway with zool via oauth server
问题描述
我的应用程序在具有(zuul)代理的(spring)网关后面具有微服务.也有内部(春季)oauth2授权服务器.我想为外部微服务调用实现client_credentials授予类型-用于M2M通信.
My application has microservices behind (spring) gateway with zuul proxy. There is also internal (spring) oauth2 authorization server. I want to implement client_credentials grant type for my microservices calls from outside - for M2M communication.
当我在其应用程序中为网关client_id和client_secret配置时.yml请求通过网关发出,但没有请求者检查-oauth授权网关本身,因此根本没有任何授权.我可以使用授权码授予类型,但随后它需要Web客户端授权,而该用户可能没有(Web客户端)用户.
When I configure for the gateway client_id and client_secret in its application.yml requests come through the gateway but there is no requester check - oauth authorizes the gateway itself, as a result there is no authorization at all. I could use authorization code grant type, but then it would require web-client authorization which (web client) user might not have.
如果我从oauth微服务请求身份验证令牌,那么我将获得此应用程序的正确令牌.
If I request authentication token from the oauth microservice, I get correct token for this app.
如何强制网关使用请求者的client_id和client_secret从oauth获取令牌? -例如我可以通过标头提供它们作为基本授权. 还是可以将请求者从oauth获得的令牌提供给网关?
How can I force the gateway use the requester's client_id and client_secret to get token from oauth? - e.g. I can provide them as basic authorization via header. Or can I provide to the gateway the token obtained by the requester from oauth?
The question is very similar to another one: Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices except the thing that there might be no web client, but an external microservice.
推荐答案
I have answered the question Implementing authentication and authorization using Zuul Proxy, Oauth2 on REST Microservices.
在我的情况下,最重要的是配置zuul代理以将授权标头转发到下游服务.最初,我考虑过使用zuul过滤器,但解决方案要简单得多-只需为zuul配置敏感标头即可:
In my case the most important thing was to configure zuul proxy to forward authorization header to downstream services. Initially I thought about using zuul filters, but solution was much simpler - just configure sensitive headers for zuul:
server:
port: 8080
zuul:
sensitiveHeaders: Cookie,Set-Cookie # <--- this line
routes:
spring-security-oauth-resource:
path: /spring-security-oauth-resource/**
url: http://localhost:8081/spring-security-oauth-resource
oauth:
path: /oauth/**
url: http://localhost:8083/spring-security-oauth-server/oauth
使用oauth成功验证客户端/用户的身份后,网关将把JWT令牌转发到下游. 当然,对于此网关,必须允许未经授权的访问oauth资源,并要求对所有其他资源进行身份验证.
After successful authentication of a client/user with oauth JWT token will be forwarded to downstream by the gateway. Certainly, for this gateway must allow unathenticated access to oauth resource and require authentication for all others.
有关主题的更多详细信息,请参见文章 https://www.baeldung.com/spring-security-zuul-oauth- jwt
More details on the topics can be found in the article https://www.baeldung.com/spring-security-zuul-oauth-jwt
这篇关于通过OAuth服务器通过带有Zool的Spring网关授权请求的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
