Spring Boot Oauth2 SSO with wso2 identity server using zuul as api-gateway with consul service discovery

Question

We are trying to do a POC in which we are using wso2 identity server as an Oauth2 auth server and we are using ZUUL as API gateway

zuul proxy service

@EnableZuulProxy
@EnableOAuth2Sso
@SpringBootApplication
public class ApiGatewayApplication {

    public static void main(String[] args) {
        SpringApplication.run(ApiGatewayApplication.class, args);
    }
}

application.properties

security.basic.enabled=false
security.oauth2.client.accessTokenUri=https://172.16.0.102:9443/oauth2/token
security.oauth2.client.clientId=erX25bMjkEwIS7ZDxP5vYRM1r5Ya
security.oauth2.client.clientSecret=A2kDWZ_WVProSgf2TuNE15jy8Oga
security.oauth2.client.userAuthorizationUri=https://172.16.0.102:9443/oauth2/authorize
security.oauth2.client.preEstablishedRedirectUri=https://172.16.0.42:8900/resource/greeting
security.oauth2.client.useCurrentUri=false
security.oauth2.resource.userInfoUri=https://172.16.0.102:9443/oauth2/userinfo
security.oauth2.resource.preferTokenInfo=false
server.port=8900
spring.application.name=ZUUL
zuul.ignoreLocalService=false
server.ssl.key-store=wso2carbon.jks
server.ssl.key-store-password=wso2carbon
server.ssl.keyStoreType=jks
security.oauth2.client.grantType=authorization_code

zuul.routes.resource.path=/resource/**
zuul.routes.resource.url=https://localhost:8090

now we are facing 2 problems

1. we are not able to integrate CONSUL and ZUUL service, my service is able to register with CONSUL but when I add @EnableZuulProxy to my service is not able to connect to consul it throws an exception

   com.ecwid.consul.transport.TransportException: java.net.ConnectException: Connection refused: connect

2. we are able to redirect to wso2 IS's login page now when we try login it tries to redirect me back to call back URL but my browser is not able to get an access token and it says too many redirects. I am not able to understand, is it because of my configuration or anything else. I tried to clear my history as suggested when I googled it but it's not working

if anybody have any idea about this please help.....

Answer 1

whatever Kenny has suggested is valid but in our case, we were facing redirect loop issue because we were using self-signed certificate when we installed the certificate in trust store it worked!!! also some modification in properties were needed for wso2 that we came to know after installation of certificates

security:
  oauth2:
    client:
      clientId: fdrfsdgersdgdrf
      clientSecret: dsgardgdfgadfgad
      accessTokenUri: https://localhost:9443/oauth2/token
      userAuthorizationUri: https://localhost:9443/oauth2/authorize
      clientAuthenticationScheme: form
      scope: openid
      use-current-uri: true
    resource:
      userInfoUri: https://localhost:9443/oauth2/userinfo?schema=openid
spring:
  resources:
    chain:
      enabled: true

server:
  ssl:
    key-store: localhost.pfx
    key-password: localhost
    key-store-type: PKCS12

    trust-store: localhost.pfx
    trust-store-password: localhost
    trust-store-type: PKCS12
  port: 8080

I have solved my first issue by changing dependency in POM

Before

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-consul-all</artifactId>
</dependency>

After

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-consul-discovery</artifactId>
</dependency>

Answer 2

I think what may be happening for your 2nd problem is that the OAuth2 authorization/resource server is caught in a redirect loop with the gateway.

Your login successfully redirects you to your /resource/greeting page, which I assume is a protected resource. The gateway is then unable to validate your token and redirects you back to login (which has your session already validated, and it redirects you back).

You need to determine for what reason the gateway can't validate the token. There are a few things you can try, which can reveal the underlying issue.

The first thing is to try validating the token using CURL commands. After you retrieve a valid token from the auth server, add the bearer token to your request header when getting a protected resource, like https://172.16.0.42:8900/resource/greeting or https://172.16.0.102:9443/oauth2/userinfo.

If you can validate the token using CURL, you know you've got things setup correctly and that your gateway should be able to call back to the resource server to get the authenticated user's info. If this is the case, then you can diagnose the issue in the gateway application.

At this point, one possibility might be related to an invalid CSRF token. I've put an example together that is similar to what you'd like to do and have disabled the CSRF token. Disabling CSRF in the gateway is just for diagnosis purposes, and not recommended as a long term solution.

https://github.com/kbastani/spring-cloud-event-sourcing-example/blob/master/edge-service/src/main/java/demo/EdgeApplication.java#L28

There are also some issues with your configuration on your Zuul gateway. You seem to be routing /resources/** to https://localhost:8090. If I'm correct in assuming, because of this you're not securing the services you're proxying to from the gateway. It's recommended that your backend services dictate which of its resources are protected, so that the gateway can serve both protected and unprotected API resources.

See the configuration in this example:

https://github.com/kbastani/spring-cloud-event-sourcing-example/blob/master/edge-service/src/main/resources/application.yml#L38

As for your first issue, I don't have a good answer. I suspect that the default connection URL to Consul is changed for the case where you add @EnableZuulProxy. I would breakpoint your application in the Consul configuration properties class. See here:

https://github.com/spring-cloud/spring-cloud-consul/blob/master/spring-cloud-consul-discovery/src/main/java/org/springframework/cloud/consul/discovery/ConsulDiscoveryProperties.java