Reputation: 1809
I have AWS API Gateway in front, with API Gateway passing through to the direct HTTP endpoint of an ALB (Application Load Balancer), and ECS Fargate as the ALB target group. I have 3 microservices developed in Spring Boot.
Now I want to integrate OAuth2 and Spring Security for my REST APIs. How do I integrate it with AWS API Gateway? I am not using Lambda and don't want to use AWS Cognito.
What is the architecture, and how can I integrate OAuth2 with multiple microservices?
Upvotes: 4
Views: 4360
Reputation: 139
Not sure if you are asking how to use Spring Security to secure your microservices or (if you already have Spring Security configured) how to configure AWS API Gateway to authenticate requests using Spring Security before invoking your microservices. But I will try to cover both in my short answer below.
To secure your AWS API Gateway endpoints, you will need to use AWS Lambda Authorizer to achieve what you are after. Here is the documentation you need (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html). You don't have to use AWS Cognito to implement API Gateway security. The Lambda Authorizer you create can authenticate requests based on any library or framework or model you already have implemented in your microservices.
In my answer, I am making the following assumptions:
In a nutshell, create a Lambda Authorizer using Java (follow the tutorial in the first link). The idea is that you specify the HTTP header that includes the OAuth bearer token (typically this is the 'Authorization' header). Then you configure your API Gateway endpoint to pass this header to your Lambda Authorizer. Once the Lambda Authorizer function receives the header, it can then use the Spring Security library to validate the bearer token (see the second link above on how this is achieved). If the bearer token was successfully validated, then the output of the Lambda Authorizer must be a policy document (see this link https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-lambda-authorizer-output.html) that tells the API Gateway whether to allow the request or deny it.
From an architecture perspective, it is much cleaner to implement your microservices as individual Lambda functions (if possible) and then secure them using an API Gateway Lambda Authorizer as described above.
I hope this gives some guidance to you on how to go forward.
Upvotes: 4
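The flow described in the answer above, sketched as an added example (not code from the answer or from AWS): a TOKEN-type Lambda authorizer in Java that validates the bearer token with Spring Security's `NimbusJwtDecoder` and returns an allow or deny policy document. It assumes JWT access tokens, the `aws-lambda-java-core` and `spring-security-oauth2-jose` dependencies, and a hypothetical `JWKS_URI` environment variable; the class name is also hypothetical.

```java
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import java.util.List;
import java.util.Map;

// TOKEN-type authorizer: API Gateway puts the configured header value in
// "authorizationToken" and the invoked method's ARN in "methodArn".
public class BearerTokenAuthorizer
        implements RequestHandler<Map<String, Object>, Map<String, Object>> {

    // Assumption: JWKS_URI is an environment variable you define, pointing at
    // your authorization server's JWK Set endpoint.
    private static final JwtDecoder DECODER =
            NimbusJwtDecoder.withJwkSetUri(System.getenv("JWKS_URI")).build();

    @Override
    public Map<String, Object> handleRequest(Map<String, Object> event, Context context) {
        String header = (String) event.get("authorizationToken");
        String methodArn = (String) event.get("methodArn");
        // Missing or non-bearer header: fail closed
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return policy("anonymous", "Deny", methodArn);
        }
        try {
            // decode() verifies the signature against the JWK Set and rejects expired tokens
            Jwt jwt = DECODER.decode(header.substring(7).trim());
            String subject = jwt.getSubject() != null ? jwt.getSubject() : "unknown";
            return policy(subject, "Allow", methodArn);
        } catch (JwtException e) {
            // Bad signature, expired or malformed token: fail closed
            return policy("anonymous", "Deny", methodArn);
        }
    }

    // Builds the authorizer output: a principal plus an IAM policy document
    private static Map<String, Object> policy(String principalId, String effect, String resource) {
        Map<String, Object> statement = Map.of(
                "Action", "execute-api:Invoke",
                "Effect", effect,
                "Resource", resource);
        return Map.of(
                "principalId", principalId,
                "policyDocument", Map.of("Version", "2012-10-17", "Statement", List.of(statement)));
    }
}
```

The default decoder checks signature and timestamps only; to also pin the issuer, set `JwtValidators.createDefaultWithIssuer(...)` on the decoder. The Spring Boot services behind the ALB should still validate the token themselves as resource servers, since the ALB endpoint is reachable without passing through the authorizer unless network access to it is restricted.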