How to create Spring Cloud gateway filter to add client-credentials access token?

Question

I move from Spring Boot 1.5.20 to Spring Boot 2.1.4. I rewrite my application that was using Zuul and Spring security oauth to Spring cloud gateway and spring-security-oauth2-client.

I try to create spring cloud gateway filter to add JWT bearer token. I'm having issue to write the filter.

Here's the workflow

I've tried to use @RegisteredOAuth2AuthorizedClient but it didn't work with Spring cloud gateway filter. After, I tried oAuth2AuthorizedClientService and to UAA loadAuthorizedClient but there was no access token.

For the code, here's my github-repo!

I expect the Spring cloud gateway filter to add the header Authorization with the JWT Token.

Answer 1

You can create this filter:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.gateway.filter.GatewayFilter;
import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.oauth2.client.AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;

import lombok.Getter;
import lombok.Setter;


public class Oauth2ClientGatewayFilter2 extends AbstractGatewayFilterFactory<Oauth2ClientGatewayFilter2.Config> {


    

    
    @Autowired
    private ReactiveClientRegistrationRepository clientRegistrations;
    
    @Autowired
    private ReactiveOAuth2AuthorizedClientService clientService;

    public Oauth2ClientGatewayFilter2() {
        super(Config.class);
    }

    @Override
    public GatewayFilter apply(Config config) {

        return (exchange, chain) -> {
            
            OAuth2AuthorizeRequest oAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("myClient")
                    .principal("myPrincipal").build();

            
        
            
            ReactiveOAuth2AuthorizedClientManager manager =  new AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager(clientRegistrations,clientService);

            return manager.authorize(oAuth2AuthorizeRequest)
                    .map(client -> client.getAccessToken().getTokenValue())
                    .map(bearerToken -> {
                        ServerHttpRequest.Builder builder = exchange.getRequest().mutate();
                        builder.header(HttpHeaders.AUTHORIZATION, "Bearer " + bearerToken);
                        ServerHttpRequest request = builder.build();
                        return exchange.mutate().request(request).build();
                    }).defaultIfEmpty(exchange).flatMap(chain::filter);

        };


    }

    @Getter
    @Setter
    public static class Config {
        private String clientRegistrationId;
    }


}

and define your OAuth2 configuration in application.yaml:

spring:
  security:
    oauth2:
      client:
        registration:
          myClient:
            client-name: myClient
            client-id: amiga-client
            client-secret: ee073dec-869d-4e8d-8fa9-9f0ec9dfd8ea
            authorization-grant-type: client_credentials         
        provider:
          myClient:
            token-uri: https://myserver.com/auth/oauth/v2/token

You just ask the OAuth2 bearer access token to the ReactiveOAuth2AuthorizedClientManager and set its value in the Authorization header of current request.

Answer 2

This sample shows how to set up Spring Cloud Gateway with Spring Security OAuth2.