Reputation: 83
I'm developing a microservices application that has to authenticate users against an external Identity Provider using SAML2 protocol.
The idea is to use a SPA running in the browser which only talks to the API Gateway and uses Cookies for authentication.
The gateway delegates the Authorization Server to check if each request is authenticated and initialize the SAML2 login if not.
Once the user authenticates, the Authorization server initializes a session and sends back the cookie straight to the browser.
The Authorization Server is actually an OAuth2 Auth Server as well as a SAML2 Service Provider.
For every request coming after the user authenticated, I want internal communications to use OAuth2.
For the authorization server I'm using the Spring Authorization Server package as well as SAML2 Service Provider libraries of Spring Security.
Resource services would use Spring Boot OAuth2 Server library.
I managed to set up the SAML2 client so that the Authorization Server is already generating a Session for the user after IdP authentication and I'm capable of reading the authenticated principal.
For the upcoming requests I want the API Gateway to perform a token replacement by exchanging the Cookie for an OAuth2 access token before forwarding these requests to resource services. Each resource service will then validate these tokens against the authorization server.
What I'm trying to achieve here is to make the API Gateway a Backend-for-Frontend, but I'm struggling to figure out which authorization flow to use given that:
Basically I can't figure out how to exchange the JSessionID for an authorization code.
Any ideas?
Upvotes: 1
Views: 1066
Reputation: 12754
You should not bother about the authentication-code: the BFF (gateway configured as an OAuth2 client) should receive it and exchange it for tokens (access, ID and refresh) during the login process and store those in the session (which should be activated along with CSRF protection).
When requests land on the gateway, the session is replaced with the Bearer access token (kept in session) before being forwarded to the resource server. This behavior is activated with the tokenRelay filter in route properties.
This is frequently referred to as BFF pattern and I created a tutorial for that on Baeldung.
Upvotes: 3
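As an added illustration of the BFF setup the answer describes (not code from the question, the answer or the Baeldung tutorial), here is a Spring Cloud Gateway (WebFlux) configuration that runs the login as an OAuth2 client, keeps a cookie session with CSRF protection, and relays the stored access token to a resource service. The route path, the `resource-service` address and the presence of an OAuth2 client registration in `application.yml` are assumptions.

```java
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example: gateway acting as the BFF. The OAuth2 client registration
// (issuer, client id/secret) is assumed to be declared in application.yml.
@Configuration
@EnableWebFluxSecurity
public class BffGatewayConfig {

    // The gateway is the OAuth2 client: it handles the redirect, receives the code,
    // exchanges it for tokens and stores them in the server-side session.
    // The browser only ever holds the session cookie, never a token.
    @Bean
    SecurityWebFilterChain securityFilterChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(ex -> ex.anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // Cookie sessions need CSRF protection; httpOnly=false lets the SPA read
            // the XSRF-TOKEN cookie and send it back in the X-XSRF-TOKEN header.
            .csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
            .build();
    }

    // WebFlux resolves the CsrfToken lazily; subscribing here makes sure the cookie is written.
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (exchange, chain) -> {
            Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
            return token.then(chain.filter(exchange));
        };
    }

    // TokenRelay swaps the session for "Authorization: Bearer <access token>" on the way out;
    // the session cookie is stripped so it never reaches internal services.
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("resource-api", r -> r.path("/api/**")
                .filters(f -> f.tokenRelay().removeRequestHeader("Cookie"))
                .uri("http://resource-service:8080")) // assumed internal address
            .build();
    }
}
```

The resource service then only needs `spring-boot-starter-oauth2-resource-server` with the authorization server's issuer configured, and it validates the relayed Bearer token itself.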