Moolerian

Reputation: 562

Spring cloud gateway + spring authorization server api call with postman with bearer token

This is my Spring Cloud Gateway config:

    spring:
      security:
        oauth2:
          client:
            # parent keys restored for context; the question showed only the subtree below
            registration:
              gateway-client:
                provider: auth-service
                client-id: coreInsurance
                client-secret: F1656E3D-FA7D-FE68-891F-24AFDB30BD1F
                authorization-grant-type: authorization_code
                client-authentication-method: client_secret_basic
                redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
                scope: openid,read
                client-name: gateway-client
            provider:
              auth-service:
                issuer-uri: http://localhost:8000
                userinfo-uri: http://localhost:8000/userinfo
                jwk-set-uri: http://localhost:8000/oauth2/jwks
                authorization-uri: http://localhost:8000/oauth2/authorize
                token-uri: http://localhost:8000/oauth2/token
                user-name-attribute: sub

and this is the security config:

    // Snippet from a @Configuration class: `ssl` and `postLogoutRedirectUri` are fields
    // and `logoutHandler()` is another bean of that class; neither is shown in the question.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ReactiveClientRegistrationRepository repository) {
        if (ssl) {
            http.redirectToHttps(Customizer.withDefaults());
        }

        http.headers(headerSpec -> headerSpec
                .referrerPolicy(referrerPolicySpec -> referrerPolicySpec
                        .policy(ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.NO_REFERRER_WHEN_DOWNGRADE)));

        // CSRF token stored in a cookie readable by the browser front end
        http.csrf(csrf -> csrf
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler()));

        http.authorizeExchange(authorize -> authorize.anyExchange().authenticated());

        // Browser flow: OIDC login, authorized client kept in the web session
        http.oauth2Login(loginSpec -> loginSpec.authorizedClientRepository(authorizedClientRepository()))
                .logout(logoutSpec -> logoutSpec.logoutHandler(logoutHandler())
                        .logoutSuccessHandler(logoutSuccessHandler(repository))
                        .requiresLogout(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET,
                                LOGOUT_PATH))); // LOGOUT_PATH: placeholder, the path was truncated in the original
        return http.build();
    }

    @Bean
    public ServerOAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new WebSessionServerOAuth2AuthorizedClientRepository();
    }

    @Bean
    public ServerLogoutSuccessHandler logoutSuccessHandler(ReactiveClientRegistrationRepository repository) {
        // RP-initiated logout: ends the gateway session and redirects to the provider's end-session endpoint
        var successHandler = new OidcClientInitiatedServerLogoutSuccessHandler(repository);
        successHandler.setPostLogoutRedirectUri(postLogoutRedirectUri);
        return successHandler;
    }

and this is the route config:

    spring:
      cloud:
        gateway:
          discovery:
            locator:
              enabled: true
              lower-case-service-id: true
          default-filters:
            - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
            - TokenRelay
          routes:
            - id: person-service
              uri: lb://person-service
              predicates:
                - Path=/api/person/**
              filters:
                - RewritePath=/api/person/(?<path>.*), /$\{path}

When I call http://localhost:8060/api/agent/agent/types in the browser, the user is redirected to the SSO server and back, and everything is fine: the API is called and the response is returned.

But

my issue is that I want to call that API from Postman with a Bearer token.

** Imagine I have the bearer token from the SSO via another API call. **

I think I should load the OIDC user and Principal from the SSO by bearer token in some way,

but how?

Upvotes: 0

Views: 163

Answers (1)

ch4mp

Reputation: 12754

Requests are authorized with a Bearer token only between the gateway (on routes with TokenRelay) and the resource server(s). In front of the gateway, requests are authorized with session cookies.

Two options for your Postman requests:

  • you get a Bearer token from your authorization server and send requests directly to the resource server(s) (for instance to person-service, without the /api/person prefix)
  • use the Postman Interceptor to get your browser cookie (after you have logged in with it) and send the request to the gateway with this cookie (with the /api/person prefix)

Upvotes: 0
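As an added example (not part of the question or the answer above), here is one way to let the same gateway accept a bearer token from Postman while keeping the browser session flow: a second, higher-priority filter chain that matches only requests carrying an `Authorization: Bearer` header and validates the JWT against the authorization server, leaving all other requests to the oauth2Login chain from the question. It assumes the gateway also has `spring-boot-starter-oauth2-resource-server` on the classpath and `spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:8000`; class, bean and constant names are mine.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;

@Configuration
public class GatewaySecurityConfig { // hypothetical name

    // Matches only requests that carry "Authorization: Bearer ..." (e.g. from Postman).
    private static final ServerWebExchangeMatcher BEARER_REQUESTS = exchange -> {
        String auth = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
        boolean bearer = auth != null && auth.regionMatches(true, 0, "Bearer ", 0, 7);
        return bearer ? ServerWebExchangeMatcher.MatchResult.match()
                      : ServerWebExchangeMatcher.MatchResult.notMatch();
    };

    // Chain 1: stateless JWT validation for bearer requests. The JWT issuer and JWK set
    // come from spring.security.oauth2.resourceserver.jwt.issuer-uri (assumed to be
    // http://localhost:8000, the same issuer as the client registration in the question).
    @Bean
    @Order(1)
    SecurityWebFilterChain bearerChain(ServerHttpSecurity http) {
        http.securityMatcher(BEARER_REQUESTS);
        http.oauth2ResourceServer(rs -> rs.jwt(Customizer.withDefaults()));
        // No session and no cookie on this chain, so there is no CSRF surface to protect.
        http.csrf(ServerHttpSecurity.CsrfSpec::disable);
        http.authorizeExchange(ex -> ex.anyExchange().authenticated());
        return http.build();
    }

    // Chain 2: everything else keeps the browser flow from the question
    // (oauth2Login, authorized client in the web session, CSRF cookie).
    @Bean
    @Order(2)
    SecurityWebFilterChain sessionChain(ServerHttpSecurity http) {
        http.authorizeExchange(ex -> ex.anyExchange().authenticated());
        http.oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

On the bearer chain the principal is a JWT authentication, not an OAuth2AuthenticationToken, so TokenRelay has no authorized client to relay and the gateway forwards the incoming Authorization header unchanged to person-service (check this against the TokenRelay filter of your Spring Cloud Gateway version).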
