Reputation: 577
My problem is that I have two different Keycloak realms and, depending on which route you are going to, I need to authenticate against one of those, without needing to show the default login selection of Spring Security.
I've been grinding at this for days, and only now realised that, when requesting an authenticated path, filters and predicates from Spring Cloud Gateway are only executed once you are authenticated.
Because my idea is to either have a predicate or filter configured for a route (in application.yml), with a shortcut parameter. That shortcut parameter is written into the WebExchange session as an attribute during the predicate / filter, which a custom login controller can then read and decide what ClientRegistration to use.
Is there another way to achieve the goal from my first paragraph?
If not, how can I get Spring Cloud Gateway to run Predicates or Filters before redirecting to the AuthenticationEntryPoint? Not writing RouteLocator code. I wouldn't want to mix and match config via YAML and code. Smells only of trouble down the road.
Cheers, dscham
Upvotes: 0
Views: 65
Reputation: 577
I found a way to do what I wanted.
It's not pretty. But what I did in the end was writing a Spring Security WebFilter that uses a RouteDefinitionLocator to get the configured routes. And gets the matching RouteDefinition from those.
On the route, I added a metadata entry, containing the client registration name. Which I write to a session attribute in the WebFilter.
Then I have a RestController which is redirected to for AuthenticationEntryPoint. In the Controller, I redirect to the authorization endpoint according to the client registration session attribute.
I'll post the code at a later point, as I'm on sick leave right now.
Upvotes: 0
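A sketch of the approach described in the answer above, added as an example; it is not the answer author's code. The class names, the metadata key `client-registration`, the session attribute name and the `/login/realm` path are assumptions, and route matching is narrowed to shortcut-style `Path` predicates.

```java
import java.net.URI;
import org.springframework.cloud.gateway.route.*;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.PathContainer;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.server.*;
import org.springframework.web.util.pattern.PathPatternParser;
import reactor.core.publisher.Mono;

class RealmSelectionFilter implements WebFilter {
    static final String ATTR = "clientRegistrationId";         // assumed session attribute name
    static final String METADATA_KEY = "client-registration";  // assumed route metadata key
    private final RouteDefinitionLocator routes;
    RealmSelectionFilter(RouteDefinitionLocator routes) { this.routes = routes; }
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        PathContainer path = exchange.getRequest().getPath().pathWithinApplication();
        return routes.getRouteDefinitions()
            .filter(rd -> matchesPath(rd, path)).next()          // first route whose Path matches
            .mapNotNull(rd -> rd.getMetadata().get(METADATA_KEY))
            .zipWith(exchange.getSession())
            .doOnNext(t -> t.getT2().getAttributes().put(ATTR, t.getT1().toString()))
            .then(Mono.defer(() -> chain.filter(exchange)));     // always continue the chain
    }
    // Assumption: only shortcut-style Path predicates (Path=/a/**,/b/**) are evaluated.
    private boolean matchesPath(RouteDefinition rd, PathContainer path) {
        return rd.getPredicates().stream()
            .filter(p -> "Path".equals(p.getName()))
            .flatMap(p -> p.getArgs().values().stream())
            .anyMatch(pattern -> PathPatternParser.defaultInstance.parse(pattern).matches(path));
    }
}

@RestController
class RealmLoginController {
    private final ReactiveClientRegistrationRepository registrations;
    RealmLoginController(ReactiveClientRegistrationRepository r) { this.registrations = r; }
    @GetMapping("/login/realm")  // assumed path; the AuthenticationEntryPoint redirects here
    Mono<Void> login(ServerWebExchange exchange, WebSession session) {
        String id = session.getAttribute(RealmSelectionFilter.ATTR);
        return Mono.justOrEmpty(id)
            .flatMap(registrations::findByRegistrationId)       // reject ids that are not configured
            .switchIfEmpty(Mono.error(new ResponseStatusException(HttpStatus.NOT_FOUND)))
            .flatMap(reg -> {
                exchange.getResponse().setStatusCode(HttpStatus.FOUND);
                exchange.getResponse().getHeaders().setLocation(
                    URI.create("/oauth2/authorization/" + reg.getRegistrationId()));
                return exchange.getResponse().setComplete();
            });
    }
}
```

The filter has to sit in the security filter chain ahead of authentication (for instance via `ServerHttpSecurity.addFilterBefore` with `SecurityWebFiltersOrder.AUTHENTICATION`), with the entry point set to a `RedirectServerAuthenticationEntryPoint` pointing at the controller path. Looking the id up in the `ReactiveClientRegistrationRepository` before redirecting keeps the redirect target limited to configured registrations, and `/oauth2/authorization/{registrationId}` is Spring Security's default authorization request path.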