Matthias Kopeinigg
Reputation: 11
Spring OAuth2 flow with azure-ad
Current setup:
- Frontend (Angular)
- Reverse Proxy (Nginx)
- BFF (Spring Gateway & Spring OAuth2 Client)
- IDP (Azure AD)
- Resource Server (Spring Resource Server)
I'm currently stuck with the oauth2 flow with azure-ad (login.live.com).
This is how my flow currently looks:
The Problem
The probem that i now have, is that the resource server can't handle the access-token (opaque Token) since azure doesn't have a Introspect endpoint to validate the access-token (https://login.live.com/.well-known/openid-configuration).
Possible solution
One way would be, to send the id_token down the stream (to the resource server), but that shouldn't be that way if i'm not wrong. I'm also not sure if spring is supporting that.
Create a custom jwt for the communication between the bff and resource server. (A lot of efford)
Let the BFF handle the authentication entirely (inside the same k8s cluster). Would work, but some security concerns (Request Spoofing)
Upvotes: 0
Views: 71
Answers (0)
Related Questions
- What's the difference between @Component, @Repository & @Service annotations in Spring?
- OAuth2 token introspection for each service request?
- What is the purpose of the implicit grant authorization type in OAuth 2?
- Spring Security: mapping OAuth2 claims with roles to secure Resource Server endpoints
- Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?
- OAuth2 flow from resource server to another
- Spring Security against Azure OIDC OAuth2 Flow
- Spring Security OAuth2 pure resource server
- Spring Security Oauth2: Flow to Handling Expired AccessToken