spring-security-oauth2spring-oauth2spring-cloud-gatewayspring-cloud-security

OAuth2 Share Principal Object with Multiple Gateway Instances


I have integrated Spring Cloud Gateway with OAuth2 server. It works well with single instance gateway. here is my security config.

@EnableWebFluxSecurity
public class GatewaySecurityConfiguration {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange().pathMatchers("/user/v3/api-docs", "/actuator/**").permitAll()
                .anyExchange().authenticated()
            .and()
                .oauth2Login()
            .and()
                .csrf().disable();
        return http.build();
    }

But, When I scale gateway to 2 instances, some requests works expected, however some requests return 401.

    load balancer (kubernetes nodeport service)
       /    \
  gateway   gateway
       \    /
(microservice clusters)

When I logged in first instance of gateway, the principal object is created successfully and also assign session to redis. If next request comes to second instance, it returns 401 because it has not principal.

how can i solve this problem?

ps: i am using redis for web sessions to commonize session informations between gateways.


Solution

  • TL;DR

    You can share session principal information on Redis through WebSession. But you can't share access token(JWT), because they are stored in-memory at servers.

    Long Answer

    From Spring Cloud documentation (https://cloud.spring.io/spring-cloud-static/Greenwich.SR5/multi/multi__more_detail.html);

    The default implementation of ReactiveOAuth2AuthorizedClientService used by TokenRelayGatewayFilterFactory uses an in-memory data store. You will need to provide your own implementation ReactiveOAuth2AuthorizedClientService if you need a more robust solution.

    The first thing you know: When you login successfully, the access token(as jwt) is returned by oauth2 server, and server creates session and this session is mapped to access token on ConcurrentHashMap (authorizedClients instance InMemoryReactiveOAuth2AuthorizedClientService class).

    When you request API Gateway to access microservices with your session id, the access token(jwt) is resolved by TokenRelayGatewayFilterFactory in gateway, and this access token is set in Authorization header, and the request is forwarding to microservices.

    So, let me explain how TokenRelayGatewayFilterFactory works (assume that you use WebSession through Redis and you have 2 gateway instances and you logged in at instance-1.)

    Solution-1

    So, your requests should always go to the server where you are logged in to get valid access token.

    Solution-2

    InMemoryReactiveOAuth2AuthorizedClientService is only implementation of ReactiveOAuth2AuthorizedClientService. So, create new implementation that uses Redis, and then do it primary bean.

    @RequiredArgsConstructor
    @Slf4j
    @Component
    @Primary
    public class AccessTokenRedisConfiguration implements ReactiveOAuth2AuthorizedClientService {
    
        private final SessionService sessionService;
    
        @Override
        @SuppressWarnings("unchecked")
        public <T extends OAuth2AuthorizedClient> Mono<T> loadAuthorizedClient(String clientRegistrationId, String principalName) {
            log.info("loadAuthorizedClient for user {}", principalName);
            Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
            Assert.hasText(principalName, "principalName cannot be empty");
    
            // TODO: When changed immutability of OAuth2AuthorizedClient, return directly object without map.
            return (Mono<T>) sessionService.getSessionRecord(principalName, "accessToken").cast(String.class)
                    .map(mapper -> {
                        return new OAuth2AuthorizedClient(clientRegistration(), principalName, accessToken(mapper));
            });
        }
    
        @Override
        public Mono<Void> saveAuthorizedClient(OAuth2AuthorizedClient authorizedClient, Authentication principal) {
            log.info("saveAuthorizedClient for user {}", principal.getName());
            Assert.notNull(authorizedClient, "authorizedClient cannot be null");
            Assert.notNull(principal, "principal cannot be null");
    
            return Mono.fromRunnable(() -> {
                // TODO: When changed immutability of OAuth2AuthorizedClient , persist OAuthorizedClient instead of access token.
                sessionService.addSessionRecord(principal.getName(), "accessToken", authorizedClient.getAccessToken().getTokenValue());
            });
        }
    
        @Override
        public Mono<Void> removeAuthorizedClient(String clientRegistrationId, String principalName) {
            log.info("removeAuthorizedClient for user {}", principalName);
            Assert.hasText(clientRegistrationId, "clientRegistrationId cannot be empty");
            Assert.hasText(principalName, "principalName cannot be empty");
            return null;
        }
    
        private static ClientRegistration clientRegistration() {
            return ClientRegistration.withRegistrationId("login-client")
                    .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                    .clientId("dummy").registrationId("dummy")
                    .redirectUriTemplate("dummy")
                    .authorizationUri("dummy").tokenUri("dummy")
                    .build();
        }
    
        private static OAuth2AccessToken accessToken(String value) {
            return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER, value, null, null);
        }
    
    }
    

    Notes: