
Spring boot pass OAuth2 credential to OpenFeign client


I have 2 services: service A (Spring Boot, with OpenFeign as the HTTP client) and service B. My services are behind a gateway (APISIX), which is integrated with Keycloak. Both services are configured with OAuth2 to be exposed to the public.

There is a use case where a logged-in user sends a request to service A, and service A sends a request to service B using OpenFeign. What is the proper way to pass the OAuth2 credential to the OpenFeign client when requesting service B?

Thank you very much.


Solution

  • In the case you're on a resource-server and want to issue a request from that resource-server on behalf of the authenticated user, you should be able to access the Bearer token from the Authentication instance in the security-context.

    Default Authentication types are JwtAuthenticationToken for resource-servers with JWT decoder and BearerTokenAuthentication for those with introspection.

    You can query directly the SecurityContext of the request:

        final AbstractOAuth2TokenAuthenticationToken<? extends AbstractOAuth2Token> auth = (AbstractOAuth2TokenAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
        final String bearerToken = auth.getToken().getTokenValue();
    

    or have it auto-magically injected as a @Controller method parameter:

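        import org.springframework.security.access.prepost.PreAuthorize;
        import org.springframework.security.oauth2.core.AbstractOAuth2Token;
        import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
        import org.springframework.web.bind.annotation.GetMapping;
        import org.springframework.web.bind.annotation.RestController;

        @RestController
        public class MyController {
            @GetMapping("/reflect-bearer-token")
            @PreAuthorize("isAuthenticated()")
            public String reflectBearerToken(AbstractOAuth2TokenAuthenticationToken<? extends AbstractOAuth2Token> auth) {
                return auth.getToken().getTokenValue();
            }
        }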
    

    The first option (querying the security-context) can be applied in a Feign RequestInterceptor to add an Authorization header with the authenticated user's Bearer to every request.
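
The interceptor approach described above, as an added example that is not part of the original answer. It scopes the relay to one Feign client, so the user's token is only sent to service B. `ServiceBFeignConfig`, `ServiceBClient`, the `service-b.url` property and the `/api/resource` endpoint are hypothetical names.

```java
import feign.RequestInterceptor;
import org.springframework.cloud.openfeign.FeignClient;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpHeaders;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.web.bind.annotation.GetMapping;

// Hypothetical per-client configuration. It is deliberately not annotated with
// @Configuration or @Component, so component scanning does not turn the interceptor
// into a global bean that would send the user's token to every Feign target.
class ServiceBFeignConfig {

    @Bean
    RequestInterceptor bearerTokenRelay() {
        return template -> {
            // Thread-local lookup: only populated on the thread handling the user's request.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            if (!(auth instanceof AbstractOAuth2TokenAuthenticationToken) || !auth.isAuthenticated()) {
                return; // no OAuth2 user in the context: send no Authorization header
            }
            String token = ((AbstractOAuth2TokenAuthenticationToken<?>) auth).getToken().getTokenValue();
            // Replace rather than append, so a header set elsewhere is never sent next to the relayed token.
            template.removeHeader(HttpHeaders.AUTHORIZATION);
            template.header(HttpHeaders.AUTHORIZATION, "Bearer " + token);
        };
    }
}

// Hypothetical client for service B; the name, URL property and endpoint are placeholders.
@FeignClient(name = "service-b", url = "${service-b.url}", configuration = ServiceBFeignConfig.class)
interface ServiceBClient {

    @GetMapping("/api/resource")
    String getResource();
}
```

Calls made from another thread (for example an `@Async` method) find an empty security context with this setup and go out without the header.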