So, currently i have a front-end server, a bff( back end for front end server also named gateway ) , a resource server and the auth server.
The BFF is configured as java spring boot with spring oauth 2 client dependency.
Every oauth flow is done trought the BFF server. This BFF redirects to the front end user ( browser ) auth-server uris and endpoints . And after auth is successful then it stores the access and refresh token and then it fetches resources from the resource server.
On local everything is working, i have set up a custom domain "custom-domain" linked up to 127.0.0.1 in order to avoid localhost because of that redirect uri issue that doesn't allow you to specify "localhost" as a redirect uri.
Also, the BFF service has a context-path of /client in order to be different than the auth server and not have a clash on the cookies ( this is at least what i read idk if it is necesarily corect )
Now, i'm trying to deploy them in a kubernetes cluster on my local docker. All 4 services would be in the same cluster, and every one of them would be ClusterIp. Also a Ingress would be availbale to route traffic in the cluster.
I also have two custom domains:
However, the issuer-uri from the gateway ( the address to comunicate with the auth server inside the cluster) is set to auth-server ( kubernetes label) . So there are two communications:
And unfortunately, there is a issue, first of all when the auth.custom.com/oauth2/authorize?response_type/* will reach the auth server, an Invoking ExceptionTranslationFilter will apper in the logs , unlike on the local logs where Invoking OAuth2AuthorizationEndpointFilter (8/20) is taking place.
Can session/domain issues/topics be explained somewhow regarding the authorization server as well as kubernetes related stuff?
For example, can an auth server be inside the same cluster? should it be cluster, node port , load balancer? What session/domain issues can prevent auth workflow from working properly?
My BFF tutorial on Baeldung is deployed to a K8s cluster and one of the 3 authorization servers (a Keycloak instance) is hosted by the same cluster.
Authorisation server and BFF are configured completely separately: different namespaces, different ingresses and even different sub-domains (respectively oidc.c4-soft.com
and bff.demo.c4-soft.com
).
Also, the BFF is implemented with spring-cloud-gateway
configured as OAuth2 client and with TokenRelay
filter (like you are doing, apparently).
The ingresses are used only to route oidc.c4-soft.com
to the Keycloak service and bff.demo.c4-soft.com
to the BFF one. What to do with a request based on its path is determined with spring-cloud-gateway
configuration, just as when running outside of K8s.
Both resource servers (REST APIs) and front-end (Angular app) are served (and routed) based on a path prefix on the same host (and port), which greatly simplifies CORS configuration: requests have the same origin.