Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
I'm planning to implement an architecture where:
The API Gateway interacts with multiple services and a Vue.js frontend application. The API Gateway creates its own sessions linking user requests to stored tokens. The frontend uses session cookies to communicate with the API Gateway. Authentication is handled through Keycloak as the SSO provider. The goal is to keep the frontend unaware of the actual token, while maintaining security and flexibility.
Source of inspiration: https://medium.com/@a.zagarella/microservices-architecture-a-real-business-world-scenario-c77c31a957fb
The article describes the use of Spring Cloud Gateway, but in my case it will be api gateway on golang.
Example of an authentication flow in this scenario
Example of a request for access to protected resources on a Resource Server:
What are some best practices for implementing this kind of setup? Are there any potential pitfalls I should be aware of?
This approach seems similar to what's described in the linked article, but I'd like to get more insights on how to implement it effectively.
Please provide guidance on:
How to securely store and manage tokens on the API Gateway Best practices for session management between frontend and API Gateway How to handle token refresh and expiration Any security considerations I should keep in mind I'm particularly interested in how to balance security, ease of use, and scalability in this architecture.
Thank you for your expertise!
This approach of storing tokens in the gateway (configured as an oauth2Client with oauth2Login) and replacing cookie-based authorization with Bearer-based one while routing requests to downstream resource servers (using the TokenRelay filter) is frequently referred to as "OAuth2 BFF" (Backend-For-Frontend).
I wrote an article for that on Baeldung. It contains all implementation details and a sample Vue application (along with Angular and React ones).
About scalability, as mentioned in the article, you should consider using Spring Session (share session data between gateway instances using Redis or similar).
Regarding tokens refreshing, the TokenRelay filter and Spring Security will handle this for you.
Once the BFF is correctly configured, the frontend uses just the "standard" session cookie and CSRF token it should be familiar with, and downstream services are standard resource servers. So, nothing complicated on either side. However, there is one pitfall in the case of Vue which does not handle the CSRF token transparently (like Angular does for instance). So, you'll have to write some code (a request interceptor?) to read the XSRF-TOKEN cookie value and set it as X-XSRF-TOKEN header for all POST, PUT, PATCH, and DELETE requests to your backend.
- Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
- Spring Cloud Gateway Getting a 500 Exception while trying to refresh_token using expired access_token and refresh_token
- Microsoft Entra ID Oauth2 Client Credentials and Group claims
- JWT refresh token flow
- AADSTS70000 Error When Requesting for Access Token
- Avoid instantiating multiple objects ReactJS + Vite
- ZOHO CRM Not getting refresh token in response
- FastAPI OAuth2 with ForgeRock: SSL Certificate Verification Issue
- How to authorize OpenAPI/Swagger UI page in FastAPI?
- Identity Server 4 - Unable to authenticate user
- How to verify a token received from chrome.identity.getAuthToken() in the backend?
- Getting no access_token but id_token from Google OAuth2
- Need admin approval unverified needs permission to access resources in your organisation that only an admin can grant
- Getting a token from Microsoft Intra ID with PostMan using MFA
- Freshdesk OAuth SSO: Freshdesk Login Page Doesn't Ping My Auth Page?
- Azure OAuth2: can't validate access token
- Export a Google Sheet to PDF file with Python requests
- Are auth code and access token exclusive to a single resource owner?
- How to access an API with an Azure identity provider from a Python notebook?
- Unauthorized to Delete Tweet with OAuth2.0 path on free-tier developer account
- Argument of type "github" is not assignable to parameter of type 'OAuthProvider' in Appwrite
- How to authenticate resource owner with JWT token on Spring Authorization Server for requests to /oauth2/authorize?
- Headless OAuth2 Token Refresh Fails with Spring boot and MSAL4J
- Springboot Keycloak Admin add role or reset password error
- request to token url returning 400 bad request for google oauth2?
- Spring Boot Oauth Client & Authorization Server + React implementation
- Dotnet-Isolated Azure Functions - how to access HttpContext
- Enabling and Configuring Password History on Cognito
- Where to store the refresh token on the Client?
- Keycloak-Remix integration: where should I place the checks?