Spring Cloud Gateway example with frontend side login #45

Open
FelixSK opened this issue Jul 8, 2020 · 5 comments
Labels: enhancement (New feature or request), question (Further information is requested)

Comments

FelixSK commented Jul 8, 2020

Hey Tim,
first of all thank you for your great example on OIDC with Spring Cloud Gateway.
For a project I need to set up a Spring Cloud Gateway with two microservice APIs just like in the example, and an Angular frontend.

I managed to set up the gateway + services and the Keycloak login on the frontend side, which sends the token to the gateway.
Now my question is: does the gateway need to be a Keycloak client, or can it be a resource server like the /flights or /hotels, just with the token relay?
So can the configuration of Keycloak in the gateway be like the config of the resource servers?

timtebeek (Owner) commented

Hi Felix, thanks for the kind words! I've only ever applied the gateway as a client, not as a resource server. Not sure it'll work with the alternate method you've suggested. On mobile now so can't really look into it at the moment.

What would be the reason for the switch functionally?


FelixSK commented Jul 8, 2020

I thought I don't need the login functionality on the gateway because I log in on the frontend side. So the gateway only deals with the token relay, not the login specified in the SecurityConfig and application.yml. But I might be wrong.

@timtebeek timtebeek added enhancement New feature or request question Further information is requested labels Jul 9, 2020
timtebeek (Owner) commented

Hi Felix; I understand your use case, but it's not something I've tried myself so far. Not saying it's impossible, but it might be a challenge to figure out how the components interplay.

Personally I tend to leave the authentication up to the gateway, such that the frontend need not act like a client, manage tokens and sessions, send tokens to the backend, etc. That keeps things simple on my end.

If you figure out how to make this work do let me know! Could be interesting to add as a working sample here, as you're not the first with such a use case.


FelixSK commented Sep 26, 2020

Hey Tim,
sorry for not contributing to this issue for a while, but in the meantime I managed to set up a prototype for my project.
I still used the Angular frontend as a client; for that I used the certified library angular-oauth2-oidc by Manfred Steyer, which manages all the authentication and authorization with Keycloak.
I used the Gateway only as a routing service which has nothing to do with Keycloak; behind that I have two resource servers which only provide data like weather data, again no user info or user data. Everything works fine: only authenticated and authorized users who are logged in at the client with a specific role are able to access the resource servers.
I know that this might not be the best way to implement everything, but for my use cases it's fine, it's just a test project to show how these things might work.

Yet I have a question regarding the testing of the resource server. Is there a way to test the resource server endpoints? Like generating different access tokens with roles, validating these, and returning matching status codes when an endpoint is being accessed?

Thanks!

timtebeek (Owner) commented

Hi @FelixSK; glad to hear you found an approach that works for you, and thanks for sharing that here as well.

As for your resource server endpoint tests: there are various ways to test your endpoints with or without(!) security. Here's a few resources that I hope you'll find helpful:

Let me know if you have any further questions!
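As an added illustration of the kind of endpoint test asked about above (this is not code from the thread or from the sample project), the following JUnit 5 test drives a WebFlux resource server with mock JWTs carrying different roles and checks the resulting status codes. The `/flights` path comes from the thread; the role names, the Keycloak `realm_access` claim shape and the test class name are assumptions.

```java
// Added example, not part of the original issue or the sample project.
// Assumed: a WebFlux resource server protecting GET /flights with a
// "flights" role; the Keycloak realm_access claim shape is mimicked only.
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockJwt;

import java.util.List;
import java.util.Map;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.reactive.server.WebTestClient;

@SpringBootTest
@AutoConfigureWebTestClient
class FlightsAuthorizationTest { // hypothetical test class name

    @Autowired
    private WebTestClient client;

    @Test
    void anonymousRequestIsRejected() {
        // No bearer token at all: the resource server must answer 401, not serve data.
        client.get().uri("/flights").exchange()
              .expectStatus().isUnauthorized();
    }

    @Test
    void wrongRoleIsForbidden() {
        // Authenticated, but only the (assumed) "hotels" role: expect 403.
        client.mutateWith(mockJwt()
                  .jwt(jwt -> jwt.claim("realm_access", Map.of("roles", List.of("hotels"))))
                  .authorities(new SimpleGrantedAuthority("ROLE_hotels")))
              .get().uri("/flights").exchange()
              .expectStatus().isForbidden();
    }

    @Test
    void flightsRoleIsAllowed() {
        // Matching (assumed) "flights" role: the endpoint should serve data.
        client.mutateWith(mockJwt()
                  .jwt(jwt -> jwt.claim("realm_access", Map.of("roles", List.of("flights"))))
                  .authorities(new SimpleGrantedAuthority("ROLE_flights")))
              .get().uri("/flights").exchange()
              .expectStatus().isOk();
    }
}
```

`mockJwt()` places the token in the security context without invoking the JWT decoder, so these tests exercise the authorization rules only, not signature or issuer validation, and because the authorities are set explicitly the application's claim-to-role converter is not exercised either. If the resource server is configured with an `issuer-uri`, supply a test property or a mock `ReactiveJwtDecoder` bean so the context can start without reaching Keycloak.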
