I'm trying to configure OAuth2 for a Spring project. I used jdbc authentification and my authorization server and resource server are two separate API. My issue is now with the microservices. I'm trying to use this shared authorization server to authenticate the microservices. I can get access_token from the token endpoint.
I can check the access_token from the check_token endpoint.
My resource server configuration:
#SpringBootApplication
#EnableCircuitBreaker
#EnableDiscoveryClient
#EnableResourceServer
public class ProductApiServiceApplication {
public static void main(String[] args) {
SpringApplication.run(ProductApiServiceApplication.class, args);
}
}
And application.yml:
security:
oauth2:
client:
client-id: saba-product-api-service
client-secret: secret123
resource:
id: saba-product-api-service
token-info-uri: http://localhost:9999/uaa/oauth/check_token
And REST controller:
#GetMapping("/user/me")
public Principal user(Principal principal) {
return principal;
}
When I call the /user/me endpoint I get invalid_token.
My Resource Server log:
And my Authorization Server log:
What is wrong with my code?
Update
The problem is because of this code:
I had the same issue. In my case, I was using spring cloud oauth2, Hoxton.SR4 release and it was working. So, I change to Hoxton.SR6 and the issue was throwed. My Authoriation Server also was a Eureka's client, and the issue was origined cause this dependency. There was one dependência inside Eureka Client, named jackson-dataformat-xml, and because it the return of check_token endpoint was converted in xml instead json. When RemoteTokenServices called check_token, and the resulta was a xml, it culdn't decerialized in map<String,Object> the right way. If you had more than one aud, scope or authorities, it picked the last one. And the active propertie was trated as string. In my case I solved the issue excluding in Authorization Server the dependency mentioned from Eureka Client, like this:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</exclusion>
</exclusions>
</dependency>
Finally, I replaced
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.3.4.RELEASE</version>
</dependency>
with
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
<version>2.5.0.RELEASE</version>
</dependency>
// gh-838
if (map.containsKey("active") && !"true".equals(String.valueOf(map.get("active")))) {
logger.debug("check_token returned active attribute: " + map.get("active"));
throw new InvalidTokenException(accessToken);
}
Related
I am building one spring cloud gateway and in that I am implementing Keycloak Security everything works fine but once login done on keycloak it is not redirecting back and showing error too many redirects I am not sure what I am missing?
Below are the dependencies which I am using:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-gateway</artifactId>
</dependency>
And my application Api gateway start application code is as below:
#SpringBootApplication
#ComponentScan(basePackages = {"com", "com.b","com.auth","com.security"})
public class APIGatewayApplication {
public static void main(String[] args) {
SpringApplication.run(APIGatewayApplication.class, args);
}
#Bean
public KeycloakConfigResolver keycloakConfigResolver() {
return new PathBasedKeycloakConfigResolver();
}
}
Security Config http code is as below:
#Configuration
public class SecurityConfig {
#Bean
public SecurityWebFilterChain springSecurityFilterChain (ServerHttpSecurity http) {
http
.authorizeExchange()
.anyExchange()
.authenticated()
.and()
.oauth2Login(); // to redirect to oauth2 login page.
return http.build();
}
}
and in my application.yml file I am adding below configuration:
spring:
security:
oauth2:
client:
provider:
my-keycloak-provider:
issuer-uri: http://localhost:8280/auth/realms/Default
registration:
keycloak-spring-gateway-client:
provider: my-keycloak-provider
client-id: Default
client-secret: 8ZRUH62Pfhfde6uqasD8dfgdhvqWt03K6
authorization-grant-type: authorization_code
redirect-uri: '{baseUrl}/app'
main:
web-application-type: reactive
application:
name: app
cloud:
gateway:
default-filters:
- TokenRelay
So when I start application it is running fine and it is getting redirected to the Keycloak login page and after login it shows error "localhost redirected you too many times." How to resolve it so once it is login it should redirected once only to main application? Please help.
I have a simple app that uses Netflix Zuul as an API gateway
I added the Zuul dependency in the pom.xml file as follows:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-zuul</artifactId>
<version>2.2.10.RELEASE</version>
</dependency>
and #EnableZuulProxy for the main class of the app
The problem is that whenever I try to run the API, It fails to start and shows in the console:
Consider defining a bean of type
'org.springframework.cloud.client.loadbalancer.reactive.DeferringLoadBalancerExchangeFilterFunction'
in your configuration.
I couldn't solve the issue, what's the problem?
The issue was solved when I added the following dependency in pom.xml:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-loadbalancer</artifactId>
</dependency>
and as a result, spring also asked me to add this to my app configuration:
spring.main.web-application-type=reactive
Then my API ran successfully without failing or throwing any exception
I create a real time notification functionality using spring quartz library. I create two services as bellow :
1) quartz-service : Which is used to set schedule a for real time notification.
2) task-service : Which is used to create a task and remind through quartz-service.
When task-service call quartz-service through feign client I'm not get any response. But If I call through Rest Template it's working find.
Actually we are used spring boot microservice architecture, In using Rest Template we need to specify URL Hard coded, So we can't achieved Ribbon concept in this case that's why we not interest to use Rest Template.
So please help me if any once face this problem.
quartz-service :
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-quartz</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
Rest Controller :
#RestController
#RequestMapping(value = "/quartz/taks", produces = "application/hal+json")
public class QuartzTaskController
{
#Autowired
private QuartzTaskServices quartzTaskServices;
#PostMapping("/reminder")
public ResponseEntity<Object> saveTaskReminder(#RequestBody Task task)
{
quartzTaskServices.saveTaskReminderScheduler(task);
return ResponseEntity.ok().build();
}
}
task-service
Dependency :
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-openfeign</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-ribbon</artifactId>
</dependency>
Feign Client :
#RibbonClient(name="quartz-services")
#FeignClient(name="quartz-services")
public interface QuartzProxy
{
#PostMapping("/quartz/taks/reminder")
public ResponseEntity<Object> saveTaskReminder(#RequestBody Task task);
}
Call Feign Client :
#Autowired
private QuartzProxy quartzProxy;
...
.....
......
quartzProxy.saveTaskReminder(task);
I have created one microservice using Java8 and SpringBoot using Maven.
Lets call it as MicroServiceA
It has controller which returns ResponseEntity object as below:
#RestController
#RequestMapping("/api")
public class MicroserviceAController {
#GetMapping(value = "/all")
public ResponseEntity<ServiceAResponseWrapper<List<ServiceADto>>> getAll() {
ServiceAResponseWrapper<List<ServiceADto>> wrapper =
new ServiceAResponseWrapper<List<ServiceADto>>(ServiceAResponseStatus.SUCCESS,findAll());
return new ResponseEntity<ServiceAResponseWrapper<List<ServiceADto>>>(wrapper,HttpStatus.OK);
}
public static List<ServiceADto> findAll() {
//returns list of ServiceADto objects
}
}
When I start this service and verify it in any browser: http://localhost:8073/api/all/ , I get JSON response displayed.
Now if I want to introduce my service to EUREKA service registry then I will need to do following changes.
Create EUREKA server microservice. I start it - http://localhost:8761/
Make changes to MicroserviceA as follows -
Go to pom.xml and add dependency
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-eureka-server</artifactId>
</dependency>
go to application.yml and add this:
eureka:
client:
registerWithEureka: true
fetch-registry: true
service-url:
defaultZone: http://localhost:8761/eureka/
As soon as I start my service then I start seeing it on server http://localhost:8761/
Now I again go to browser and try to check my microservice http://localhost:8073/api/all/ What I see is XML and not JSON.
I even tried to fix it by modifying my Microservice Controller by adding
annotation to my method:
#Produces( { MediaType.APPLICATION_JSON} )
But with that also I see XML and not JSON.
Am I missing something or its normal behavior with EUREKA ? If yes, how do I fix it?
If you are using older version of spring cloud starter, you might need to exclude Jackson dataformat XML dependency
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-eureka</artifactId>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</exclusion>
</exclusions>
</dependency>
There are two potential solutions for this:
First: exclude the jackson-dataformat-xml dependency from all spring-cloud-starter-* artifacts if your application has nothing to do with XML conversions. One exclusion example from spring-cloud-starter-netflix-eureka-client is below. For my case, I had to exclude Jackson XML dependency from spring-cloud-starter-netflix-ribbon, spring-cloud-starter-openfeign and spring-cloud-starter-netflix-eureka-client
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-eureka</artifactId>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
</exclusion>
</exclusions>
</dependency>
Second: If you want to support both XML and JSON responses. You can pass Accept: header with the request to your API.
For getting JSON response:
curl -X GET \
http://localhost:8073/api/all/ \
-H 'Accept: application/json'
For getting XML response:
curl -X GET \
http://localhost:8073/api/all/ \
-H 'Accept: application/xml'
Hi I myself never used Eureka but from a quick search there is a ready to use API that converts the XML to json as Eureka uses XML and not json because json can’t hold attributes.
Link to the site explaining how to do this ->
https://automationrhapsody.com/json-format-register-service-eureka/amp/
Hope this helps you out
i face a problem when i using spring cloud gateway
is if any dependency call spring-boot-starter-tomcat directly or recursively
it will not work because it will start the embedded tomcat server not the netty server that spring cloud gateway use
i started to solve this problem by excluding this dependency
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
the spring cloud gateway worked successfully
but sometimes i want to use spring-cloud-starter-oauth2 to use #EnableOAuth2Sso
i start to use
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-oauth2</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
</dependency>
at that time i face the big issue that throw exception saying
Caused by: java.lang.IllegalStateException: Failed to introspect annotated methods on class org.springframework.security.oauth2.config.annotation.web.configuration.OAuth2ClientConfiguration
......
Caused by: java.lang.NoClassDefFoundError: javax/servlet/Filter
As you've seen, the Spring cloud gateway uses the reactive model and is based on netty rather than tomcat. The reactive change is a major shift and currently isn't supported by Spring Security but work is in progress on it and you can track it at https://github.com/spring-cloud/spring-cloud-gateway/issues/179
Use the following dependencies (I copied from my build.gradle)
dependencies {
implementation 'org.springframework.cloud:spring-cloud-starter-gateway'
implementation 'org.springframework.cloud:spring-cloud-starter-security'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
}
Code your gateway app minimally as follows
#SpringBootApplication
public class App {
#Bean
public ForwardedHeaderTransformer forwardedHeaderTransformer() {
return new ForwardedHeaderTransformer();
}
public static void main(String[] args) {
SpringApplication.run(App.class, args);
}
}
Configure in application.yml
spring:
security:
oauth2:
client:
registration:
google:
client-id: XXX
client-secret: YYY
I am actively building my stack that uses OAuth2 with Docker Swarm Discovery https://github.com/trajano/spring-cloud-demo.git so you can see how it would work in action.
spring boot 2.1 with spring security 5 have resolve this problem
see this example