Can't find OAuth2RestTemplate when relay OAuth2 JWT token between resource servers.
jaggerwang opened this issue · 4 comments
Describe the bug
I'm using spring cloud gateway as OAuth2 client to handle authentication, and relay token from gateway to resource server RS1. This works great. But when I call resource server RS2 in RS1, the token need to relay from RS1 to RS2. I configured as the doc Resource Server Token Relay, but there is no OAuth2RestTemplate and UserInfoRestTemplateFactory. The full source code can be found at Spring Cloud in Practice.
I already tried add dependencies spring-boot-starter-oauth2-client and spring-cloud-starter-security. Here is the full pom.xml.
<?xml version="1.0" ?>
<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>net.jaggerwang</groupId>
<artifactId>spring-cloud-in-practice</artifactId>
<version>1.0.0-SNAPSHOT</version>
</parent>
<groupId>net.jaggerwang</groupId>
<artifactId>spring-cloud-in-practice-user</artifactId>
<version>1.0.0-SNAPSHOT</version>
<name>spring-cloud-in-practice-user</name>
<description>Spring cloud in practice user</description>
<dependencies>
<dependency>
<groupId>net.jaggerwang</groupId>
<artifactId>spring-cloud-in-practice-common</artifactId>
<version>${scip-common.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<scope>runtime</scope>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-configuration-processor</artifactId>
<optional>true</optional>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-consul-discovery</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-consul-config</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-circuitbreaker-reactor-resilience4j</artifactId>
</dependency>
<dependency>
<groupId>com.querydsl</groupId>
<artifactId>querydsl-apt</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>com.querydsl</groupId>
<artifactId>querydsl-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.flywaydb</groupId>
<artifactId>flyway-core</artifactId>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-pool2</artifactId>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>com.mysema.maven</groupId>
<artifactId>apt-maven-plugin</artifactId>
<version>${apt-maven-plugin.version}</version>
<executions>
<execution>
<phase>generate-sources</phase>
<goals>
<goal>process</goal>
</goals>
<configuration>
<outputDirectory>target/generated-sources/java</outputDirectory>
<processor>com.querydsl.apt.jpa.JPAAnnotationProcessor</processor>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>I tried to relay Authorization header by my self using the following ClientHttpRequestInterceptor:
package net.jaggerwang.scip.common.api.interceptor;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import java.io.IOException;
public class OAuth2TokenRelayInterceptor implements ClientHttpRequestInterceptor {
@Override
public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
var requestAttrs = RequestContextHolder.getRequestAttributes();
if (requestAttrs instanceof ServletRequestAttributes) {
var servletRequestAttrs = (ServletRequestAttributes) requestAttrs;
var authHeader = servletRequestAttrs.getRequest().getHeader("Authorization");
if (authHeader != null) {
request.getHeaders().add("Authorization", authHeader);
}
}
return execution.execute(request, body);
}
}package net.jaggerwang.scip.user.api.config;
...
@Configuration(proxyBeanMethods = false)
public class ServiceConfig {
...
private RestTemplate restTemplate(RestTemplateBuilder builder, String rootUri) {
var restTemplate = builder.rootUri(rootUri).build();
var interceptors = restTemplate.getInterceptors();
if (CollectionUtils.isEmpty(interceptors)) {
interceptors = new ArrayList<>();
}
interceptors.add(new OAuth2TokenRelayInterceptor());
restTemplate.setInterceptors(interceptors);
return restTemplate;
}
...
}But the attrs returned by RequestContextHolder.getRequestAttributes is always null, because the request executed by RestTemplate is in a child thread. I also tried to customize the RequestContextListener to be inheritable as the following, but it still the same result.
package net.jaggerwang.scip.common.api.listener;
import org.springframework.context.i18n.LocaleContextHolder;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.RequestContextListener;
import org.springframework.web.context.request.ServletRequestAttributes;
import javax.servlet.ServletRequestEvent;
import javax.servlet.http.HttpServletRequest;
public class InheritableRequestContextListener extends RequestContextListener {
private static final String REQUEST_ATTRIBUTES_ATTRIBUTE =
RequestContextListener.class.getName() + ".REQUEST_ATTRIBUTES";
@Override
public void requestInitialized(ServletRequestEvent requestEvent) {
if (!(requestEvent.getServletRequest() instanceof HttpServletRequest)) {
throw new IllegalArgumentException(
"Request is not an HttpServletRequest: " + requestEvent.getServletRequest());
}
HttpServletRequest request = (HttpServletRequest) requestEvent.getServletRequest();
ServletRequestAttributes attributes = new ServletRequestAttributes(request);
request.setAttribute(REQUEST_ATTRIBUTES_ATTRIBUTE, attributes);
LocaleContextHolder.setLocale(request.getLocale());
// Set attributes inheritable
RequestContextHolder.setRequestAttributes(attributes, true);
}
}Right now I'm using request scope bean to avoid using RequestContextHolder, but it will create service object for every request.
@Bean
@RequestScope
public FileSyncService fileSyncService(@Qualifier("fileServiceRestTemplate") RestTemplate restTemplate,
CircuitBreakerFactory cbFactory,
ObjectMapper objectMapper,
HttpServletRequest request) {
return new FileSyncServiceImpl(restTemplate, cbFactory, objectMapper, request);
}Hello, I use the same scenario of communication between Client and two RS but as for today I use the latest RS's from Spring Security 5 and Bearer tokens. The docs here about token relay I bit outdated I think so it's wasn't working in my case.
there is no
OAuth2RestTemplateandUserInfoRestTemplateFactory
When I tried to request RS2, I got 401 error message in RS1. To fix it, I added header with bearer token (from Principal) when sending request to RS2 and it worked. Now I'm in progress of searching how to add this header by default for all requests from my RS1 to RS2.
Just shared some of my experience as per today :-)
I dont see what this has to do with Spring Cloud Security. It seems to be a Spring Security issue/question. If I am wrong please explain where Spring Cloud Security comes into play.