Spring Cloud Config OAuth2 EndPoint - spring

We have a spring cloud config service which is secured with OAuth2.
In another service, we are configuring this service with spring.config.import: {cloud-cfg-svc-uri}
Since the config service requires a Bearer token, I need to make a call to the token provider service and then use that token to call the cloud config service.
Is this feasible? Any pointers for help please?

Related

Spring boot admin server configuration on Cloud run

We have a few cloud run services deployed on Cloud run with Ingress control set to "All" and Authentication set to "IAM". These are REST APIs created using Spring boot framework. We have one more Cloud Run service which is deployed as Spring boot admin server with Ingress control set to "All" and Authentication set to "Allow Unauthenticated Invocations".
Now the backend team have configured the Cloud Run REST API services with the following Cloud Run endpoints in application.properties to communicate with the Spring Boot admin server:
spring.boot.admin.client.url=${sm://cloud_run_rest_api_endpoint}
spring.boot.admin.client.instance.service-url=${sm://spring_boot_admin_server_cloud_run_endpoint}
This obviously fails on Cloud Run with 403 Unauthorized as the endpoints (e.g. /health, /metrics, /trace etc.) required by the Spring Boot admin server from its clients need an Authorization Bearer token.
Is it possible to pass a JWT token when accessing those endpoints? Has anyone had success in setting up the same? Or is there any possibility to have some of our Cloud Run service endpoints be public, on which we can later apply some security provided by Spring?
We are in the middle of setting up a free API monitoring tool for all our APIs. Any recommendations are much appreciated.

How can I configure endpoints for RBAC in Spring Boot via Cloud Config Server?

I want to add the ability for microservices to allow configuring endpoints and permissions for RBAC via Cloud Config Server. So if there is a service called mordor, and I add the following properties in its application.yml at Cloud Config Server's repo
rbac:
  - endpoint: /v1/test1
    method: GET
    scopes: ["rest-write:all", "read-write:product"]
  - endpoint: /v1/test2
    method: POST
    scopes: ["read-write:product"]
the endpoints mentioned above should be configured for RBAC. As of now, I am passing the scopes and permissions via an Auth0 JWT and using it for authentication. But with this, I will be able to add RBAC also based on the permissions I configure in Auth0's dashboard.
What is the best way to proceed with this?
I am able to get the rbac endpoints from Cloud Config Server, but the problem is how to add them to Spring Security. I already have a class OAuth2SecurityConfiguerer where httpSecurity is configured, but I haven't been able to add endpoints to Spring Security because it might require iterating over the endpoints obtained from Cloud Config Server.

JWT Authentication From Ingress in OpenShift

So I'm migrating some Spring Boot microservices from Kubernetes to OpenShift. Below is the simplified situation:
Service 1: Spring Boot application that exposes 2 endpoints (login and authenticate). The authenticate service accepts the Authorization header containing a JWT token and validates that token. It returns 400 if the token doesn't exist, 403 if the user isn't authorized or the token is invalid, and 200 if everything is valid.
Service 2: Spring Boot application for some business service, exposes many endpoints and contains the annotation below in the Kubernetes Ingress so that all traffic is routed to Service 1 for authentication before actually reaching Service 2.
nginx.ingress.kubernetes.io/auth-url: "http://service1/authenticate?url=$request_uri&method=$request_method"
The problem is that when I migrated to OpenShift, all applications are working fine but the annotation that should route traffic to Service 1 doesn't seem to be working, since the authenticate service is never called.
I have searched the OpenShift documentation for days with no success, so any help would be much appreciated.
Probably this could help: https://docs.openshift.com/container-platform/4.5/serverless/networking/serverless-ossm-jwt.html, OpenShift ServiceMesh includes Istio. Here is how to configure Istio JWT: https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/. So there you could configure the Service 1 authenticate.

Bypass spring security for service-to-service calls

I have multiple Spring Boot microservices deployed to Kubernetes. I'm also using Spring Gateway & Eureka Discovery.
Those microservices are secured with Spring Security and require a JWT token for access to the endpoints. I'm using @PreAuthorize methods etc.
It all works fine when I'm accessing those endpoints from a frontend application that is sending the JWT token in the request, but I can't bypass that security in service-to-service communication via FeignClient.
Ideally, my micro-services wouldn't need token at all to call other micro-service's methods via FeignClient. But I still need that security when endpoints are accessed from frontend or when requests are coming from Spring Api Gateway.
Do you know some elegant solution to this problem?
I was thinking about adding another pair of endpoints that don't have security annotations (@PreAuthorize) and somehow disabling access to those endpoints on Spring Api Gateway, so they cannot be accessed from outside, but only directly by one of the microservices.
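Rather than opening unauthenticated endpoints, the calling service can authenticate itself with the client_credentials grant and send its own Bearer token on every Feign call, so the callee keeps one security configuration for all callers. This is an added example, not code from the question; the same token acquisition is what the Config Server question at the top of this page needs, with the token placed on the RestTemplate the config client uses instead of a Feign interceptor. It assumes Spring Cloud OpenFeign and Spring Security's OAuth2 client are on the classpath and that a registration named `service-client` (a placeholder) is configured under spring.security.oauth2.client.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.AuthorizedClientServiceOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;

@Configuration
public class ServiceToServiceAuth {

    // Hypothetical registration id: spring.security.oauth2.client.registration.service-client.*
    // with authorization-grant-type: client_credentials, client-id/secret and the provider's token-uri.
    private static final String REGISTRATION_ID = "service-client";

    @Bean
    OAuth2AuthorizedClientManager clientCredentialsManager(ClientRegistrationRepository registrations,
                                                            OAuth2AuthorizedClientService clients) {
        // No user session is involved: the calling service itself is the principal.
        var manager = new AuthorizedClientServiceOAuth2AuthorizedClientManager(registrations, clients);
        manager.setAuthorizedClientProvider(
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build());
        return manager;   // caches the token and re-requests it shortly before expiry
    }

    @Bean
    RequestInterceptor bearerTokenInterceptor(OAuth2AuthorizedClientManager manager) {
        // Applied to every Feign client; the callee validates this JWT like any other caller's.
        return (RequestTemplate template) -> {
            OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                    .withClientRegistrationId(REGISTRATION_ID)
                    .principal("service-to-service")   // label for this machine identity
                    .build();
            OAuth2AuthorizedClient client = manager.authorize(request);
            if (client == null) {
                throw new IllegalStateException("no token obtained for " + REGISTRATION_ID);
            }
            template.header("Authorization", "Bearer " + client.getAccessToken().getTokenValue());
        };
    }
}
```

The callee can then distinguish machine callers from users by the token's client id or scopes in its own rules, which keeps the distinction in the authorization server rather than in gateway routing.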

oauth 2.0, JWT, Spring security, Micro services

I need some understanding on over all flow of spring security.
I have implemented an OAuth2 Authorization Server and a Resource Server in the same Spring Boot app, where I am able to generate JWT tokens. And a sample REST API in this app is secured and accessible only with a token.
I have another Spring Boot app which should be secured. What should I do in this? Also I need to read the token in this service to know the role of the user.
Please clarify for me how to implement step 2.
You can create a module where your spring security config is implemented.
In this module is the class that is annotated with the @EnableWebSecurity annotation, where you define the open routes. I guess you already have a class like this for your sample REST API, mentioned in step 1.
Now every microservice that has to be secured uses this module by importing it, e.g. as a Maven dependency. By this its API is automatically secured via Spring Security.
Your auth service serves a JWK endpoint where every microservice can verify a token via the public key.
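An added example of the resource-server side the answer describes (not code from the question or the answer): the second app fetches the signing keys from the JWK endpoint, checks issuer and audience on every token, and turns a role claim into ROLE_ authorities so the user's role can be used in this service. The issuer URL, the audience value and the `roles` claim name are placeholders.

```java
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class JwkResourceServerConfig {
    // Placeholders: point these at the authorization server built in step 1.
    static final String ISSUER = "https://auth.example.invalid";
    static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";
    static final String AUDIENCE = "second-app";

    @Bean
    JwtDecoder jwtDecoder() {
        // Keys are fetched and cached from the JWK endpoint; no shared secret is deployed here.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        // A valid signature is not enough: also check issuer, expiry and the intended audience,
        // so a token minted for a different service is rejected by this one.
        JwtClaimValidator<List<String>> audience = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    // Turns the role claim into ROLE_* authorities so hasRole(...) works in this service.
    static List<GrantedAuthority> rolesFrom(Jwt jwt) {
        List<String> roles = jwt.getClaimAsStringList("roles");   // claim name is an assumption
        if (roles == null) return List.of();
        return roles.stream().map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
    }

    @Bean
    SecurityFilterChain resourceServer(HttpSecurity http) throws Exception {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(JwkResourceServerConfig::rolesFrom);
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}
```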
