Managing authorization at API Gateway (Kong HQ) + Keycloak + Spring boot microservices - spring-boot

I am working on a Microservices architecture where I am using following components:
KongHQ as an API gateway
Keycloak as an IAM solution
Microservices written in Spring Boot.
My basic requirement is to completely decouple authentication/authorization from Spring boot microservices. Therefore, authentication as well as authorization of API should be done at API gateway layer.
Most of the articles and tutorials recommend integrating Keycloak with Spring Boot as well.
I would really like to know if the requirement is feasible and if so how to do it?

I would not de-couple security from micro-services for two reasons:
access-control is a business requirement I want to unit test
spring-security is probably more powerful (expressive, testable, etc.) than any API gateway security filter
You do not have to integrate Keycloak with spring-boot (actually you should not because Keycloak libs for spring are deprecated).
Spring-security has tools for resource-servers. Sample here.
I also wrote (very) thin layers on top of spring-boot-starter-oauth2-resource-server to ease resource-server configuration. Most config options are available from properties, which saves quite some Java code in micro-services. Sample there.
Following the advanced tutorial, you can even build a security DSL as expressive as @PreAuthorize("is(#username) or isNice() or onBehalfOf(#username).can('greet')"). Good luck achieving the same with an API gateway.
The repo linked above also contains quite a few annotations for configuring unit-tests security-context:
@Test
@ProxiesAuth(
    authorities = { "AUTHOR" },
    claims = @OpenIdClaims(preferredUsername = "Tonton Pirate"))
void whenHimselfThenCanGreetFor() throws Exception {
    mockMvc.get("/greet/on-behalf-of/Tonton Pirate")
        .andExpect(status().isOk())
        .andExpect(content().string("Hi Tonton Pirate from Tonton Pirate!"));
}
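As an added example (not the answerer's library or the original post's code), here is what keeping authorization inside the Spring Boot service looks like with plain spring-boot-starter-oauth2-resource-server and no Keycloak adapter: the JWT issued by Keycloak is validated against `spring.security.oauth2.resourceserver.jwt.issuer-uri` (assumed to be set to the realm URL in application properties), realm roles are mapped to authorities, and a `@PreAuthorize` rule ties the path variable to the caller. Assumes Spring Boot 3 / Spring Security 6 on Java 17; the controller, endpoint and role name are illustrative.

```java
import java.util.List;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableMethodSecurity // enables @PreAuthorize evaluation on beans
public class ResourceServerConfig {
    // Keycloak puts realm roles under realm_access.roles in the access token;
    // map them to ROLE_* authorities so hasRole('AUTHOR') works in SpEL.
    static List<GrantedAuthority> realmRoles(Jwt jwt) {
        Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
        Object roles = realmAccess == null ? null : realmAccess.get("roles");
        if (!(roles instanceof List<?> names)) return List.of();
        return names.stream().map(r -> (GrantedAuthority) new SimpleGrantedAuthority("ROLE_" + r)).toList();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable()) // bearer-token API: stateless, so no CSRF token to protect
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // signature, issuer and expiry are checked by the starter using the JWKS of the configured issuer-uri
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(token ->
                new JwtAuthenticationToken(token, realmRoles(token), token.getClaimAsString("preferred_username")))));
        return http.build();
    }
}

@RestController
class GreetController {
    // authentication.name is preferred_username thanks to the converter above
    @GetMapping("/greet/on-behalf-of/{username}")
    @PreAuthorize("hasRole('AUTHOR') and #username == authentication.name")
    String greet(@PathVariable String username) {
        return "Hi " + username + " from " + username + "!";
    }
}
```

A test like the one in the answer above then exercises the rule without any running Keycloak, which is the point of keeping access control in the service.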

Here is a very detailed article to introduce the use of API Gateway and Keycloak: https://apisix.apache.org/blog/2022/07/06/use-keycloak-with-api-gateway-to-secure-apis/

Related

Filter Chains support in Spring Cloud Function

Does Spring Cloud Function provide some kind of functionality similar to Spring Security Filter Chains?
One particular use case is to implement CORS with AWS Lambda API Gateway in proxy integration mode. According to the AWS docs, it's the function's responsibility to add CORS headers to the response.
It might be more useful to do this at the integration layer and not in the business logic.
I'm using Spring Cloud Function with AWS adapter and Spring Boot.
I've browsed through the code (3.1.3 at the time of writing) but didn't find anything alike.
There's one old issue showing CorsFilter registration (with Azure provider) but I doubt it really worked as Spring Cloud Function does not utilize Servlet environment.

Mixed Gateway HTTP-WEBSOCKET in a Spring Boot Application

In your opinion, in a hybrid architecture (WEBSOCKET + HTTP) is it good practice to use 2 gateways: Zuul for HTTP communication and Spring Cloud Gateway for WEBSOCKET communication in a Spring Boot application? Alternatively, in this scenario is it recommended to use only Spring Cloud Gateway?
Thanks.
"Is it recommended to use only Spring Cloud Gateway?" Yes, because:
Spring Cloud does not provide any out of the box integration with Zuul2. Gateway has many features that are not available in the public version of Zuul2 such as Rate limiting, etc. Also, with the gateway you can have custom filters defined per route and there are tons of built-in filters defined as well, which helps a lot to get started. Reference
Reference: I think SCG is the way to go due to the agreements between Netflix and Pivotal, with the former leaning more toward the spring boot/cloud ecosystem as stated in https://medium.com/netflix-techblog/netflix-oss-and-spring-boot-coming-full-circle-4855947713a0

Spring Cloud Gateway with SAML

I want to use Spring Cloud Gateway with SAML. Is this possible?
It seems that the Saml extension for spring security is based on the old Spring Stack and won't work with Gateway.
Has anybody got any experience on this?
I'm afraid SAML is not supported as of the time of writing. Spring Cloud Gateway has been redeveloped using Reactive programming and is now based on Spring WebFlux. Only the following authentication methods are currently supported:
OAuth 2.0 or OpenID Connect 1.0
x509 authentication
This is stated on SCG page:
Spring Cloud Gateway is built on Spring Boot 2.x, Spring WebFlux, and
Project Reactor. As a consequence, many of the familiar synchronous
libraries (Spring Data and Spring Security, for example) and patterns
you know may not apply when you use Spring Cloud Gateway. If you are
unfamiliar with these projects, we suggest you begin by reading their
documentation to familiarize yourself with some of the new concepts
before working with Spring Cloud Gateway.
The previous gateway spring-cloud-netflix-zuul, based on Servlets and which supported SAML, has been removed from Spring Cloud 2020.
Here is an open issue on GitHub, SAML2 for reactive environment, where we can vote for asking for this to be implemented.

Link Spring Security to existing Project

I have existing REST APIs built into multiple Spring Boot projects. Now I would want to enable JWT for all REST services. I have a separate project which does JWT for a test service. Can that JWT project be linked like a library or associated as a Spring Boot parent to enable Spring JWT auth for all REST services which are present in multiple projects?
There are not enough details within your question, but we also have multiple Spring Boot services which share a common authentication and authorization mechanism (OAuth 2.0 authorization token flow + Keycloak + JWT). The implementation of this mechanism is realized as a custom Spring Boot starter, which is the approach I would recommend to you. You can start reading about that, for example, here.

How to redirect user request to other Restful API that runs on other server in Spring boot?

I am a noob in Spring Boot. I am writing a Gateway for some services. In a condition, I need to forward a user request to other services (some RESTful API) after authentication. I have done some search on 'forward' and 'redirect'. I think I need 'forward'. But I still have some questions:
1. When I forward it to another URI (e.g. abc.dce.com/service/), does the service get the request body?
2. How can I do it in Spring Boot? Do you guys have a good example that fits my condition? (I admit that I am kind of lazy for this, but there are really many styles of forward that confused me.)
// I found this example, but this is forwarding to a service in the same package
// under the same Internet.
@Override
public void addViewControllers(ViewControllerRegistry registry) {
    // forward requests to /admin and /user to their index.html
    registry.addViewController("/portal").setViewName("forward:/app/index.html");
}
Since you mention you're new to Spring Boot, you might want to take a look at the Spring project that implements a fully-featured gateway. I've used an earlier version of it (Zuul) and the current spring-cloud-gateway allows you to implement a complete gateway easily by creating a Spring Boot project and configuring it. It has a lot of features you'll likely want to implement as a gateway (like adding/removing headers, modifying payloads, ...). If you need features they don't support, you can implement them via filters and other interfaces they provide. This was initially open-sourced from Netflix, so it is fairly comprehensive.
https://spring.io/projects/spring-cloud-gateway
Sample project:
https://github.com/spring-cloud-samples/spring-cloud-gateway-sample
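As an added example (not from the answer or the sample project), this is the Spring Cloud Gateway route that covers the question above: the gateway proxies the request, including its body, to the upstream service instead of doing a servlet-style forward. It assumes spring-cloud-starter-gateway on the classpath; the upstream host abc.dce.com comes from the question and the gateway path prefix is an assumption. Authentication is left to the gateway's own Spring Security WebFlux chain, which runs before routing.

```java
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class GatewayRoutes {

    // Requests to /gateway/service/** are proxied to https://abc.dce.com/service/**.
    // Method, query string, headers and body are streamed to the upstream unchanged
    // except for the filters below, so the downstream service does receive the body.
    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            .route("downstream-service", r -> r
                .path("/gateway/service/**")
                .filters(f -> f
                    // /gateway/service/x -> /service/x on the upstream
                    .rewritePath("/gateway/service/(?<rest>.*)", "/service/${rest}")
                    // the gateway's own session cookie is not the upstream's business
                    .removeRequestHeader("Cookie"))
                .uri("https://abc.dce.com"))
            .build();
    }
}
```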