Spring Cloud Gateway with SAML - spring

I want to use Spring Cloud Gateway with SAML. Is this possible?
It seems that the Saml extension for spring security is based on the old Spring Stack and won't work with Gateway.
Has anybody got any experience on this?

I'm afraid SAML is not supported as of the time of writing. Spring Cloud Gateway has been redeveloped using reactive programming and is now based on Spring WebFlux. Only the following authentication methods are currently supported:
OAuth 2.0 or OpenID Connect 1.0
x509 authentication
This is stated on the SCG page:
Spring Cloud Gateway is built on Spring Boot 2.x, Spring WebFlux, and Project Reactor. As a consequence, many of the familiar synchronous libraries (Spring Data and Spring Security, for example) and patterns you know may not apply when you use Spring Cloud Gateway. If you are unfamiliar with these projects, we suggest you begin by reading their documentation to familiarize yourself with some of the new concepts before working with Spring Cloud Gateway.
The previous gateway, spring-cloud-netflix-zuul, which was based on Servlets and supported SAML, has been removed from Spring Cloud 2020.
Here is an open issue on GitHub, SAML2 for reactive environment, where we can vote for asking for this to be implemented.

Related

What is the difference between spring-boot-starter-oauth2-client, spring-cloud-starter-oauth2 and spring-security-oauth2

I am developing a client application for client_credentials grant type flow in OAUTH2.
I am not able to decide on which dependency to use in my project for this purpose among the following.
spring-boot-starter-oauth2-client
spring-cloud-starter-oauth2
spring-security-oauth2
I referred to this documentation from spring-projects, in which, under the client-support section, there is a table describing the available options. But I am not able to understand which column refers to which of the above dependencies.
I want to configure a WebClient or RestTemplate which retrieves the OAUTH2 token from the auth-server automatically before accessing a resource-server.
Please guide me in choosing the right artifact for my project.
If you are using Spring Boot you should choose org.springframework.boot:spring-boot-starter-oauth2-client.
This includes Spring Security's OAuth 2.0 Client support and provides Spring Boot auto-configuration to set up OAuth2/Open ID Connect clients.
You can read about how to configure the client in the Spring Boot reference documentation.
You can also find additional details in the Spring Security reference documentation.
If you are not using Spring Boot then you should choose org.springframework.security:spring-security-oauth2-client. This also provides Spring Security's latest OAuth 2.0 Client support, but does not include the Spring Boot auto-configuration.
The corresponding documentation is also the Spring Security reference documentation.
The third dependency you mentioned org.springframework.security.oauth:spring-security-oauth2 should not be used because it is part of the legacy Spring Security OAuth project, which is now deprecated.
The functionality that this library provided has now been moved into Spring Security.
That is what the Migration Guide describes, the migration from the legacy project to the latest Spring Security support.
You should not use the org.springframework.cloud:spring-cloud-starter-oauth2 at this time, because it relies on the legacy OAuth support.
This is likely to change in the future, as the Spring Cloud team updates to the latest Spring Security support.
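As an added illustration of the recommended artifact (this is not code from the answer above), the following Spring Boot configuration wires a WebClient that fetches a client_credentials token from the authorization server automatically before calling the resource server. The registration name `my-client`, the provider name and all URLs are assumed placeholders.

```java
// Added example (not from the answer): a WebClient on the servlet stack that
// obtains a client_credentials token before each call to the resource server.
// Assumes spring-boot-starter-oauth2-client and spring-boot-starter-webflux
// (for WebClient) plus this registration in application.yml; names and URLs
// are placeholders:
//   spring.security.oauth2.client.registration.my-client:
//     provider: my-provider
//     client-id: ${OAUTH_CLIENT_ID}          # never hard-code credentials
//     client-secret: ${OAUTH_CLIENT_SECRET}
//     authorization-grant-type: client_credentials
//   spring.security.oauth2.client.provider.my-provider:
//     token-uri: https://auth.example.com/oauth2/token
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class OAuth2ClientConfig {
    @Bean
    OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository registrations,
            OAuth2AuthorizedClientRepository authorizedClients) {
        // Restrict the manager to client_credentials: no redirect flow is ever used.
        OAuth2AuthorizedClientProvider provider =
                OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().build();
        DefaultOAuth2AuthorizedClientManager manager =
                new DefaultOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(provider);
        return manager;
    }

    @Bean
    WebClient resourceServerClient(OAuth2AuthorizedClientManager manager) {
        ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2 =
                new ServletOAuth2AuthorizedClientExchangeFilterFunction(manager);
        // All requests use "my-client"; the filter fetches the token on first use,
        // caches it and obtains a new one when it expires.
        oauth2.setDefaultClientRegistrationId("my-client");
        return WebClient.builder()
                .baseUrl("https://api.example.com")
                .apply(oauth2.oauth2Configuration())
                .build();
    }
}
```

DefaultOAuth2AuthorizedClientManager needs a servlet request context; for calls made from background threads, Spring Security's AuthorizedClientServiceOAuth2AuthorizedClientManager is the variant to use instead.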

Migrating from Spring Boot OAuth2 to Spring Security 5

Today I'm using Spring Boot OAuth2 to grant correct use of OAuth2 in my project, so I have the following:
I have API A calling API B
API A generates a JWT token and calls API B.
API B validates the JWT token in two ways: online (introspection) and offline (with RSA keys).
So, migrating to Spring Security 5 I got the following problems:
I didn't find any samples (https://github.com/spring-projects/spring-security/tree/master/samples/boot) using Spring Cloud OpenFeign. All my projects use it (Feign), and changing to Spring WebClient could be very problematic.
The documentation only talks about WebClient (https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2client), nothing about RestTemplate or Feign.
Joe Grandja wrote an OAuth2 application and the corresponding migrated Spring Security application.
You can check the examples here:
Spring Security OAuth 2.4 Migration Sample
Also, docs about configuring Spring Security are here:
OAuth 2.0 Resource Server

Spring Boot reactive (WebFlux) support with @EnableResourceServer

I am trying to migrate my existing Spring Boot 1.5 resource server (OAuth2) to Spring Boot 2.x, and while doing so I am facing difficulties in providing reactive support for it. It looks like I cannot use reactive WebFlux when I use spring-cloud-starter-oauth2. I have a few questions:
Does Spring Boot 2.0.3 support WebFlux + OAuth2 resource servers using @EnableResourceServer? If yes, what is the right way to implement it?
If it does not support this, what are the other possible options? The Spring Security 5 documentation says that it does not support authorization servers or resource servers at this moment.
Thank you in advance
Short answer: no.
There's no support for implementing your own Authorization or Resource server using WebFlux.

How connect Spring Cloud Gateway + Spring Cloud Security + Keycloak

I have been trying to connect s-c-gateway and s-c-security with Keycloak for a couple of days. I want the modules that are located behind the gateway not to have a Keycloak configuration.
Is Spring Cloud Gateway not supported by Spring Cloud Security?
There's an issue on the Spring Cloud Gateway GitHub about this. A short summary is that there's currently no official support, but I'd suggest reading the full GitHub comments.
You could use @EnableWebFluxSecurity in Cloud Gateway, since it's a reactive project.
I know this is an old question with an answer, but now it is possible and very common to integrate Spring Cloud Gateway, Spring Cloud Security and Keycloak. You can find a good tutorial here:
https://kunkkali.blogspot.com/2020/10/build-j2ee-micro-services-architecture.html
Source code: https://github.com/liqili/spring-microservice-oauth2-keycloak-starter
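As an added example of the reactive approach mentioned in the answers above (not code from the answers or from the linked repository), this is a minimal @EnableWebFluxSecurity configuration for Spring Cloud Gateway that logs users in at Keycloak over OpenID Connect and uses the gateway's TokenRelay filter to pass the access token to routed services. The realm, client, URLs and route are assumed placeholders.

```java
// Added example (not from the answers): reactive security config for a
// Spring Cloud Gateway that authenticates at Keycloak and relays the token.
// Assumes spring-boot-starter-oauth2-client on the gateway and this
// application.yml (realm, client, URLs and route are placeholders):
//   spring.security.oauth2.client.registration.keycloak:
//     client-id: gateway
//     client-secret: ${KEYCLOAK_CLIENT_SECRET}   # injected, not committed
//     authorization-grant-type: authorization_code
//     scope: openid
//   spring.security.oauth2.client.provider.keycloak:
//     issuer-uri: https://keycloak.example.com/realms/demo
//   spring.cloud.gateway.routes:
//     - id: orders
//       uri: http://orders:8080
//       predicates: [ Path=/orders/** ]
//       filters: [ TokenRelay= ]
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {
    @Bean
    SecurityWebFilterChain gatewayFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(exchanges -> exchanges
                        // keep the health probe reachable for the orchestrator
                        .pathMatchers("/actuator/health").permitAll()
                        // everything else routed through the gateway needs a login
                        .anyExchange().authenticated())
                // unauthenticated browsers are redirected to Keycloak
                // (authorization_code); the session holds the resulting tokens
                .oauth2Login(Customizer.withDefaults());
        return http.build();
    }
}
```

Services behind the gateway receive the relayed bearer token; unless the network guarantees that only the gateway can reach them, they should still validate it as resource servers rather than trusting the gateway alone.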

Interaction between api gateway (Zuul) and UAA server (Spring OAuth2) with Spring Boot 2.0

I'm trying to build a system with a gateway server (Zuul) and a UAA server (Spring OAuth2).
There are lots of examples, but they are all used with Spring Boot 1 (1.5.X?). When I tried to migrate to Spring Boot 2, lots of things got moved or removed (in the auto-configure package).
My current understanding is that the gateway server will act as an OAuth2 client with SSO. Hope someone can point me in the right direction.
Thanks.
