Zuul Spring Cloud and JWT Refresh Token

I have a local environment set up using Spring Cloud components (Eureka, Zuul and auth servers). All of these components are implemented as separate standalone services. I also have a growing number of combined user interface / resource services, where each individual service has its own user interface. The user interface is integrated with the server side using Thymeleaf templates, but in fact they are single-user applications that run in the browser.

A single Zuul service fronts all of the UI / resource services. I annotated all the UI / resource services with @EnableResourceServer and added @EnableOAuth2Sso to the Zuul server.

In application.properties for Zuul, I have the following properties:

    security.oauth2.client.accessTokenUri=http://localhost:8771/uaa/oauth/token
    security.oauth2.client.userAuthorizationUri=http://localhost:8771/uaa/oauth/authorize
    security.oauth2.client.clientId=waharoa
    security.oauth2.client.clientSecret=waharoa
    security.oauth2.client.preEstablishedRedirectUri=http://localhost:81/login
    security.oauth2.client.registeredRedirectUri=http://localhost:81/login
    security.oauth2.client.useCurrentUri=false
    security.oauth2.resource.jwt.keyValue=-----BEGIN PUBLIC KEY-----[ETC omitted]...

All this works as advertised. My problem is when the token expires.

On the auth server I set the access token validity to 60 seconds, and the refresh token expires after 12 hours. When the access token expires, the Zuul server cannot obtain a new token.

On the Zuul server this appears in the log:

    BadCredentialsException: cannot get a valid access token created by OAuth2TokenRelayFilter.getAccessToken

Update: I turned on debug logging for org.springframework.security.oauth in the Zuul service and got the following:

    17:12:33.279 DEBUG o.s.s.o.c.t.g.c.AuthorizationCodeAccessTokenProvider - Retrieving token from http://localhost:8771/uaa/oauth/token
    17:12:33.289 DEBUG o.s.s.o.c.t.g.c.AuthorizationCodeAccessTokenProvider - Encoding and sending form: {grant_type=[refresh_token], refresh_token=[eyJhbGciOiJS[...deleted...]VgGRHGT8OJ2yDfNVvNA]}
    17:12:37.279 WARN  o.s.c.n.z.f.post.SendErrorFilter - Error during filtering
    [blah blah stacktrace many lines omitted]
    Caused by: org.springframework.security.authentication.BadCredentialsException: Cannot obtain valid access token
            at org.springframework.cloud.security.oauth2.proxy.OAuth2TokenRelayFilter.getAccessToken(OAuth2TokenRelayFilter.java:99)
            at org.springframework.cloud.security.oauth2.proxy.OAuth2TokenRelayFilter.run(OAuth2TokenRelayFilter.java:79)
            at com.netflix.zuul.ZuulFilter.runFilter(ZuulFilter.java:112)
            at com.netflix.zuul.FilterProcessor.processZuulFilter(FilterProcessor.java:193)
            ... 106 common frames omitted

On the auth (uaa) service side, I can see the Zuul (waharoa) client being authenticated and the correct user details being retrieved, and then it prints:

    17:12:37.288 DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

I assume this means that the auth server did what it needed to and responded to the request? It seems that something is not set up correctly in the Zuul service. Any suggestions?

-, , , , , . noob spring, ( , , , , ).

2: bean

    @Bean
    public OAuth2RestTemplate oauth2RestTemplate(OAuth2ProtectedResourceDetails resource, OAuth2ClientContext context) {
        return new OAuth2RestTemplate(resource, context);
    }

@AlexK, UserDetailsService bean Auth

    @Bean
    @Override
    public UserDetailsService userDetailsServiceBean() throws Exception {
        return super.userDetailsServiceBean();
    }

, auth

    @Autowired
    private UserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore()).tokenEnhancer(jwtTokenEnhancer())
                .authenticationManager(authenticationManager).userDetailsService(userDetailsService)
                .reuseRefreshTokens(false);
    }

. Refresh_token , , , , Zuul.

3:

@AlexK . , , , , UserDetailsService, . Active Directory, , , . () UserDetailsService bean, , 2:

    @Bean(name = "ldapUserDetailsService")
    public UserDetailsService userDetailsService() {
        FilterBasedLdapUserSearch userSearch = new FilterBasedLdapUserSearch(searchBase, "(sAMAccountName={0})",
                contextSource());
        LdapUserDetailsService result = new LdapUserDetailsService(userSearch);
        result.setUserDetailsMapper(new InetOrgPersonContextMapper());
        return result;
    }

, Q A

:

  • - OAuth2RestTemplate Zuul/UIApp. Spring ,
  • - OAuth-

_ refresh_token.

P.S. refresh_token, ! , refresh_token access_token. reuseRefreshTokens (false) AuthorizationServerEndpointsConfigurer auth-server:

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService)
            .reuseRefreshTokens(false); // <-- this is the key to getting a new refresh_token together with each new access_token
    }
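As an added example (not code from the question or the answer), here is a complete authorization-server configuration assembled from the values the question gives (client waharoa, 60-second access tokens, 12-hour refresh tokens, JWT tokens) together with the reuseRefreshTokens(false) setting the answer recommends, so the pieces scattered across the updates can be seen in one place. The keystore file, alias and password and the openid scope are assumptions; with Spring Security 5 the client secret also needs a PasswordEncoder prefix such as {noop}.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.*;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.*;

@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired private AuthenticationManager authenticationManager;
    @Autowired private UserDetailsService userDetailsService;

    @Bean
    public JwtAccessTokenConverter jwtTokenEnhancer() {
        // Keystore file, alias and password are placeholders; the question does not give them.
        KeyStoreKeyFactory keys = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), "changeit".toCharArray());
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setKeyPair(keys.getKeyPair("jwt"));
        return converter;
    }

    @Bean
    public TokenStore tokenStore() { return new JwtTokenStore(jwtTokenEnhancer()); }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("waharoa").secret("waharoa")
            // refresh_token must be an allowed grant type, or the refresh call is rejected
            .authorizedGrantTypes("authorization_code", "refresh_token")
            .scopes("openid")                           // scope is assumed
            .autoApprove(true)
            .redirectUris("http://localhost:81/login")
            .accessTokenValiditySeconds(60)             // 60 s, as in the question
            .refreshTokenValiditySeconds(12 * 60 * 60); // 12 h, as in the question
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // The refresh_token grant re-authenticates the user through this UserDetailsService;
        // reuseRefreshTokens(false) issues a new refresh token along with each new access token.
        endpoints.tokenStore(tokenStore()).tokenEnhancer(jwtTokenEnhancer())
            .authenticationManager(authenticationManager)
            .userDetailsService(userDetailsService)
            .reuseRefreshTokens(false);
    }
}
```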


Source: https://habr.com/ru/post/1684080/
