
Implement OAuth2 Security for microservices #41

Open
ghost opened this issue Jan 17, 2017 · 30 comments

Comments

@ghost

ghost commented Jan 17, 2017

Since there is a lack of samples on how to secure microservices and this is the most suggested method, it could be a good idea to implement this type of security for communication between microservices and securing them from outside requests

@mszarlinski
Collaborator

mszarlinski commented Jan 18, 2017

I think that incorporating Spring Cloud Security into our project is a natural follow-up of what we have already done here. I am only wondering if securing our demo application wouldn't make it too complicated. I would like to keep this project as simple as possible, helping people to get started with Spring Cloud. Maybe we should create a separate branch for an OAuth2 version? @arey @dsyer

@ghost
Author

ghost commented Jan 19, 2017

Agree on keeping the project simple, but it would be great to have a branch with the OAuth2 implementation.

@mszarlinski
Collaborator

Would you like to contribute or to leave the implementation to someone else? I think we can go with a separate branch first and then decide whether to merge the secured version into master.

@ghost
Author

ghost commented Jan 25, 2017

I would be glad to help as much as I can, but I'm not experienced with OAuth2 used in microservices. I wanted to use this as a good base to learn the correct way to implement the service.
I could implement what I know till now and then someone else could check for improvements.

@mszarlinski
Collaborator

Hi @ScopeSebastian, any update on this? :)

@pmj0yce

pmj0yce commented Aug 5, 2018

I'd be interested in contributing to this and other security related items. In particular what I would like to add (as individual tutorial branches) is:
1) Securing microservices secrets with Hashicorp Vault
2) OAuth2 authentication
3) Authorization based on both roles and URL in each service
4) Authorization in Angular UI (or maybe migrate to React with auth).

FWIW I have experience in each of these in my day job. What is the process on this project? Just go ahead and implement, then submit a pull request? Something else...?

@arey
Member

arey commented Aug 21, 2018

Thank you @pmj0yce for your proposition.
We could have a secure version in a separate branch you'll be in charge of maintaining (synchronizing with the master branch).
I propose to keep AngularJS. You may go ahead and submit a PR :)

@briceamk

Is there any update about the secure version?

@arey
Member

arey commented Mar 20, 2019

We are looking for some contributors. @pmj0yce was interested but we didn't have any news.

@simrin051

simrin051 commented Oct 18, 2021

Hi @arey

Can I take up this issue? @arey Can you provide an outline on this issue? If I am not wrong, I should just implement OAuth2 security for microservices.

@simrin051

simrin051 commented Oct 22, 2021

Hi @arey / @dsyer

Can I take up this issue? Can you please advise.

@pmj0yce

pmj0yce commented Oct 22, 2021 via email

@simrin051

simrin051 commented Oct 22, 2021

@pmj0yce

Can I go ahead with the issue?

@pmj0yce

pmj0yce commented Oct 24, 2021 via email

@simrin051

@arey / @dsyer
Can you please brief on what is expected out of this task. I am new to OAuth2 and microservices. Can you please brief on what is expected out of this task so that I can code easily. Please. It is an urgent request.

@simrin051

@arey / @dsyer

May I know whether authentication using Google or GitHub is needed for this issue. I have started to work on this issue. Can you please specify the requirements. Please.

@spring-petclinic spring-petclinic deleted a comment from simrin051 Nov 17, 2021
@arey
Member

arey commented Nov 17, 2021

I'm not an expert in microservices security but I think we could use the Spring Authorization Server https://www.baeldung.com/spring-security-oauth-auth-server.
I propose to secure with a JWT token both the API from the Gateway and the API of the 3 microservices: vets, visits and customers.
Keep in mind that this code should live in a separate branch.
If it could help, I'm working on the Spring Cloud 2021.0 and Spring Boot 2.6 migration. See #188

@simrin051

simrin051 commented Nov 18, 2021

@arey Thanks for the response. Should the authorization be for a single user or for multiple users with a signup and login page? Can you please confirm. Please

@simrin051

@arey / @pmj0yce Can you please confirm

@simrin051

simrin051 commented Nov 20, 2021

@arey / @dsyer / @pmj0yce Can you please confirm. Should I do in-memory authentication or database authentication?

@simrin051

@arey / @dsyer / @pmj0yce Can you please confirm. Should I do in-memory authentication or database authentication?

@simrin051

Hi @dsyer / @arey

When I configure Spring Security for the API Gateway, I get the below error message. I removed the starter web dependency and I added the javax.xml.bind and javax.servlet dependencies, still the same error. I have been stuck with this for 2 days. Can you please advise.

Caused by: java.lang.IllegalStateException: StandardEngine[Tomcat].StandardHost[localhost].TomcatEmbeddedContext[] failed to start
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.rethrowDeferredStartupExceptions(TomcatWebServer.java:187)
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.initialize(TomcatWebServer.java:126)
... 18 common frames omitted

@488442

488442 commented Aug 19, 2022

Any news?

@donhuvy

donhuvy commented Dec 27, 2022

A near reference web-app without authentication and authorization. Unbelievable.

@arey
Member

arey commented Dec 28, 2022

You're right @donhuvy. We have to propose a secured version.
We could use the Spring Authorization Server.
Before starting to work on this issue, we have to clearly define the security architecture.

@donhuvy

donhuvy commented Dec 31, 2022

Thank you for your attention.

I based it on a video tutorial that uses Spring Boot 2.x: https://www.youtube.com/watch?v=vNKVm2vTL2Q&t=7261s It is a great tutorial. https://github.com/mohamedYoussfi/spring-security-jwt-oauth2-oidc

You can see https://github.com/donhuvy/spring_boot_3_oauth2/ I used Spring Boot 3. My limitation in skill: I don't know how to use a persistent database (PostgreSQL, MySQL, etc), I just mimic it and use InMemoryUserDetail. If you know how to persist user information to a real SQL database, please fork, and guide me.

We will not use self-sign OAuth as a monolithic web-app. We need an OAuth2 server microservice and many OAuth2 clients. I am not a pro in the topics of Spring Security and Spring Cloud Security.

@alexandre-touret

Hi @arey
FYI I created a workshop using the whole spring boot / cloud stack w/ spring authorization server

https://github.com/alexandre-touret/rest-apis-versioning-workshop

https://github.com/alexandre-touret/rest-apis-versioning-solution

If you want I can implement it in this project

@MarianConstantinMarica
Contributor

Is this still available? If yes, can I work on it?

@dsyer
Member

dsyer commented Dec 20, 2023

Please do. My preference would be to add a security layer to the gateway, and make the other apps clients of that (so they need a token and a token relay where appropriate). The auth server could be a Spring Auth Server (so that we control the user ids).
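One way to realise the layout proposed in the thread (JWT-secured APIs behind the gateway, as arey suggests, with the gateway holding the token and relaying it to the services, as dsyer suggests) is shown below as an added example. It is not code from spring-petclinic-microservices or from any contributor: a Spring Security 6 resource-server configuration for one downstream service. The package name, the vets service as the target, the issuer URL on port 9000, the gateway client id and the open actuator endpoints are all assumptions.

```java
// Added example, assumed to live in the vets service (not project code).
// Assumed gateway side (Spring Cloud Gateway configured as an OAuth2 client):
//   spring.cloud.gateway.default-filters[0]=TokenRelay=
//   spring.security.oauth2.client.registration.petclinic-gateway.* (assumed client id)
// so every proxied request arrives with "Authorization: Bearer <jwt>" minted by
// the Spring Authorization Server. This service only validates that token.
// Assumed property in this service (issuer URL is an assumption):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:9000
package org.springframework.samples.petclinic.vets.security; // assumed package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // Bearer-token API: no HTTP session, so no CSRF token to manage.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(auth -> auth
                // Health/info stay reachable for the platform (assumption; narrow if unneeded).
                .requestMatchers("/actuator/health", "/actuator/info").permitAll()
                // Every business endpoint (e.g. /vets) needs a valid JWT from the trusted issuer.
                .anyRequest().authenticated())
            // Signature, issuer and expiry are checked against the JWK set discovered
            // from issuer-uri; no shared secret is stored in this service.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }
}
```

A request that reaches the service without a bearer token, or with one from a different issuer, is rejected with 401 before any controller runs; the same class can be copied into the visits and customers services.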

@alexandre-touret

Hi,
I did that in a workshop where I put both Spring Cloud Gateway and Spring Authorization Server in place.

You can get here
