spring-attic / spring-cloud-security

Security concerns for distributed applications implemented in Spring
Apache License 2.0

OAuth2FeignRequestInterceptor support for Spring Security 5 OAuth #173

Open loesak opened 5 years ago

loesak commented 5 years ago

I'm upgrading from Spring Security OAuth to the OAuth support in Spring Security 5. My micro-services previously were using Feign to connect with other micro-services (micro-services are both resource servers and clients) and I was using OAuth2FeignRequestInterceptor to either obtain a token, use an existing token, or pass on a token that the calling micro-service itself received (Token Relay). This no longer seems to work as it appears that OAuth2FeignRequestInterceptor does not yet support Spring Security 5's OAuth support. Is this on the roadmap to add support for or does support already exist?

spencergibb commented 5 years ago

Can you define this more:

> This no longer seems to work as it appears that OAuth2FeignRequestInterceptor does not yet support Spring Security 5's OAuth support.

loesak commented 5 years ago

@spencergibb Yes. Thank you for getting back to me.

I'm currently using org.springframework.cloud:spring-cloud-security:2.1.0.RC3

I've been converting my project to use the new OAuth/OIDC support in Spring Security 5 (org.springframework.security:spring-security-oauth2-client and org.springframework.security:spring-security-oauth2-resource-server) from the previous (org.springframework.security.oauth:spring-security-oauth). I removed spring-security-oauth from my dependency management but it seems that OAuth2FeignRequestInterceptor is still dependent on classes from that project. It's my assumption that the previous OAuth support and the new OAuth support are not compatible together, at least I have not found a way for them to be so.

It seems like other parts of spring-cloud-security are using the new Spring Security 5 support of OAuth. For example org.springframework.cloud.security.oauth2.gateway. But there don't seem to be alternatives under org.springframework.cloud.security.oauth2.proxy (Zuul) and org.springframework.cloud.security.oauth2.client for the new OAuth support.

I hope this is clear.

EDIT: I'm also aware that org.springframework.security.oauth:spring-security-oauth has been replaced with spring-security-oauth2-autoconfigure for backwards compatibility but it's essentially the same code.

spencergibb commented 5 years ago

Can you please try the Greenwich.RELEASE rather than a release candidate?

loesak commented 5 years ago

No difference from what I can tell. The code seems to still be relying on the OAuth support from org.springframework.security.oauth:spring-security-oauth2 instead of org.springframework.security:spring-security-oauth2-client and org.springframework.security:spring-security-oauth2-resource-server.

I think the first question that needs to be answered is if the spring-cloud-security OAuth support has been converted to use Spring Security's new OAuth implementations.

Would it be helpful for me to set up a sample project?

spencergibb commented 5 years ago

Sure, a sample would be great.

spring-projects-issues commented 5 years ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

loesak commented 5 years ago

@spencergibb

Here is the sample project. https://github.com/loesak/spring-cloud-security-173

The README may be a bit off because I changed it over a few iterations. I can clear it up if necessary but the point should be obvious, which is that I cannot get the OAuth2FeignRequestInterceptor to work with Spring Security 5's new OAuth/OIDC implementation.

mraible commented 5 years ago

Any updates on this issue? I seem to be having the same problem with Spring Security 5.1 where the refresh token is not used to get a new access token. I'm using the following interceptor to get an access token.

https://github.com/oktadeveloper/java-microservices-examples/blob/master/spring-boot+cloud/api-gateway/src/main/java/com/example/apigateway/UserFeignClientInterceptor.java

This part works, but when the token expires, I get no data from my downstream microservice.

cezxx commented 4 years ago

@spencergibb Any updates on this issue? After considering the spring-security-oauth package as deprecated there is no way to provide OAuth2 authentication for Feign clients. I think that there is a need to update the mentioned OAuth2FeignRequestInterceptor or provide some other solution.

loesak commented 3 years ago

For those still needing this, I've created my own implementation here: https://github.com/loesak/spring-security-openfeign It just supports obtaining a token. No passthrough but that should be easy to add if needed.

There are releases for Spring Security that I've used with 5.1.8 and 5.3.5.

Feel free to use, fork or whatever.

albertocavalcante commented 3 years ago

Is there any update on this? Thanks

loesak commented 3 years ago

> Is there any update on this? Thanks

@albertocavalcante Based on the linked merge request, it looks like they're moving the code from spring-cloud-security to spring-cloud-openfeign. Although that merge just brings over the code w/o updating to the latest Spring Security.

Based on that, I suspect they'll just close this issue and a new one will have to be created in that repository.

The library I mentioned above is now on Maven Central but may need updating for your needs. Merge Requests are welcome.

sta-szek commented 3 years ago

Hi guys, any update? I think I got a similar issue. One of my features that uses Feign client stopped working, it turned out that security classes are deprecated and there is no easy migration guide (e.g. replace class A with B).

I would like to still use Feign client, but if there is no solution I will switch to RestTemplate.

My config looks like the following (screenshot to see deprecated classes):

Screenshot 2021-09-15 at 15 38 18

No examples at https://docs.spring.io/spring-cloud-openfeign/docs/current/reference/html/
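
The behaviour requested in this thread (relay the incoming bearer token, otherwise obtain or renew one) can be sketched as a Feign `RequestInterceptor` on top of Spring Security 5's `OAuth2AuthorizedClientManager`. This is an added example, not code from this thread, from spring-cloud-security, or from the libraries linked above. It assumes Spring Security 5.2 or later and an application-supplied manager bean; the class name `BearerTokenFeignInterceptor` and the `feign-client` principal are hypothetical.

```java
import feign.RequestInterceptor;
import feign.RequestTemplate;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;

/** Hypothetical class; registrationId is whatever client registration the application configured. */
public class BearerTokenFeignInterceptor implements RequestInterceptor {

    // Fixed principal for service-to-service calls that have no end user (assumed name).
    private static final Authentication SERVICE_PRINCIPAL = new AnonymousAuthenticationToken(
            "feign-client", "feign-client", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

    private final OAuth2AuthorizedClientManager manager;
    private final String registrationId;

    public BearerTokenFeignInterceptor(OAuth2AuthorizedClientManager manager, String registrationId) {
        this.manager = manager;
        this.registrationId = registrationId;
    }

    @Override
    public void apply(RequestTemplate template) {
        template.header("Authorization", "Bearer " + resolveToken());
    }

    private String resolveToken() {
        // Token relay: reuse the bearer token this resource server was called with.
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current instanceof AbstractOAuth2TokenAuthenticationToken) {
            return ((AbstractOAuth2TokenAuthenticationToken<?>) current).getToken().getTokenValue();
        }
        // Otherwise let the manager obtain a token, or reuse or renew a stored one.
        OAuth2AuthorizedClient client = manager.authorize(OAuth2AuthorizeRequest
                .withClientRegistrationId(registrationId)
                .principal(SERVICE_PRINCIPAL)
                .build());
        if (client == null) {
            // Fail closed rather than sending an unauthenticated request downstream.
            throw new IllegalStateException("No OAuth2 token for registration " + registrationId);
        }
        return client.getAccessToken().getTokenValue();
    }
}
```

Which grants are attempted, including renewal of an expired token, depends on the providers configured on the manager (for example `OAuth2AuthorizedClientProviderBuilder.builder().clientCredentials().refreshToken().build()`). Because the relay branch forwards the caller's token unchanged, register the interceptor only on Feign clients whose targets are meant to receive that token.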