spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Multiple resource servers with multiple remote token services #1018

Open IbrahimAl-Zreqat opened 7 years ago

IbrahimAl-Zreqat commented 7 years ago

Can I implement more than one RemoteTokenServices in the resource server, so every resource has its own client_id and client_secret? I implemented two RemoteTokenServices, but the List of ResourceServerConfigurer shows the last RemoteTokenServices added, which means there is only one object of the RemoteTokenServices and that means only one client_id and client_secret in the system. Is that right?

Here is my ResourceServerConfig:

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfiguration;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    // First resource server: protects /Test1/** and validates tokens as client "first".
    @Bean
    protected ResourceServerConfiguration firstResources() {
        ResourceServerConfiguration resources = new ResourceServerConfiguration() {
            // Overriding without @Autowired stops Spring from injecting every
            // ResourceServerConfigurer bean in the context into this instance.
            @Override
            public void setConfigurers(List<ResourceServerConfigurer> configurers) {
                super.setConfigurers(configurers);
            }
        };
        resources.setOrder(4);
        resources.setConfigurers(Arrays.asList(getFirstConfigurers()));
        return resources;
    }

    // Second resource server: protects /Test2/** and validates tokens as client "second".
    @Bean
    protected ResourceServerConfiguration secondResources() {
        ResourceServerConfiguration resources = new ResourceServerConfiguration() {
            @Override
            public void setConfigurers(List<ResourceServerConfigurer> configurers) {
                super.setConfigurers(configurers);
            }
        };
        resources.setOrder(5);
        resources.setConfigurers(Arrays.asList(getSecondConfigurers()));
        return resources;
    }

    private ResourceServerConfigurer getFirstConfigurers() {
        ResourceServerConfigurer integration = new ResourceServerConfigurerAdapter() {

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("test1").tokenServices(firstTokenServices());
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.anonymous().disable()
                    .authorizeRequests().antMatchers("/Test1/**").hasAuthority("ADMIN");
            }
        };
        return integration;
    }

    private ResourceServerConfigurer getSecondConfigurers() {
        ResourceServerConfigurer validation = new ResourceServerConfigurerAdapter() {

            @Override
            public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
                resources.resourceId("test2").tokenServices(secondTokenServices());
            }

            @Override
            public void configure(HttpSecurity http) throws Exception {
                http.anonymous().disable()
                    .authorizeRequests().antMatchers("/Test2/**").hasAuthority("ADMIN");
            }
        };
        return validation;
    }

    // Each RemoteTokenServices calls the authorization server's check_token endpoint,
    // authenticating with its own client_id/client_secret.
    @Bean
    @Primary
    protected RemoteTokenServices firstTokenServices() {
        RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth-server/oauth/check_token");
        remoteTokenServices.setClientId("first");
        remoteTokenServices.setClientSecret("secret");
        return remoteTokenServices;
    }

    @Bean
    protected RemoteTokenServices secondTokenServices() {
        RemoteTokenServices remoteTokenServices = new RemoteTokenServices();
        remoteTokenServices.setCheckTokenEndpointUrl("http://localhost:8080/oauth-server/oauth/check_token");
        remoteTokenServices.setClientId("second");
        remoteTokenServices.setClientSecret("secret");
        return remoteTokenServices;
    }
}
```

vikramcc2017 commented 5 years ago

We are looking for something similar; please share if you found a solution. Thanks.

vikramcc2017 commented 5 years ago

@dsyer could you please let us know if the above is possible? In our scenario we are securing APIs by two auth servers in one Spring Boot application, i.e.

1) /api/user/ - this API is secured by the internal auth server (e.g. our internal auth server). The token needs to be validated against our internal auth server.
2) /api/movies/ - this API is secured by the external auth server (e.g. Okta). The token needs to be validated against the external auth server.

dsyer commented 5 years ago

There’s a sample with multiple resource servers in this project I think https://github.com/spring-projects/spring-security-oauth/blob/master/tests/annotation/multi/README.md. But you might be better off using https://github.com/spring-projects/spring-security since this project is now in maintenance mode.

DeCaMil commented 5 years ago

It's bleeding edge, having been merged ~5 days ago in https://github.com/spring-projects/spring-security/pull/6977, but MultiTenantAuthenticationManagerResolver looks like just the piece you need.

vikramcc2017 commented 5 years ago

Thanks @DeCaMil, we will look into it.

jannik-mohemian commented 5 years ago

FYI MultiTenantAuthenticationManagerResolver was removed from the spring-projects repo until further notice (https://github.com/spring-projects/spring-security/issues/7259)

apatelWU commented 4 years ago

@vikramcc2017 - Have you found a solution for this? I'm stuck in the same scenario, except I will be using the same endpoints going against both resource servers, i.e.

1. /api/** - this API is secured by the internal auth server (e.g. our internal auth server). The token needs to be validated against our internal auth server (if that fails, then go against the 2nd).
2. /api/** - this API is secured by the external auth server (Okta). The token needs to be validated against the external auth server.

vikramcc2017 commented 4 years ago

@apatelWU we used both Spring Security OAuth and Spring Security for the resource server and configured security for endpoints.

Refer to the Resource server support section: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix

apatelWU commented 4 years ago

For this, I will have to create multiple resource servers with different filter orders (internal=3 & external=4), and have both resource servers (internal and external) refer to the same endpoint (/api/**). In this case, if the token is coming from the external auth server (OKTA), it will be validated against the internal resource server due to priority and the same endpoint, always resulting in "INVALID TOKEN ERROR".
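One way to get the "validate against the internal server, and if that fails try the external one" behaviour described above without two resource servers competing for /api/** is a single resource server whose token services chain several RemoteTokenServices. This is an added example, not code from the thread or from spring-security-oauth; the FallbackTokenServices class name is an assumption, and it only relies on the project's public ResourceServerTokenServices and InvalidTokenException types.

```java
import java.util.List;

import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/** Hypothetical helper (not part of spring-security-oauth): asks each delegate
 *  in turn and accepts the first authorization server that recognises the token. */
public class FallbackTokenServices implements ResourceServerTokenServices {

    private final List<ResourceServerTokenServices> delegates;

    public FallbackTokenServices(List<ResourceServerTokenServices> delegates) {
        if (delegates.isEmpty()) {
            throw new IllegalArgumentException("at least one delegate is required");
        }
        this.delegates = delegates;
    }

    @Override
    public OAuth2Authentication loadAuthentication(String accessToken) {
        InvalidTokenException last = null;
        for (ResourceServerTokenServices delegate : delegates) {
            try {
                return delegate.loadAuthentication(accessToken);
            } catch (InvalidTokenException e) {
                // "Not my token": try the next authorization server. Anything else
                // (connection failure, HTTP 401/500 from check_token) propagates,
                // so an outage is never silently treated as a bad token.
                last = e;
            }
        }
        throw last;
    }

    @Override
    public OAuth2AccessToken readAccessToken(String accessToken) {
        // RemoteTokenServices itself does not support this call; the loop is
        // kept so other delegate types can still answer it.
        for (ResourceServerTokenServices delegate : delegates) {
            try {
                return delegate.readAccessToken(accessToken);
            } catch (InvalidTokenException e) {
                // fall through to the next delegate
            }
        }
        throw new InvalidTokenException("Token not recognised by any authorization server");
    }
}
```

Wire it from one ResourceServerConfigurerAdapter covering /api/** with `resources.tokenServices(new FallbackTokenServices(Arrays.asList(internalTokenServices(), externalTokenServices())))`, where the two RemoteTokenServices beans are assumed to be defined as in the configuration at the top of the thread. Note that every token the first server rejects is then presented to the next check_token endpoint, so each authorization server sees the other's tokens; for JWTs, routing on the issuer claim (the approach MultiTenantAuthenticationManagerResolver mentioned above takes) avoids that.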

destefanelli commented 3 years ago

Did anyone find a solution for this using the same resource server?