
I'm going to put a Spring Cloud Gateway in front of some existing web applications which are already using Keycloak as their identity provider, and I want to authenticate the incoming requests inside the gateway. Currently, each web application is already configured with the proper client-id and it redirects to Keycloak with the proper values. Now the gateway must do the authorization-code flow instead of each application, so it has to know in advance which client-id is for which requested URL. So I was investigating how to implement it and I'm still here without any proper solution. What is the solution for it? Or is it really a gateway responsibility to do that?

dur
Ali

2 Answers

0

Actually, I found a solution however I'm not sure whether it's the best one.

    import java.util.ArrayList;
    import java.util.List;

    import org.springframework.context.annotation.Bean;
    import org.springframework.http.HttpStatus;
    import org.springframework.security.config.web.server.ServerHttpSecurity;
    import org.springframework.security.web.server.SecurityWebFilterChain;
    import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
    import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint;
    import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint.DelegateEntry;
    import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
    import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
    import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
                .authorizeExchange().pathMatchers("/actuator/**").permitAll().and()
                .authorizeExchange().anyExchange().authenticated().and()
                .csrf().disable()
                .oauth2Login()
                .and()
                // the entry point decides which client registration starts the login
                .exceptionHandling().authenticationEntryPoint(createEntryPoints())
                .and()
                .oauth2ResourceServer().jwt()
                // grantedAuthoritiesExtractor() is defined elsewhere in the configuration
                .jwtAuthenticationConverter(grantedAuthoritiesExtractor());
        return http.build();
    }

    public ServerAuthenticationEntryPoint createEntryPoints() {
        List<DelegateEntry> entryPoints = new ArrayList<>();
        // requests to /app1 are sent to the authorization endpoint of registration "client1"
        entryPoints.add(new DelegateEntry(ServerWebExchangeMatchers.pathMatchers("/app1"),
                new RedirectServerAuthenticationEntryPoint("/oauth2/authorization/client1")));
        // other clients will be added here
        DelegatingServerAuthenticationEntryPoint defaultEntryPoint =
                new DelegatingServerAuthenticationEntryPoint(entryPoints);
        // paths without a mapped client get a plain 401 instead of a redirect
        defaultEntryPoint.setDefaultEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED));
        return defaultEntryPoint;
    }

So client1 will be used for /app1 and so on. As I said earlier, I'm not sure, and there might be a better solution for that.

Ali
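As an added example (not code from the question or either answer), here is the same idea driven by a path-to-registration table, so new applications are added as a table row rather than as a new hand-written DelegateEntry. The registration ids "client1" and "client2", the path prefixes and the class name are assumptions; each id must exist under spring.security.oauth2.client.registration, and Keycloak must have the gateway's own redirect URI (/login/oauth2/code/<id>) registered on that client, since the gateway, not the application, now receives the authorization code.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.DelegatingServerAuthenticationEntryPoint.DelegateEntry;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.RedirectServerAuthenticationEntryPoint;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;

@Configuration
@EnableWebFluxSecurity
public class GatewayLoginRoutingConfig {

    // Assumed table: path prefix -> client registration id. Order matters when
    // prefixes overlap, because the first matching entry wins.
    private static final List<Map.Entry<String, String>> REGISTRATION_BY_PATH = List.of(
            Map.entry("/app1/**", "client1"),
            Map.entry("/app2/**", "client2"));

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange(ex -> ex
                        .pathMatchers("/actuator/health").permitAll()
                        .anyExchange().authenticated())
            .oauth2Login(Customizer.withDefaults())
            // replaces the default login page that lists all registrations
            .exceptionHandling(e -> e.authenticationEntryPoint(loginEntryPoint()));
        return http.build();
    }

    // One redirect entry per prefix; unmapped paths get 401 rather than being
    // sent to an arbitrary client's login, which keeps the mapping explicit.
    static DelegatingServerAuthenticationEntryPoint loginEntryPoint() {
        List<DelegateEntry> entries = REGISTRATION_BY_PATH.stream()
                .map(e -> new DelegateEntry(
                        ServerWebExchangeMatchers.pathMatchers(e.getKey()),
                        new RedirectServerAuthenticationEntryPoint(
                                "/oauth2/authorization/" + e.getValue())))
                .collect(Collectors.toList());
        DelegatingServerAuthenticationEntryPoint entryPoint =
                new DelegatingServerAuthenticationEntryPoint(entries);
        entryPoint.setDefaultEntryPoint(new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED));
        return entryPoint;
    }
}
```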
-1

You can have a look at this answer:

How to create Spring Cloud gateway filter to add client-credentials access token?

In order to support different client-ids (secrets, token-uris and so on), you can just define multiple configurations in the spring.security.oauth2.client.registration section and make the client id dynamic in the Oauth2ClientGatewayFilter class:

    String clientId = ...
    OAuth2AuthorizeRequest oAuth2AuthorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId(clientId)
            .principal("myPrincipal").build();
Claudio Tasso