Tags: spring, spring-security, oauth, netflix-zuul

Spring Zuul Oauth2 Gateway/Resource Server


Is it possible to use Zuul as a "fake" resource server, checking OAuth2 scope before returning proxy'd content?

Something like:

incoming request (with token) -> Zuul proxy + resource server -> internal API (insecure)

The internal API service could then be freed from any security concerns, with the Zuul proxy service acting as a gateway. All of the above would be Spring applications, if that makes a difference.


Solution

  • Absolutely.

    You have to configure the resource server as well. Create a bean ResourceServerConfig that extends ResourceServerConfigurerAdapter and override the configure(HttpSecurity security) method. Annotate it with the @EnableResourceServer annotation.

    Something like this:

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.context.annotation.Primary;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
    import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

    @Configuration
    @EnableResourceServer
    public class OAuth2ResourceServerConfig extends ResourceServerConfigurerAdapter {
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http.sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .and()
                    .authorizeRequests()
                    // uncomment to require the 'read' scope on the matched paths
                    // .antMatchers("/swagger*", "/v2/**")
                    // .access("#oauth2.hasScope('read')")
                    .anyRequest()
                    .permitAll();
        }
    
        // token services backed by the JWT token store below
        @Bean
        @Primary
        public DefaultTokenServices tokenServices() {
            DefaultTokenServices defaultTokenServices = new DefaultTokenServices();
            defaultTokenServices.setTokenStore(tokenStore());
            return defaultTokenServices;
        }
    
        // JWTs are self-contained, so the store only needs the converter to decode/verify them
        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(accessTokenConverter());
        }
    
        @Bean
        public JwtAccessTokenConverter accessTokenConverter() {
            JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
            // symmetric (HMAC) signing key shared with the authorization server
            converter.setSigningKey("123");
    
            // alternative: verify with the authorization server's public key instead
    //        Resource resource = new ClassPathResource("publicKey.txt");
    //        String publicKey = null;
    //
    //        try {
    //            publicKey = IOUtils.toString(resource.getInputStream(), Charset.defaultCharset());
    //        } catch (final IOException e) {
    //            throw new RuntimeException(e);
    //        }
    //        converter.setVerifierKey(publicKey);
            return converter;
        }
    }
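Added example (not the answer's code): a single Zuul gateway configuration that performs the scope check the question asks for before the request is forwarded, verifying JWTs with the authorization server's public key. The `/api/**` prefix, the `read`/`write` scope names and the `publicKey.txt` file name are assumptions, as is a Zuul route in application.yml mapping `/api/**` to the internal service.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import org.springframework.cloud.netflix.zuul.EnableZuulProxy;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.util.StreamUtils;

@Configuration
@EnableZuulProxy        // proxies /api/** to the internal service (route is assumed to be in application.yml)
@EnableResourceServer   // validates the bearer token on every request before Zuul forwards it
public class GatewayResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no session: the token is checked per request
                .and()
                .authorizeRequests()
                // scope checks on the proxied prefix (prefix and scope names are assumptions)
                .antMatchers(HttpMethod.GET, "/api/**").access("#oauth2.hasScope('read')")
                .antMatchers("/api/**").access("#oauth2.hasScope('write')")
                .anyRequest().authenticated();  // everything else still needs a valid token
    }

    @Bean
    public TokenStore tokenStore() throws IOException {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() throws IOException {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // verify signatures with the authorization server's RSA public key (PEM file name is an assumption)
        try (InputStream in = new ClassPathResource("publicKey.txt").getInputStream()) {
            converter.setVerifierKey(StreamUtils.copyToString(in, StandardCharsets.UTF_8));
        }
        return converter;
    }
}
```

With this in place a request whose token lacks the required scope is rejected at the gateway with 403 and never reaches the internal API, which is what lets that service stay free of security code.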