Spring boot OIDC Refresh token scenario
We are currently working on application having micro-service architecture with following components as shown in below image and everything is working fine.However need some clarification on following points.
- To secure communication between Gateway and Deep microservice we are passing IDToken and validating it at each microservice level however once IDtoken expires service returns 401 status code and then on Ui we trigger authorization flow which eventually results in full page refresh and if user in middle of submitting very large form then all the data will be lost moroever as per OIDC specificition we can't refresh ID token so not sure how to handle this scenario.
To overcome first problem we could pass access_token to microservice rather than idtoken however we need to call
/userinfoend point each time for getting user information from provider and considering high concurrency is it a good practice to proceed with ?Or we are missing something here and there are better alternatives to fix this problem ?
Any help would be much appreciated
Spring boot OIDC Properties in application.yml file
security:
oauth2:
client:
registration:
pingIdentity:
scope:
- openid
- profile
- email
- phone
- job_title
- scoped_entitlement
- authorization_group
- entitlement_group
- organizational_data
- basic_start_authorization
client-id: <Client ID>
client-secret: <Client Secret>
provider: pingIdentity
provider:
pingIdentity:
issuer-uri: <Issuer URI>
I think there is a problem of concept using open id connect.
Open id connect is not an authentication/authorization protocol as oauth2, it is a layer on top of oauth2 to provide user information to a client.
So the intended audience for the information contained in an idtoken is the application which is trying to consume a resource (frontend) and not the resource server (microservice). As you can see here
https://openid.net/specs/openid-connect-core-1_0.html
The token that must be send to the microservice is the access token that is issued along with the idtoken, because this is the token that must be used to authorize the action.
Other problem is that you may need user information to perform some action in the service but this is not part of the same flow.
The authentication/authorization flow only assures that one user is valid and has privileges to do certain action on certain resource server(microservice)
If then, when the auth proceess has ended, you need to obtain user information, I suggest you three possible solutions:
you can use a jwt token (self encoded access token) as access token instead of an opaque one, so you can obtain the user id in sub claim, and with that, query the user service to obtain the other information.
Like the point one, you can use jwt acces token and in addition add custom claims to store additional user information
if you are doing the acces token validation in zuul gateway, you can get user information in the gateway and pass a custom jwt to the microservices with the info you need. This token does not need to be an access token because the authentication/authorization operation has been done by the gateway.
This way you can refresh your access tokens without problem
- 'wsimport' is not recognized error in command prompt
- Best way to compare two JSON files in Java
- Java get month sort name from date
- Obtain and download Javadoc (JDK API documentation) to a local file for offline reading
- How to get the number of days in a specific month using Java Calendar?
- Custom Spring annotation for request parameters
- License for package Android SDK Platform 29 not accepted
- Java Compile Time Error: reached end of file while parsing
- ShellIpcClient and NonCelloThread errors java
- How to verify a signature from the Phantom wallet?
- FirebaseAuth - Get tokenId in Java backend
- How to hide constructor on a Java record that offers a public static factory method?
- Is it possible to get MariaDB4J to work on an M1 Mac?
- Cannot run simple compiled java program?
- Getting IntelliJ to generate Java Sources from Proto files
- Insert a java string constant in a quarkus qute template?
- Why is the run button not working in Eclipse?
- Stuck on Card/Deck exercise from Java official tutorial
- Spring Batch - Deleting metadata post job completion throws error - Incorrect result size: expected 1, actual 0
- Simple export and import of a SQLite database on Android
- How to serialize a date to a specific format?
- How to make the Youtube's rotating spinner loading screen on Java Swing
- How to sort List<Integer[]> in java?
- How to prevent spring boot from auto creating instance of bean 'entityManagerFactory' at startup?
- Sharing instance of a class between multiple tests running in parallel in Junit5
- Launch4J not recognizing Eclipse Temurin OpenJDK Java 17
- Turn my stack into a string?
- How can I document or exclude the generated BuildConfig class in my documentation?
- Is it a bad practice to catch Throwable?
- Java: Right Click Copy Cut Paste On TextField