I'm reading the article on how to secure my Spring Cloud Gateway with the token relay pattern.
https://spring.io/blog/2019/08/16/securing-services-with-spring-cloud-gateway
See https://static.spring.io/blog/bwilcock/20190801/demo.png
After a user requests a resource, the gateway redirects him to the login page of the identity provider to authenticate himself. On success, the identity provider redirects the user back to the originally requested resource (the gateway), including the access-token provided by the identity provider.
So now the gateway is secured. Why does the resource-server have to validate the access-token again against the identity provider? Didn't the gateway just validate it? Or didn't it, and is the gateway just there to relay the access-token to the resource-server so it can validate it?
Basically never trust the JWT.
Finally, the Resource Server needs to know where it can find the public keys to validate the authenticity of the access token which it has been given. The UAA provides an endpoint which both the Resource Server and the Gateway rely upon at runtime to do this check. The endpoint is configured in the application.yml for each application.
The resource server can never be 100% sure that the access-token was created by the Identity-Provider, or even came from the gateway. So at the very least, you should make sure that the access-token was signed by the Identity-Provider by using the public key exposed by a configured endpoint.
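Added example, not taken from the question, the answer or the linked article: a Spring Security resource-server configuration that performs the check described above, fetching the identity provider's public keys from its JWK set endpoint and also requiring the expected issuer and audience. It assumes the Spring Security 6 lambda DSL, that jwk-set-uri and issuer-uri are set in application.yml, and an assumed resource id of demo-resource.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerSecurityConfig {

    // Both values are assumed to come from application.yml; the JWK set URI is the
    // endpoint the quoted article says the UAA exposes for fetching its public keys.
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Every request must carry a bearer JWT; it is decoded and validated by
            // the decoder below, regardless of what the gateway already did with it.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature check: keys are fetched from the identity provider's JWK set
        // endpoint and matched to the token by its "kid" header.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // A valid signature alone is not enough: also require the expected issuer and
        // an unexpired token (createDefaultWithIssuer), and that the token was minted
        // for this resource server ("aud" contains the assumed id "demo-resource").
        OAuth2TokenValidator<Jwt> issuerAndTimestamps = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains("demo-resource"));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audience));
        return decoder;
    }
}
```

A token forwarded by the gateway that fails any of these checks is rejected with 401 before it reaches a controller, so the resource server does not depend on the gateway having verified it.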