Feign and Spring Security 5 – Client Credentials

by

For this to work with Spring Security 5 and Feign you need to have

  • a working Spring Security config
  • a Feign interceptor
  • a Feign configuration using that interceptor
  1. Working Spring Security Config

Here we will register a generic internal-api client for your oauth2 client credentials. This is where you specify the client-id,client-secret, scopes and grant type.
All basic Spring Security 5 stuff. This also involves setting up a provider (here I am using a custom OpenID Connect provider called “yourprovider”

spring:
  security:
    oauth2:
      client:
        registration:
          internal-api:
            provider: yourprovider
            client-id: x
            client-secret: y
            scope:
              - ROLE_ADMIN
            authorization-grant-type: client_credentials
        provider:
          yourprovider:
            issuer-uri: yourprovider.issuer-uri
      resourceserver:
        jwt:
          issuer-uri: yourprovider.issuer-uri

Next you need your feign config. This will use a OAuth2FeignRequestInterceptor

public class ServiceToServiceFeignConfiguration extends AbstractFeignConfiguration {

    @Bean
    public OAuth2FeignRequestInterceptor requestInterceptor() {
        return new OAuth2FeignRequestInterceptor(
                OAuth2AuthorizeRequest.withClientRegistrationId("internal-api")
                        .principal(new AnonymousAuthenticationToken("feignClient", "feignClient", createAuthorityList("ROLE_ANONYMOUS")))
                        .build());
    }
}

And a RequestInterceptor that looks like this :

The OAuth2AuthorizedClientManager is a bean that you can configure in your Configuration

public OAuth2AuthorizedClientManager authorizedClientManager(final ClientRegistrationRepository clientRegistrationRepository, final OAuth2AuthorizedClientService authorizedClientService) {
    return new AuthorizedClientServiceOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientService);
}

The OAuth2AuthorizeRequest is provided by the Feign Configuration above.
The oAuth2AuthorizedClientManager can authorize the oAuth2AuthorizeRequest, get you the access token, and provide it as an Authorization header to the underlying service

public class OAuth2FeignRequestInterceptor implements RequestInterceptor {

    @Inject
    private OAuth2AuthorizedClientManager oAuth2AuthorizedClientManager;

    private OAuth2AuthorizeRequest oAuth2AuthorizeRequest;

    OAuth2FeignRequestInterceptor(OAuth2AuthorizeRequest oAuth2AuthorizeRequest) {
        this.oAuth2AuthorizeRequest = oAuth2AuthorizeRequest;
    }

    @Override
    public void apply(RequestTemplate template) {
        template.header(AUTHORIZATION,getAuthorizationToken());
    }

    private String getAuthorizationToken() {
        final OAuth2AccessToken accessToken = oAuth2AuthorizedClientManager.authorize(oAuth2AuthorizeRequest).getAccessToken();
        return String.format("%s %s", accessToken.getTokenType().getValue(), accessToken.getTokenValue());
    }

}

More Related Contents:

  1. Spring boot Security Disable security
  2. How to dynamically decide access attribute value in Spring Security?
  3. How to use OAuth2RestTemplate?
  4. What’s the difference between @Secured and @PreAuthorize in spring security 3?
  5. Java Spring Security config – multiple authentication providers
  6. Standalone Spring OAuth2 JWT Authorization Server + CORS
  7. Spring Security: how to exclude certain resources?
  8. Multiple roles using @PreAuthorize
  9. Spring security 3.1.4 and ShaPasswordEncoder deprecation
  10. Multiple Authentication Providers in Spring Security
  11. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  12. How to configure CORS in a Spring Boot + Spring Security application?
  13. Filter invoke twice when register as Spring bean
  14. Configure the authorization server endpoint
  15. How to disable spring security for particular url
  16. Facebook login message: “URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings.”
  17. How Spring Security Filter Chain works
  18. How to securely store access token and secret in Android?
  19. Google OAuth API to get user’s email address?
  20. 401 instead of 403 with Spring Boot 2
  21. How to redirect to the homepage if the user accesses the login page after being logged in?
  22. OAuth 2.0: Benefits and use cases — why?
  23. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  24. What exactly is OAuth (Open Authorization)?
  25. Login using Google OAuth 2.0 with C#
  26. How to secure RESTful web services?
  27. How to properly use Bearer tokens?
  28. How to call API (Oauth 1.0)?
  29. How to allow a User only access their own data in Spring Boot / Spring Security?
  30. OAuth Authorization vs Authentication

Leave a Comment