@@ -20,74 +20,6 @@ NOTE: All of the OAuth2 SSO and resource server features moved to Spring Boot
2020in version 1.3. You can find documentation in the
2121https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/[Spring Boot user guide].
2222
23- === Token Relay
24-
25- A Token Relay is where an OAuth2 consumer acts as a Client and
26- forwards the incoming token to outgoing resource requests. The
27- consumer can be a pure Client (like an SSO application) or a Resource
28- Server.
29-
30- ==== Client Token Relay in Spring Cloud Gateway
31-
32- If your app also has a
33- https://cloud.spring.io/spring-cloud-static/current/single/spring-cloud.html#_spring_cloud_gateway[Spring
34- Cloud Gateway] embedded reverse proxy then you
35- can ask it to forward OAuth2 access tokens downstream to the services
36- it is proxying. Thus the SSO app above can be enhanced simply like
37- this:
38-
39- .App.java
40- [source,java]
41- ----
42- @Autowired
43- private TokenRelayGatewayFilterFactory filterFactory;
44-
45- @Bean
46- public RouteLocator customRouteLocator(RouteLocatorBuilder builder) {
47- return builder.routes()
48- .route("resource", r -> r.path("/resource")
49- .filters(f -> f.filter(filterFactory.apply()))
50- .uri("http://localhost:9000"))
51- .build();
52- }
53- ----
54-
55- or this
56-
57- .application.yaml
58- [source,yaml]
59- ----
60- spring:
61- cloud:
62- gateway:
63- routes:
64- - id: resource
65- uri: http://localhost:9000
66- predicates:
67- - Path=/resource
68- filters:
69- - TokenRelay=
70- ----
71-
72- and it will (in addition to logging the user in and grabbing a token)
73- pass the authentication token downstream to the services (in this case
74- `/resource`).
75-
76- To enable this for Spring Cloud Gateway add the following dependencies
77-
78- - `org.springframework.boot:spring-boot-starter-oauth2-client`
79- - `org.springframework.cloud:spring-cloud-starter-security`
80-
81- How does it work? The
82- {githubmaster}/src/main/java/org/springframework/cloud/security/oauth2/gateway/TokenRelayGatewayFilterFactory.java[filter]
83- extracts an access token from the currently authenticated user,
84- and puts it in a request header for the downstream requests.
85-
86- For a full working sample see https://github.com/spring-cloud-samples/sample-gateway-oauth2login[this project].
87-
88- NOTE: The default implementation of `ReactiveOAuth2AuthorizedClientService` used by `TokenRelayGatewayFilterFactory`
89- uses an in-memory data store. You will need to provide your own implementation `ReactiveOAuth2AuthorizedClientService`
90- if you need a more robust solution.
9123
9224==== Client Token Relay
9325
@@ -210,29 +142,3 @@ client that sent you the token), then you only need to create your own
210142Feign clients will also pick up an interceptor that uses the
211143`OAuth2ClientContext` if it is available, so they should also do a
212144token relay anywhere where a `RestTemplate` would.
213-
214- == Configuring Authentication Downstream of a Zuul Proxy
215-
216- You can control the authorization behaviour downstream of an
217- `@EnableZuulProxy` through the `proxy.auth.*` settings. Example:
218-
219- .application.yml
220- [source,yaml]
221- ----
222- proxy:
223- auth:
224- routes:
225- customers: oauth2
226- stores: passthru
227- recommendations: none
228- ----
229-
230- In this example the "customers" service gets an OAuth2 token relay,
231- the "stores" service gets a passthrough (the authorization header is
232- just passed downstream), and the "recommendations" service has its
233- authorization header removed. The default behaviour is to do a token
234- relay if there is a token available, and passthru otherwise.
235-
236- See
237- {githubmaster}/src/main/java/org/springframework/cloud/security/oauth2/proxy/ProxyAuthenticationProperties[
238- ProxyAuthenticationProperties] for full details.
0 commit comments