These are chat archives for spring-cloud/spring-cloud

31st May 2016
litzuhsien
@litzuhsien
May 31 2016 02:49
h
Michael Rumpf
@mrumpf
May 31 2016 07:46
Hi. Is there a way to dynamically forward any request on a Zuul proxy to /<spring.application.name> to the service with this name? I do not want to extend the configuration each time a new microservice appears with a mapping under zuul.routes.*
Dave Syer
@dsyer
May 31 2016 08:46
Isn't that the default if you have service discovery?
Dieter Hubau
@Turbots
May 31 2016 08:50
If you use Eureka for service discovery, the Zuul gateway will indeed retrieve all registered applications and automatically route exactly as you describe @mrumpf. I'm not sure about other service discovery solutions, haven't used them
Dave Syer
@dsyer
May 31 2016 08:59
They are all the same
Michael Rumpf
@mrumpf
May 31 2016 09:31
I'm currently looking at the code and DiscoveryClientRouteLocator.locateRoutes() and also got the impression that this is already implemented...
Michael Rumpf
@mrumpf
May 31 2016 10:32
OK, I have it working. The documentation of Zuul covers the static configuration only. In the sidecar chapter there is some hint that all discovered services are available via the ZuulProxy. I got the final hint from the Actuator endpoint: http://localhost:8641/management/routes where you can see all dynamically registered routes. This endpoint is not mentioned in the Zuul documentation which makes it a bit hard to find at the moment.
David Steiman
@xetys
May 31 2016 11:01
hey guys....I am currently looking for a way to make feign not only loadbalancing the service url, like @FeignClient('serviceName'), but also the url of the oauth2 authorization server. I am passing this data using OAuth2ProtectedResourceDetails and there the "accessTokenUri"
i already tried to
security:
    oauth2:
        resource:
            loadBalanced: true
Pedro Vilaça
@pmvilaca
May 31 2016 11:07
@xetys how do you want to have load balancing when you’re just defining a url?
feign client load balancing will happen just when you’re using a list of servers and not a url
(I think)
David Steiman
@xetys
May 31 2016 11:08
i only found the way of defining a OAuth2ProtectedResourceDetails bean for this
initially I have got a spring cloud application with @EnableServiceDiscovery and ribbon enabled in application.yml
adding @EnableFeignClients allows me to use feign only for unsecured services
Pedro Vilaça
@pmvilaca
May 31 2016 11:10
and you’ve more than one machine running the authorization service, without a loadbalancer in front of those machines and you want to have some load balancing on the requests, that’s it?
David Steiman
@xetys
May 31 2016 11:10
so i added a new oauth2 to my "uaa" Service, and want feign to use client credentials grant for interservice communication
Pedro Vilaça
@pmvilaca
May 31 2016 11:11
ah.. ok
so, you want to use Oauth2RestTemplate for the communication, right?
David Steiman
@xetys
May 31 2016 11:11
my eureka is showing "uaa" (OAuth2 auth server), "app1" and "app2", (and a zuul, but this isn't relevant)
i want to set up the configuration in a way that i just have to declare the feign interfaces, which automatically work with a defined oauth2 client
which works, when i provide the uri hard coded
this uri should be load balanced
Pedro Vilaça
@pmvilaca
May 31 2016 11:14
@xetys - add this configuration bean
@Configuration
public class OAuth2RequestInterceptorConfig {

    @Autowired
    private OAuth2ClientContext oAuth2ClientContext;

    @Autowired
    private OAuth2ProtectedResourceDetails oAuth2ProtectedResourceDetails;

    @Bean
    public RequestInterceptor oAuth2FeignRequestInterceptor() {
        return new OAuth2FeignRequestInterceptor(oAuth2ClientContext, oAuth2ProtectedResourceDetails);
    }
}
David Steiman
@xetys
May 31 2016 11:15
and pass the client credentials in security.oauth2.resource?
Pedro Vilaça
@pmvilaca
May 31 2016 11:17
pass the config like it’s described in the docs
spring:
  oauth2:
    client:
      clientId: bd1c0a783ccdd1c9b9e4
      clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
      accessTokenUri: https://github.com/login/oauth/access_token
      userAuthorizationUri: https://github.com/login/oauth/authorize
      clientAuthenticationScheme: form
    resource:
      userInfoUri: https://api.github.com/user
      preferTokenInfo: false
David Steiman
@xetys
May 31 2016 11:18
just a moment, i will try
Pedro Vilaça
@pmvilaca
May 31 2016 11:18
@xetys - regarding the load balancing.. take a look at this class OAuth2LoadBalancerClientAutoConfiguration
David Steiman
@xetys
May 31 2016 11:19
i already did, but didn't find a way to use it the right way
Error creating bean with name 'scopedTarget.oauth2ClientContext': Scope 'request' is not active for the current thread;
i definitely did something wrong in the configuration
security:
    oauth2:
        client:
            clientId: internal
            clientSecret: internal
            access-token-uri: http://uaa/oauth/token
        resource:
            loadBalanced: true
            token-info-uri: http://uaa/oauth/token
David Steiman
@xetys
May 31 2016 11:24
uaa is the name my oauth2 service appears in eureka
Dave Syer
@dsyer
May 31 2016 11:24
That error is unrelated I think
David Steiman
@xetys
May 31 2016 11:25
ok...this is what i got when i try to access the client
Dave Syer
@dsyer
May 31 2016 11:25
There is no load balancer support for the OAuth client access to the auth server
David Steiman
@xetys
May 31 2016 11:25
ok, what would be the best way to do it
if I run it locally, i can just pass zuuls url like "localhost:8080/uaa/oauth/token" to config
which is not working in clouds....and regarding this, it is not the elegant way to ask zuul, which asks eureka by itself....
when any service could load balance the UAA uri by its own....
David Steiman
@xetys
May 31 2016 11:38
any suggestions?
Dave Syer
@dsyer
May 31 2016 11:52
I guess you could create your own token provider.
David Steiman
@xetys
May 31 2016 11:54
is there a way to define a bean for the custom token provider, which will hook into the OAuth2LoadBalancerClientAutoConfiguration (or the underlying systems)?
Dave Syer
@dsyer
May 31 2016 11:54
IIRC there's a github issue somewhere (spring-cloud-security maybe).
David Steiman
@xetys
May 31 2016 12:00
they did it by using a RestTemplateCustomizer like this
@Override
public void customize(OAuth2RestTemplate template) {
    template.setRequestFactory(ribbonClientHttpRequestFactory);
}
but no idea how he injected it properly
David Steiman
@xetys
May 31 2016 12:19
@Configuration
public class UserInfoLoadBalancerConfiguration {
    Logger log = LoggerFactory.getLogger(UserInfoLoadBalancerConfiguration.class);

    @Bean(name = "uselessBean")
    public Object uselessBean() {
        log.info("INSTALLED USELESS BEAN");
        return new Object();
    }

    @Bean
    public UserInfoRestTemplateCustomizer loadBalancedUserInfoRestTemplateCustomizer() {
        log.info("INSTALLED RIBBON HTTP REQUEST FACTORY");

        return new UserInfoRestTemplateCustomizer() {
            @Autowired
            public RibbonClientHttpRequestFactory ribbonClientHttpRequestFactory;

            @Override
            public void customize(OAuth2RestTemplate restTemplate) {
                restTemplate.setRequestFactory(ribbonClientHttpRequestFactory);
            }
        };
    }
}
the customizer is not injected at any time....anyone knows why?
Dave Syer
@dsyer
May 31 2016 12:41
that's for the user info though
Not the access token provider
Dave Syer
@dsyer
May 31 2016 14:02
I guess maybe you could inject an AccessTokenProvider there.
but I'm not sure what you meant by "is not injected"
David Steiman
@xetys
May 31 2016 15:07
the problem is that OAuth2FeignRequestInterceptor is not injecting the providers, but configuring them manually by creating the instances by itself
i found some workaround for now, which may be dirty, but it's working:
@Component
public class LoadBalancedResourceDetails extends ClientCredentialsResourceDetails {

    @Autowired
    public LoadBalancedResourceDetails(JHipsterProperties jHipsterProperties) {
        this.jHipsterProperties = jHipsterProperties;

        setAccessTokenUri(jHipsterProperties.getSecurity().getClientAuthorization().getTokenUrl());
        setClientId(jHipsterProperties.getSecurity().getClientAuthorization().getClientId());
        setClientSecret(jHipsterProperties.getSecurity().getClientAuthorization().getClientSecret());
        setGrantType("client_credentials");

    }

    private LoadBalancerClient loadBalancerClient;

    private JHipsterProperties jHipsterProperties;


    @Autowired(required = false)
    public void setLoadBalancerClient(LoadBalancerClient loadBalancerClient) {
        this.loadBalancerClient = loadBalancerClient;
    }

    @Override
    public String getAccessTokenUri() {
        String serviceName = jHipsterProperties.getSecurity().getClientAuthorization().getTokenServiceId();
        if (loadBalancerClient != null && !serviceName.isEmpty()) {
            String newUrl;
            try {
                newUrl = loadBalancerClient.reconstructURI(
                    loadBalancerClient.choose(serviceName),
                    new URI(super.getAccessTokenUri())
                ).toString();

                return newUrl;
            } catch (URISyntaxException e) {
                e.printStackTrace();

                return super.getAccessTokenUri();
            }
        } else {
            return super.getAccessTokenUri();
        }
    }
}
and injecting this as OAuth2ProtectedResourceDetails into feigns interceptor
it's maybe not the best and elegant way, but....i don't see other ways right now :D
Dave Syer
@dsyer
May 31 2016 15:34
How did we get from access token providers to feign clients? I guess I missed something right at the beginning. If you only need client credentials grant, then what you have looks fine to me.
David Steiman
@xetys
May 31 2016 15:35
    private AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(Arrays
            .<AccessTokenProvider> asList(new AuthorizationCodeAccessTokenProvider(),
                    new ImplicitAccessTokenProvider(),
                    new ResourceOwnerPasswordAccessTokenProvider(),
                    new ClientCredentialsAccessTokenProvider()));
i don't see a way to inject the provider
but i am a spring newbie as well
:)
Dave Syer
@dsyer
May 31 2016 17:06
You don't need it, if what you have works.
David Steiman
@xetys
May 31 2016 17:58
what i have works, but it doesn't look like it should...you know?
it could be implemented similarly for implicit/authorize grant, but it would be cooler if this is just a config option, like security.oauth2.resource.loadBalanced=true and security.oauth2.resource.serviceId=MyAuthorizationServer, which is useful for everyone building an internal uaa
Dave Syer
@dsyer
May 31 2016 18:03
Fine. Stick a comment on that github issue.
David Steiman
@xetys
May 31 2016 18:04
i could also try to PR this, if this is fine
Dave Syer
@dsyer
May 31 2016 18:05
You could.
If you feel confident, go ahead.