These are chat archives for spring-cloud/spring-cloud

27th Apr 2017
William Witt
@unamanic
Apr 27 2017 14:01
I'm working on a project that uses an AuthServer TokenEnhancer to add a list of users assigned "clinics". It does so by calling a microservice, that is secured with oauth2. This worked with boot 1.4.2 and Camden.SR3, but does not work in boot 1.5.3 and Dalston.RELEASE.
I tried manually extracting the bearer token from token enhancer and then setting the Authorization header with a RestTemplate, but service responded with an invalid token exception.
Unfortunately, I'm not able to post source, but if someone can give me a shove in the right direction, I would appreciate it.
Dave Syer
@dsyer
Apr 27 2017 15:12
Sorry. Not enough information there really. What is it that "doesn't work"?
William Witt
@unamanic
Apr 27 2017 15:20
@dsyer thanks for the reply. The auth server authenticates, but when it attempts to enhance the token with information from another microservice, the REST call fails with a "full authentication required" error. Manually pulling the bearer token out and putting it in the header using a request interceptor causes the REST call to fail with an invalid token error.
Dave Syer
@dsyer
Apr 27 2017 15:21
And the token is valid?
Still not with you
William Witt
@unamanic
Apr 27 2017 15:24
It's acting like the token isn't valid until the token enhancer finishes.
So it can't be used to authenticate with other microservices (to fetch information to enhance the token); in this case I need to fetch a list of clinics a user has access to.
Dave Syer
@dsyer
Apr 27 2017 15:26
So the backend is what changed?
The token validation
William Witt
@unamanic
Apr 27 2017 15:28
We're doing Spring upgrades across a set of microservices; the only thing that has changed so far is our version of dependencies.
Dave Syer
@dsyer
Apr 27 2017 15:29
Right, but the backend used to return a 200 and now it's a 401 (or 400)?
William Witt
@unamanic
Apr 27 2017 15:30
Yes, but only when called by the auth server for the purpose of token enhancement; calling its other REST endpoints from Zuul works fine.
Dave Syer
@dsyer
Apr 27 2017 15:31
So it's getting a token in that case that actually is invalid it seems
William Witt
@unamanic
Apr 27 2017 15:32
After the unenhanced token is returned. We're using Feign, so it'll fall back to an empty list of clinics.
Dave Syer
@dsyer
Apr 27 2017 15:34
How is it validating the token?
William Witt
@unamanic
Apr 27 2017 15:34
I can't post the code publicly, but I could do a zoom or skype session if you have some time.
Dave Syer
@dsyer
Apr 27 2017 15:35
I don't think either of those work in Linux.
William Witt
@unamanic
Apr 27 2017 15:46
The auth server is local to the project. The user authenticates on a login screen hosted on the auth server; during that process it attempts to enhance the token, calling a user microservice. That microservice has its tokenUri and checkTokenUri set back to the auth server (that called it in the first place). In previous versions, it appears the auth server automagically included the bearer token in that call. In the newer version it's not getting included unless I grab it during the TokenEnhancer execution and manually add it to the headers.
Dave Syer
@dsyer
Apr 27 2017 15:53
How is the backend validating the token?
Calling back the auth server?
When the auth server hasn't finished creating the token?
Sounds like it could easily fail.
William Witt
@unamanic
Apr 27 2017 15:54
The weird thing is that it worked previously.
Dave Syer
@dsyer
Apr 27 2017 15:54
It does seem odd that it ever worked. But I'm not really 100% sure I follow yet.
William Witt
@unamanic
Apr 27 2017 15:56
Is there a "right" way to enhance a token using a microservice? I'm learning OAuth as I go on this project.
Dave Syer
@dsyer
Apr 27 2017 15:59
I never really thought about it.
Not relying on the token that you are enhancing seems like a reasonable rule of thumb.
But it all depends on how the tokens are validated.
If the backend doesn't have to ask the auth server for validation, then it should work with any valid token.
William Witt
@unamanic
Apr 27 2017 16:13
I'll look into that; otherwise I may have to move this functionality into the API gateway.
Thanks for your help.