TokenRelay
A Token Relay is where an OAuth2 consumer acts as a Client and forwards the incoming token to outgoing resource requests. The consumer can be a pure Client (like an SSO application) or a Resource Server.
Spring Cloud Gateway can forward OAuth2 access tokens downstream to the services it is proxying. To add this functionality to the gateway, you need to add the TokenRelayGatewayFilterFactory like this:
or this
and it will (in addition to logging the user in and grabbing a token) pass the authentication token downstream to the services (in this case /resource).
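A Java route configuration that applies the token relay filter to /resource, given as an added example rather than code from the original page or the Spring Cloud Gateway project. The route id, the downstream URI http://localhost:9000, the class and bean names, and the choice to strip the Cookie header are assumptions.

```java
import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

// Added example. Requires spring-boot-starter-oauth2-client on the classpath
// and spring.security.oauth2.client.* properties for at least one registration;
// without them no TokenRelayGatewayFilterFactory bean is created.
@Configuration
@EnableWebFluxSecurity
public class TokenRelayGatewayConfig {

    // Every exchange must be authenticated; unauthenticated users are sent
    // through the OAuth2 login flow, which is where the access token comes from.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
                .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
                .oauth2Login(Customizer.withDefaults())
                .build();
    }

    @Bean
    public RouteLocator tokenRelayRoutes(RouteLocatorBuilder builder) {
        return builder.routes()
                // "resource" and the URI below are assumed values.
                .route("resource", r -> r.path("/resource")
                        .filters(f -> f
                                // Copies the authenticated user's access token into
                                // the Authorization: Bearer header of the proxied request.
                                .tokenRelay()
                                // Assumption: the downstream service only needs the
                                // bearer token, so the gateway session cookie is dropped.
                                .removeRequestHeader("Cookie"))
                        .uri("http://localhost:9000"))
                .build();
    }
}
```

Attach the filter only to routes whose downstream service is meant to receive the user's access token, since every service behind such a route sees a usable bearer credential.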
To enable this for Spring Cloud Gateway, add the following dependencies:
org.springframework.boot:spring-boot-starter-oauth2-client
How does it work? The filter (src/main/java/org/springframework/cloud/gateway/security/TokenRelayGatewayFilterFactory.java) extracts an access token from the currently authenticated user, and puts it in a request header for the downstream requests.
A TokenRelayGatewayFilterFactory bean will only be created if the proper spring.security.oauth2.client.* properties are set, which will trigger creation of a ReactiveClientRegistrationRepository bean.
The default implementation of ReactiveOAuth2AuthorizedClientService used by TokenRelayGatewayFilterFactory uses an in-memory data store. You will need to provide your own implementation of ReactiveOAuth2AuthorizedClientService if you need a more robust solution.