ModelOp Center, adheres to the Spring Security Architecture for OAuth2 applications.
The next diagram provides a high level overview of the internal layers.
ModelOp Center supports ServerHttpSecurity configurations as:
OAuth2Login:
Mainly used by the Gateway, handling browser authentication.
ResourceServer:
Jwt:
Token local validations performed by JWKs.
Opaque:
Token validations performed by introspection; through token introspection resolvers ( in case more than one token introspection defined ).
Opaque-QueryParam.
Securing Microservice to microservice communication
In secured environments, microservice to microservice communication is token protected. This process is internally managed by feign
clients. Feign clients uses an OAuth2 FeignInterceptor
implementation in charge of requesting/refreshing tokens and adding them as headers as part of each request.
To improve performance, our FeignInterceptor
is adding an additional tenant-id header inside request, allowing downstream resource servers (RS) to identify faster the right introspector/token validator to be used at runtime, saving time and resources, specially when used with Opaque environments with multiple OAuth2 idP defined.
Defining a MicroService as Resource Server (RS):
Identify the type of tokens to be supported
Define profiles accordingly
Add required YAML configurations.
Currently, three types of resource servers are supported:
JWT
Opaque Token
Opaque Query Param (This is a non-traditional type of Opaque Token required for one of our clients, and it is not used locally).
All of these resource servers share the following common configurations:
oauth2: feign: client-id: ${modelop.mm.client-id} client-secret: ${modelop.mm.client-secret} access-token-uri: ${modelop.provider.token-uri} scopes: ${modelop.mm.scope} group-base-access: oauth2-group-claim-name: memberOf admin-default-access-group: admin default-access-groups: ${oauth2.group-base-access.default-access-group}
JWT RS configurations
JWT RS is straight forward, only jwt
profile is required.
spring: profile: secured, jwt # Oauth2 Resource server PF Configuration security: oauth2: resourceserver: jwt: issuer-uri: https://authorization.server oauth2: resource-server: jwt: enduser-claimname: endUserClaimName oauth2client-claimname: oauth2ClientName scope-claimname: scp base-conf: enduser-claimname: endUserClaimName oauth2client-claimname: oauth2ClientName
Opaque token RS configurations
At least one default RS opaque configuration is needed under
spring.security.oauth2.resourceserver.opaque-token
, so that related spring OAuth2 dependencies are properly instantiated.
Default configuration example:
spring: profile: secured, opaque # Oauth2 Resource server PF Configuration security: oauth2: resourceserver: opaque-token: #Default opaque introspector introspection-uri: ${modelop.mm.introspection-uri} client-id: ${modelop.mm.client-id} client-secret: ${modelop.mm.client-secret} client-registration-id: springClientRegistrationId
client-registration-id needs to point to a valid spring client registration id.
Adding additional Opaque RS introspectors:
ModelOp Center is able to handle additional Opaque introspectors for token introspection.
These introspectors can be defined under oauth2.resource-server.opaque
:
oauth2: resource-server: opaque: additional-registrations: feign: #clientRegistrationId client-id: "client-id-one" client-secret: "client-secre-onet" introspection-uri: "https://oauth2.provider.one/as/introspect.oauth2" okta-opaque-rs: #clientRegistrationId client-id: "client-id=two" client-secret: "client-secret=two" introspection-uri: "https://oauth2.provider.two/as/introspect.oauth2"
As a rule, each of the additional introspectors defined, need to be mapped with a Spring Client Registration associated with the same clientRegistrationId.
Opaque Query Param
ModelOp Center is able to support and introspect some non-standard OAuth2 idPs. By default ModelOp Center provides an implementation for a Opaque Query Param introspector, that can be defined as:
oauth2: # Values for Resource Servers. resource-server: # Specifically opaque-queryparam is for a specific client needs that supports 2 OAuth2 providers at the same time... opaque-queryparam: queryparam: otoken introspection-uri: https://authorization.server/rs/validate/AppIdClaim