This is day 18 of my participation in the Gwen Challenge.

Original: Telami's Blog. Sharing is welcome; please keep the source when reposting.

Haha, the title is probably typical clickbait.

First, some context: I happen to be in charge of one sub-project of our microservices system.

The authentication center (UAA)

The authentication center is built on Spring Security OAuth2. I chose this framework with future extension in mind: first, to make it easy to integrate third-party logins; second, to make it easy for others to integrate with us. Later on, small and medium-sized businesses could offer WeChat login, Alipay login, PIP login, and so on...

But do the good deed and don't ask about the future: I just paved the road, and whoever comes after will have a smooth ride.

The Spring Boot version is 2.0.4.RELEASE and the Spring Cloud version is Finchley.SR1, which is about as current as it gets.

OAuth2 exists to solve a trust problem: letting a third-party client access the resource owner's private resources without the owner handing over their credentials. On first contact with the spec it is easy to stay in the wrong role, always seeing yourself as the user. Once you implement the UAA yourself, you are WeChat, you are Google; the role switch makes the whole picture click.

But what does this have to do with the gateway?

All services sit behind the gateway and are not exposed on the public network, and the UAA is no exception.

In the initial design, the UAA is both the authorization server and a resource server. If another microservice also needs to act as a resource server, that subproject needs some extra code.

Whatever the reason, doing authentication at the gateway is a legitimate design, but there are still problems combining the gateway with spring-security-oauth2. Spring team members replied that WebFlux in Spring 5 seems to support it, but the following bug was also reported.

I couldn't fix the framework, and I wasn't responsible for the gateway project, so the next best thing was to let the gateway do routing only and nothing else.

But!!!!!

The important thing is this: in local testing the whole authentication flow worked without a problem, but in the test environment it got stuck at the very first step. You can't get an accessToken; it keeps returning 401.

After several rounds of checking I was almost certain the gateway was intercepting some information, causing the 401.

Through the gateway:

curl --request POST \
  --url 'https://localhost:9016/uaa/oauth/token?username=123456789&password=123456&grant_type=password&scope=USER_INFO&client_id=XnRFHdwI7KmOQ5nZ' \
  --header 'Authorization: Basic WG5SRkhkd0k3S21PUTVuOkM2TzlLbTJORFg4VnRuWnl1ZEFnRjhFNkdTaU8zZWtG'

{
    "timestamp": 1541216762332,
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/oauth/token"
}

Not through the gateway (directly against the UAA):

curl --request POST \
  --url 'https://localhost:9000/oauth/token?username=123456789&password=123456&grant_type=password&scope=USER_INFO&client_id=XnRFHdwI7KmOQ5nZ' \
  --header 'Authorization: Basic WG5SRkhkd0k3S21PUTVuOkM2TzlLbTJORFg4VnRuWnl1ZEFnRjhFNkdTaU8zZWtG'

{
    "access_token": "cdb2f737-34fa-44ab-aa0d-0e7bbbf91d4c",
    "token_type": "bearer",
    "refresh_token": "6b059fa5-d93a-4991-8c1e-46d5b716bc6e",
    "expires_in": 299,
    "scope": "USER_INFO"
}

Apart from the port number and the /uaa route prefix, every parameter is identical, and yet: 401!!

What's going on?

The answer:

The gateway (Zuul) strips "sensitive" headers by default before forwarding a request. This has nothing to do with spring-cloud-oauth2; the gateway does it on its own.

In this case the header that got dropped was:

header 'Authorization: Basic WG5SRkhkd0k3S21PUTVuOkM2TzlLbTJORFg4VnRuWnl1ZEFnRjhFNkdTaU8zZWtG'

Without the Basic credentials the token endpoint cannot authenticate the client, so of course it answers 401.

So, finally, configure the gateway not to strip the sensitive headers on that route:

zuul:
  ignored-services: "*"
  routes:
    shop-user:
      path: /sys/user/**
      sensitive-headers:
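To make the failure mode concrete, here is an added example (my own code, not spring-cloud-netflix's and not from the original post) that models the two pieces that interact: Zuul's sensitive-header filtering, whose default list is Cookie, Set-Cookie and Authorization and whose route-level setting overrides the default even when it is empty, and the token endpoint's client authentication, which returns 401 when no valid Basic credentials arrive. The client registry and the request headers are constructed for the demonstration; the registry is simply the id/secret pair encoded in the page's own Basic header, decoded at runtime. The `/uaa/**` route path is an assumption based on the gateway URL in the curl command. Beyond the page's fix (an empty list, which forwards everything, cookies included), it also shows the narrower setting of marking only Cookie and Set-Cookie as sensitive so that Authorization alone passes through.

```python
"""Simulation of Zuul's sensitive-header filtering and of the UAA token
endpoint's client authentication. Added example, not spring-cloud-netflix
or Spring Security OAuth2 code; the request and client registry are
constructed for the demonstration."""
import base64
from typing import Dict, Iterable, Optional, Tuple

# Zuul's built-in default: when neither the global zuul.sensitive-headers
# nor the route's sensitive-headers is set, these are never forwarded.
ZUUL_DEFAULT_SENSITIVE = ("Cookie", "Set-Cookie", "Authorization")

# The Basic header from the page's curl command.
PAGE_AUTH_HEADER = "Basic WG5SRkhkd0k3S21PUTVuOkM2TzlLbTJORFg4VnRuWnl1ZEFnRjhFNkdTaU8zZWtG"


def effective_sensitive_headers(route: Dict,
                                global_sensitive: Optional[Iterable[str]] = None) -> Tuple[str, ...]:
    """Zuul precedence: a route-level 'sensitive-headers' key wins even when
    it is empty (the page's fix), then global zuul.sensitive-headers, then
    the built-in default."""
    if "sensitive-headers" in route:
        return tuple(route["sensitive-headers"] or ())
    if global_sensitive is not None:
        return tuple(global_sensitive)
    return ZUUL_DEFAULT_SENSITIVE


def forward_headers(request_headers: Dict[str, str], sensitive: Iterable[str]) -> Dict[str, str]:
    """Headers the gateway passes to the backend. Matching is case-insensitive."""
    blocked = {h.lower() for h in sensitive}
    return {k: v for k, v in request_headers.items() if k.lower() not in blocked}


def decode_basic(auth_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Parse 'Basic base64(client_id:secret)'; None for anything malformed."""
    if not auth_value:
        return None
    scheme, _, token = auth_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = raw.partition(":")
    return (client_id, secret) if sep else None


# Constructed registry holding the one client the page's header encodes.
# A real UAA stores a hashed secret, not the plaintext.
_page_client = decode_basic(PAGE_AUTH_HEADER)
REGISTERED_CLIENTS: Dict[str, str] = {_page_client[0]: _page_client[1]} if _page_client else {}


def token_endpoint(headers: Dict[str, str],
                   clients: Optional[Dict[str, str]] = None) -> Tuple[int, Dict[str, str]]:
    """Model of /oauth/token for the password grant: the client must prove
    itself with HTTP Basic before the user's credentials are even looked at.
    Missing or invalid Basic header -> 401."""
    clients = REGISTERED_CLIENTS if clients is None else clients
    creds = decode_basic(headers.get("Authorization"))
    if creds is None or clients.get(creds[0]) != creds[1]:
        return 401, {"status": "401", "error": "Unauthorized", "path": "/oauth/token"}
    return 200, {"token_type": "bearer", "scope": "USER_INFO"}


def request_via_gateway(route: Dict, request_headers: Dict[str, str]) -> int:
    """Full path: the gateway filters headers, then the UAA handles the request."""
    sensitive = effective_sensitive_headers(route)
    status, _ = token_endpoint(forward_headers(request_headers, sensitive))
    return status


# Constructed request: what the page's curl sends, plus a session cookie.
REQUEST_HEADERS = {"Authorization": PAGE_AUTH_HEADER, "Cookie": "JSESSIONID=abc", "Accept": "*/*"}

# Route without a sensitive-headers key (assumed /uaa/** path): Zuul's
# default applies and Authorization is dropped -> 401, as in the post.
ROUTE_DEFAULT = {"path": "/uaa/**"}
# The page's fix: empty list forwards everything, cookies included.
ROUTE_PASS_ALL = {"path": "/uaa/**", "sensitive-headers": []}
# Narrower alternative: keep cookies away from the backend, pass Authorization.
ROUTE_AUTH_ONLY = {"path": "/uaa/**", "sensitive-headers": ["Cookie", "Set-Cookie"]}

if __name__ == "__main__":
    for name, route in (("default", ROUTE_DEFAULT), ("pass-all", ROUTE_PASS_ALL), ("auth-only", ROUTE_AUTH_ONLY)):
        fwd = forward_headers(REQUEST_HEADERS, effective_sensitive_headers(route))
        print(f"{name:9s} forwards {sorted(fwd)} -> HTTP {request_via_gateway(route, REQUEST_HEADERS)}")
```

Running it shows the default route forwarding only Accept and getting 401, while both configured routes get 200; the difference between them is whether the JSESSIONID cookie also reaches the UAA. In YAML the narrower variant is `sensitive-headers: Cookie,Set-Cookie` on the route, which is usually preferable to the empty list when the backend has no business seeing browser cookies.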