Skip to content

How-to: In the same microservice supports jdbc token checking. #1066

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
zxuanhong opened this issue Feb 13, 2023 · 3 comments
Closed

How-to: In the same microservice supports jdbc token checking. #1066

zxuanhong opened this issue Feb 13, 2023 · 3 comments
Assignees
@sjohnr
Labels
status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement

Comments

@zxuanhong
Copy link

zxuanhong commented Feb 13, 2023
edited
Loading

Expected Behavior

  1. In the same microservice. It should be possible to verify the token directly to the same microservice resource server instead of accessing the authorization server through http
  2. Imagine that the service is supposed to be trusted. But once a service interface is accessed, the authorization service is invoked for authentication. This puts a lot of pressure on the authorization server.
  3. I hope I can get some answers. Because a microservice system services trust each other.
@zxuanhong zxuanhong added the type: enhancement A general enhancement label Feb 13, 2023
@zxuanhong zxuanhong changed the title In the same microservice supports JDBC token checking. In the same microservice supports jdbc token checking. Feb 13, 2023
@zxuanhong zxuanhong changed the title In the same microservice supports jdbc token checking. How-to:In the same microservice supports jdbc token checking. Feb 15, 2023
@zxuanhong zxuanhong changed the title How-to:In the same microservice supports jdbc token checking. How-to: In the same microservice supports jdbc token checking. Feb 15, 2023
@sjohnr
Copy link
Contributor

sjohnr commented Feb 16, 2023

Hi @Zxiaozhou! Just to clarify, are you asking (for a how-to guide that demonstrates) how to use opaque tokens (not JWTs) that can be verified via a JDBC connection on a resource server? Something like this?

                                  ┌─────┐
                                  │     │
                     ┌───────────►│ DB  │◄─────────────┐
                     │            │     │              │
                     │            └─────┘              │
                     │                                 │
                     │                                 │
                     │                                 │
┌────────────────────┴────┐                     ┌──────┴──────────────────┐
│                         │                     │                         │
│                         │                     │                         │
│                         │                     │                         │
│ Authz Server            │                     │  Resource Server        │
│                         │                ┌───►│                         │
│                         │                │    │                         │
│                         │                │    │                         │
│                         │                │    │                         │
└──────────┬──────────────┘                │    └─────────────────────────┘
           │                               │
           │                               │
           │                  access_token │
           │                               │
           │ access_token                  │
           │                               │
           │                               │
           │            ┌──────────────────┴──────┐
           │            │                         │
           │            │                         │
           │            │                         │
           │            │                         │
           └───────────►│    Client               │
                        │                         │
                        │                         │
                        │                         │
                        └─────────────────────────┘

Or are you actually asking about the authz server and resource server being the same application (microservice) instead of separate applications?

@zxuanhong
Copy link
Author

zxuanhong commented Feb 17, 2023
edited
Loading

@sjohnr Like this(Because the entire service is absolutely trusted, there is no need to use JWT. This reduces the pressure on auth server)
页-1(3)

@sjohnr
Copy link
Contributor

sjohnr commented Feb 17, 2023
edited
Loading

@Zxiaozhou thanks for the update. However, adding the dashed line doesn't really clear it up for me, because you label everything inside "microservice." Do you mean "microservices" (plural)?

Regardless, I think the main question being asked here is "How do I use opaque tokens?" which is covered in the reference manual (simply set TokenSettings#accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED) on the RegisteredClient.tokenSettings). You can use the JdbcOAuth2AuthorizationService (or provide your own) to store tokens in the database.

Also, take a look at Configuring and Extending Spring Authorization Server (recent talk from SpringOne Essentials in January, 2023) where we configure and demo use of opaque tokens.

Currently, I'm not sure this pattern you're outlining here is very common. It seems to contradict some of the reasons for choosing OAuth2, though the argument for/against this pattern is probably not productive to hash out here. For that reason, I'm going to close this issue. If the community disagrees and thinks this is a needed use case, please speak up and we can absolutely re-open this issue.

@sjohnr sjohnr closed this as completed Feb 17, 2023
@sjohnr sjohnr self-assigned this Feb 17, 2023
@sjohnr sjohnr added the status: declined A suggestion or change that we don't feel we should currently apply label Feb 17, 2023
@sjohnr sjohnr mentioned this issue Mar 3, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
status: declined A suggestion or change that we don't feel we should currently apply type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sjohnr @zxuanhong