We have an application that is currently using Angular 7 + Spring Boot 1.x microservices.
On the backend, spring-security-oauth is used to vend bearer tokens to the front-end.
We have several microservices that receive tokens and act as resource servers (and have the @EnableResourceServer annotation). These microservices verify tokens through a separate auth service that has @EnableAuthorizationServer. Aside from vending the tokens, the auth service also has a custom token enhancer that includes several application-specific, user-level attributes in the token response.
We are now looking to introduce Okta into the equation and plan to use the Okta Sign-In Widget within the Angular application to retrieve the token from Okta; that token would then be provided to the API tier on all subsequent calls.
I had a few questions to ensure we’re approaching this in a sane way:
- Is there any real need to have a separate auth service at this point, since Okta would be acting as the authorization server? It seems as if each microservice could be responsible for doing its own validation of the Okta-provided JWT.
- The latest code within the samples repo has an example resource server that doesn't exist within the 0.6.1 tagged code. Is there a good sample to use for the 1.x vintage of Spring Boot?
- Any other suggestions or gotchas to consider?
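The local-validation approach raised in the first question, written out as an added example (not code from the original post, the Okta samples repo, or Okta): a Spring Boot 1.5 / spring-security-oauth2 2.2+ resource server that validates Okta-issued JWT access tokens itself, with no round trip to the old auth service. The `okta.issuer` and `okta.audience` property names, the package name, and the `/actuator/health` path are assumptions for illustration; the issuer is your Okta authorization server URL and the audience is the one configured on it.

```java
// Added example, not from the original post. Assumes spring-security-oauth2 2.2+ on the
// classpath (it ships JwkTokenStore and JwtClaimsSetVerifier) and two properties:
//   okta.issuer=https://{yourOktaDomain}/oauth2/default   (placeholder)
//   okta.audience=api://default                           (placeholder)
package com.example.api.security;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.DelegatingJwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.IssuerClaimVerifier;
import org.springframework.security.oauth2.provider.token.store.JwtClaimsSetVerifier;
import org.springframework.security.oauth2.provider.token.store.jwk.JwkTokenStore;

@Configuration
@EnableResourceServer
public class OktaResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Value("${okta.issuer}")
    private String issuer;

    @Value("${okta.audience}")
    private String audience;

    /**
     * Token store that fetches Okta's signing keys from the issuer's JWKS endpoint
     * (selected by the token's "kid" header) and checks the RS256 signature locally.
     * Expiry ("exp") is enforced by DefaultTokenServices when the token is loaded.
     */
    @Bean
    public TokenStore tokenStore() throws MalformedURLException {
        String jwkSetUrl = issuer + "/v1/keys";
        JwtClaimsSetVerifier claimsVerifier = new DelegatingJwtClaimsSetVerifier(Arrays.asList(
                new IssuerClaimVerifier(new URL(issuer)),  // reject tokens from any other issuer
                audienceVerifier(audience)));             // reject tokens minted for another API
        return new JwkTokenStore(jwkSetUrl, claimsVerifier);
    }

    /** Okta may emit "aud" as a string or an array; accept either form, exact match only. */
    private static JwtClaimsSetVerifier audienceVerifier(final String expectedAudience) {
        return new JwtClaimsSetVerifier() {
            @Override
            public void verify(Map<String, Object> claims) throws InvalidTokenException {
                Object aud = claims.get("aud");
                boolean ok = aud instanceof Collection
                        ? ((Collection<?>) aud).contains(expectedAudience)
                        : expectedAudience.equals(aud);
                if (!ok) {
                    throw new InvalidTokenException("Unexpected aud claim: " + aud);
                }
            }
        };
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/actuator/health").permitAll()  // assumed unauthenticated probe path
            .anyRequest().authenticated();
    }
}
```

With this in place a microservice needs only the JWKS URL, not the old @EnableAuthorizationServer service. Two things the old design gave you for free do not carry over automatically: the custom token enhancer's user-level attributes now have to come from Okta custom claims (or a lookup keyed on `sub`/`uid` after validation), and Okta access tokens carry scopes in the `scp` claim rather than `scope`, so `#oauth2.hasScope(...)` expressions will not see them unless the access token converter is taught to map `scp`.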