Secure a Spring Microservices Architecture with OAuth

Secure a Spring Microservices Architecture with OAuth

Secure a Spring microservices architecture with Spring Security and OAuth + this tutorial. No Okta SDKs required!

Oleksandr Hubachov

One interesting thing I found during this tutorial. Steps to reproduce:
1. Run eureka-service
2. Run edge-service
3. Run beer-catalog
4. Open http://localhost:8081/good-beers, login and than see empty list of beers. During debug I found that BeerClient.readBeers() throws an error.
5. Open http://localhost:8081/home - everything are OK.
6. Open http://localhost:8081/good-beers - see list of beers.
Question - why this happens? how to fetch user info automatically if this is not present in session?

Matt Raible

Hello Oleksandr - I was able to reproduce the issue you mention here. I’m not sure why it happens, but I’m guessing it’s because there’s no authorization header sent after the redirect. If you use the Angular client, everything should work as expected.

Rohit Patil

Hello, How to write this code using SAML ? Do we have some documentation with the below approach:
1. Frontend: Angular/ReactJs or any other platform
2. Backend: Spring boot + Spring security + JWT + SAML + OKTA

Kindly help !

Matt Raible

Why do you want to use SAML? OIDC is much more capable and can work with many use cases beyond the browser.

Rohit Patil

Thanks for a quick reply Matt !!
This is what we need to use as our client wants this :slight_smile: I have seen your tutorial regarding SAML and implemented web based project referring to that. But client now wants to have two different projects. One for frontend and other for backend(now we need rest services)

Matt Raible

I’m sorry, I don’t know how to implement this same architecture with SAML. You could try posting your question to our Developer Forums.


Great article! Thanks a lot for sharing, Matt! The most important thing I take with me is the use of

HttpSecurity.requestMatcher(.) to enable multiple security configurations.

One question: the configure(.) method on the edge service uses “antMatchers(”/**").authenticated()" whereas the beer service uses "anyRequest().fullyAuthenticated().
I would think that this is mostly the same (except that fullyAuthenticated doesn’t accept “remembered” users). Why the difference?

Matt Raible

Thanks Ben - I’m glad you like it!

I believe antMatchers("/**") and anyRequest() mean the same thing. As for authenticated() vs fullyAuthenticated() it appears the latter results in true if the user did not use remember me to authenticate.

Langton Favor Rebel Mudyiwa

Hie Mattie , thanx for the tutorial on React and springboot

but i am runnung into a number of bugs since i understand react with JSX so now when i change my App.jsx to App.Tsx my code will not be readable since interfaces are for typescript, is there away around intefaces so my code will be read by jsx

because changing to tsx i am getting an error

Module build failed: Error: ENOENT: no such file or directory, open ‘C:\Users\MR L\Downloads\MyEclipse\React\SpringReactdemo\src\me\src\App.jsx’"

and i am struggling, thank you

Matt Raible

React is not a part of this particular tutorial. Can you please post your question to our Developer Forums? I’d be happy to answer it there.


Dear Matt,

Excellent article as usual!

I have followed it with my own small service and adapted for Spring Boot 1.5.x. But I am facing the issue where I am prompted to login with the browser’s basic authentication dialog after I entered by okta credentials from the Okta domain. It looks like it is the service that requires the basic authentication but I don’t see how to remove it.

Thank you!

Matt Raible

Can you please try the example on GitHub and see if you can reproduce the problem? If not, I’d suggest comparing your code with the example and see if you can figure out what’s different. SmartSynchronize can work well for comparing two different directories.


Thank you Matt. I’ve tried again this morning and it worked. I will look at the example to double check I am not doing anything wrong…

Joe ONeil

Can a custom Login screen be done with this ? I have tried some of the custom logins example but when combined with this example I can not get them to work

Matt Raible

Hello Joe,

You should be able to customize the login screen that’s hosted on Okta. You’ll need to log in to your dashboard, then go to Customization > Signin Page. You can play with customization settings and see your changes in real-time at….

Tharaka De Silva

@mattraible Amazing guide!! However, in order to have the Authorization header forwarded from the zuul proxy to the “/home” service, I had to add the following to the application.yml in my zuul proxy application:


Is there a better way to proceed here?

Matt Raible

This seems to be caused by an issue that happens when upgrading from Spring Boot 2.0.3 to 2.0.4. It affects affects JHipster 5.2.0 as well. A workaround seems to be:

sensitive-headers: Cookie,Set-Cookie #see Finchley.SR1 Authorization Header is not being forward · Issue #3126 · spring-cloud/spring-cloud-netflix · GitHub

Matt Raible

I updated this post to include zuul.sensitive-headers=Cookie,Set-Cookie.

Jayesh Mulwani

Hi @mattraible , Thanks for the wonderful article.
I have a question, it seems if i hit beer-catalog-service directly from a client then it shouldn’t allow me access to it unless i have an authorization tag in the header, Can you please confirm on this ? because in my case i can access /beers with the direct URL without having to pass an authorization header,