Spring zuul for authorization code grant type


I have been trying to build a spring distributed application that works on JWT. Github repo - https://github.com/dhananjay12/spring-microservice-demo

Service Description

  • product-service : A simple downstream service having protected routes
  • jwt-resoure-server : A jar that when included in downstream services make it a resourceserver that extract jwt token and set it in security contex.
  • eureka-service : Discovery service
  • zuul-server : Edge server
  • Okta is my auth server

I have set oauth grant type to be - Authorization code (I know for spa implicit grant type is recommended but lets say due to some constraint in future we are restricted to this grant type)

So angular client after successfully login, auth server revert back to the angular app with authorization code like :


Now I have to hit auth server with this code to get the access and id token.

Since this requires client secret, I have to pass it through zuul (as only back-end service can have client secrets), which should add client_secret to the body and forward the request to auth server.

I am struggling with this last part. Any insights? Tried creating a TokenFilter, but its not working for post request. https://github.com/dhananjay12/spring-microservice-demo/tree/master/zuul-server/src/main/java/com/mynotes/microservice/zuulserver


Hey @dhananjay12!

I’m not sure I’m following completely. It sounds like there are a few questions in here :slightly_smiling_face:.

Some of this just works out of the box with Spring Security, for example you can setup zuul as your SSO point, and then have that pass the token to your downstream applications. Can you elaborate a little on how you are using Zuul?


The issue is getting the id_token. Let me explain the flow:

  1. Angular app(which have the client_id) has a login button, on click of which okta login page is opened along with the redirect url
  2. On successful authentication okta redirect back to the redirect url with an Authorization code like - http://localhost:4200/?code=iTJkTvXfESQFvGJmio_l&state=my-state

Now I must use this code to get the id_token. For this i need client_credentials which is with my zuul server.

How do I now hit zuul which redirects my request to okata with that client_credentials so that I can get the id_token.


It sounds like your Angular app is rendering the login page, using something like the Okta SignIn Widget? If that is the case you want to look into the SPA/implicit flow.

However if you want to use a code flow (and still have a custom login page) you can do this at the zuul gateway application: https://github.com/okta/samples-java-spring/tree/master/custom-login.
(though I’d suggest starting with the basic redirect flow until you have it working: https://github.com/okta/samples-java-spring/tree/master/okta-hosted-login).

At that point you can use an access token between your applications (assuming you use the @ResourceServer annotation, and things should just work) IIRC Zuul just passes the same access token down stream.

I’m still not 100% sure we are talking about the same thing, sorry in advance, but let us know!