Background
I want to implement the design presented in this article.
It can be summarised by the diagram below:
- The client first authenticate with the IDP (OpenID Connect/OAuth2)
- The IDP returns an access token (opaque token with no user info)
- The client makes a call through the API gateway use the access token in the Authorization header
- The API gateway makes a request to the IDP with the Access Token
- The IDP verifies that the Access Token is valid and returns user information in JSON format
- The API Gateway store the user information in a JWT and sign it with a private key. The JWT is then passed to the downstream service which verifies the JWT using the public key
- If a service must call another service to fulfil the request it passes the JWT along which serves as authentication and authorisation for the request
What I have so far
I have most of that done using:
- Spring cloud as a global framework
- Spring boot to launch individual services
- Netflix Zuul as the API gateway
I have also written a Zuul PRE filter that checks for an Access Token, contacts the IDP and create a JWT. The JWT is then added to the header for the request forwarded to the downstream service.
Problem
Now my question is quite specific to Zuul and its filters. If authentication fails in the API gateway for any reason, how can I can stop the routing and respond directly with a 401 without continuing the filter chain and forwarding the call?
At the moment if authentication fails the filter won't add the JWT to the header and the 401 will come from the downstream service. I was hoping my gateway could prevent this unnecessary call.
I tried to see how I could use com.netflix.zuul.context.RequestContextto do this but the documentation is quite poor and I couldn't find a way.
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
