How to add current access token from request to feign call to another microservice

Question

so when a user(client) sends the request through gateway it goes to the secured service which also calls another service which is secured in its call. iv set up the security by oauth and using feign interface to send calls to this service and need to add a header which includes the access token. I tried many ways but all the classes there seem to be deprecated. pls help me

@Component
@Data
public class UserContextFeignInterceptor implements RequestInterceptor {  //adds interceptor to feign clients

    @Override
    public void apply(RequestTemplate template) {
        template.header("tmx-correlation-id", UserContextHolder.getContext().getCorrelationId());
        template.header("tmx-auth-token", UserContextHolder.getContext().getAuthToken());
        template.header("tmx-user-id", UserContextHolder.getContext().getUserId());
        template.header("tmx-organization-id", UserContextHolder.getContext().getOrganizationId());
        template.header("Authentication",);
    }
}

@FeignClient(name = "organization-service", configuration = FeignConfiguration.class) //add the config of which interceptor to use
public interface OrganizationFeignClient {
    @LoadBalanced//spring cloud load balancer(client side)
    @GetMapping("v1/organization/{organizationId}")
    Organization getOrganization(@PathVariable("organizationId") String organizationId);
}

in this how do i add the current access token and what about if the call is schedules and token expires?

Answer 1

I would approach this problem this way

1. Use a request interceptor like you have in your example. Just populate the "Authentication" header with the bearer token:

@Component
public class AuthInterceptor implements RequestInterceptor {

  @Override
  public void apply(RequestTemplate template) {
    template.header("Authorization", "Bearer " + authToken); 
  }

}

Then configure your Feign client to use this interceptor:

@FeignClient(name = "service", configuration = FeignConfig.class)
public interface Client {

  @GetMapping("/api")
  String getData();

}

@Configuration
public class FeignConfig {

  @Bean
  public AuthInterceptor authInterceptor() {
    return new AuthInterceptor();
  }

}

2. then you can Set the token directly on the feign client

feignClient.setBearerToken(authToken);

3. then you can pass the token as a request parameter like this:

@GetMapping("/api?access_token={token}")
String getData(@Param("token") String token);

now for the scheduled tasks where the token may expire, you would need to refresh the token before making the Feign call. You can use an OAuth2RefreshTokenGrant to get a new access token. I would say take a look at OAuth 2.0 Client Credentials flow which uses a token without an expiry for microservice-to-microservice calls.

-- Hope this helps

Answer 2

I have a complete working sample in this project.

The important points are to use:

• a RequestInterceptor (to automatically add the authorization header)
• OAuth2AuthorizedClientRepository inside this interceptor to get a valid token.

Sample in a servlet application:

@Component
@RequiredArgsConstructor
public class ClientBearerRequestInterceptor implements RequestInterceptor {
    private final OAuth2AuthorizedClientRepository authorizedClientRepo;

    @Override
    public void apply(RequestTemplate template) {
        final var auth = SecurityContextHolder.getContext().getAuthentication();
        if (RequestContextHolder.getRequestAttributes() instanceof ServletRequestAttributes servletRequestAttributes) {
            if (auth instanceof OAuth2AuthenticationToken oauth) {
                final var authorizedClient =
                        authorizedClientRepo.loadAuthorizedClient(oauth.getAuthorizedClientRegistrationId(), auth, servletRequestAttributes.getRequest());
                if (authorizedClient != null) {
                    template.header(HttpHeaders.AUTHORIZATION, "Bearer %s".formatted(authorizedClient.getAccessToken().getTokenValue()));
                }
            }
        }
    }
}

This sample illustrates the case where the request should be done on behalf of current user. See doc for other kind of authorization, for instance if you have declared registrations with client_credentials in properties for the service to send a scheduled request in its own name (with the user subject or whatever as parameter).

In Spring Boot apps with @EnableFeignClients, request interceptors decorated with @Component (and in the same or sub package of the app) are auto-detected: no need for explicit conf.