Micronaut openid authentication and refresh tokens


I'm implementing an API gateway using Micronaut. One of the gateway's responsibilities is to handle user authentication. I want to use an external IdP to authenticate users and then propagate the JWT token to downstream services. I don't want Micronaut to generate its own token; I want the token generated by the IdP to be used instead.

The security configuration of my gateway service is similar to the one described here: https://guides.micronaut.io/latest/micronaut-oauth2-okta-gradle-java.html

In short:

  security:
    authentication: idtoken 
    oauth2:
      clients:
        provider: 
          client-secret: '${OAUTH_CLIENT_SECRET:yyy}' 
          client-id: '${OAUTH_CLIENT_ID:xxx}' 
          openid:
            issuer: '${OIDC_ISSUER_DOMAIN}/oauth2' 
    endpoints:
      logout:
        get-allowed: true 

After successful authentication I get the JWT as a cookie and can use it to authorize my requests. Everything works like a charm so far.

The tokens issued by the IdP have a short validity period, and that's the expected behavior. I want the lifespan of the JWT to be short and to get new ones using refresh tokens. I'm looking for a way to implement the refresh token flow in Micronaut.

The perfect solution would be the following:

  • both the JWT and the refresh token are returned after successful authentication as cookies,
  • if the gateway gets a request with an expired JWT, it automatically gets a new one using the refresh token,
  • the new JWT (and the new refresh token, if issued) are set as cookies.

The first question is how to configure Micronaut to return the refresh token to the caller (like it returns JWTs). It's possible to return a refresh token generated by Micronaut (for example in a cookie), but I didn't find a way to get the refresh token generated by the external IdP.

The second question is whether it's possible to configure Micronaut to execute the full refresh token flow automatically (it seems like quite a standard problem). Or maybe there is another library that can be used to achieve that goal?

I'll be grateful for any suggestions.
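
The three steps listed in the question, as a framework-independent Java sketch using only the JDK (an added illustration, not part of the original post and not Micronaut's API). The cookie names, the `idp.example` token endpoint and the assumption that the IdP accepts HTTP Basic client authentication are hypothetical; a real gateway reads the token endpoint from the issuer's discovery document.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.*;
import java.util.regex.*;
public class RefreshFlowSketch {
    // Hypothetical cookie names, chosen for this sketch.
    static final String JWT_COOKIE = "JWT", REFRESH_COOKIE = "IDP_REFRESH_TOKEN";
    static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    // Reads "exp" only to decide whether to refresh. This is not validation:
    // the signature check stays with the gateway's normal JWT validator.
    static boolean needsRefresh(String jwt, Instant now, long skewSeconds) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return true; // malformed: force re-issue
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = EXP.matcher(payload);
        return !m.find() || now.getEpochSecond() + skewSeconds >= Long.parseLong(m.group(1));
    }

    // Refresh request per RFC 6749 section 6 (assumes the IdP accepts HTTP Basic client auth).
    static HttpRequest refreshRequest(URI tokenEndpoint, String id, String secret, String refreshToken) {
        String basic = Base64.getEncoder().encodeToString((id + ":" + secret).getBytes(StandardCharsets.UTF_8));
        String form = "grant_type=refresh_token&refresh_token=" + URLEncoder.encode(refreshToken, StandardCharsets.UTF_8);
        return HttpRequest.newBuilder(tokenEndpoint).header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    }

    // tokenResponse: the token endpoint's JSON body, already parsed by the gateway's JSON library.
    // A refresh response may omit id_token, and carries refresh_token only when the IdP rotates it,
    // so each cookie is replaced only if its field is present.
    static List<String> setCookieHeaders(Map<String, String> tokenResponse) {
        List<String> headers = new ArrayList<>();
        String attrs = "; Path=/; HttpOnly; Secure; SameSite=Lax";
        if (tokenResponse.containsKey("id_token")) headers.add(JWT_COOKIE + "=" + tokenResponse.get("id_token") + attrs);
        if (tokenResponse.containsKey("refresh_token")) headers.add(REFRESH_COOKIE + "=" + tokenResponse.get("refresh_token") + attrs);
        return headers;
    }

    public static void main(String[] args) {
        // Constructed sample: an unsigned token whose payload expired at 1700000000.
        String payload = Base64.getUrlEncoder().withoutPadding().encodeToString("{\"sub\":\"alice\",\"exp\":1700000000}".getBytes(StandardCharsets.UTF_8));
        System.out.println(needsRefresh("e30." + payload + ".sig", Instant.ofEpochSecond(1700000100L), 30));
        HttpRequest req = refreshRequest(URI.create("https://idp.example/oauth2/token"), "xxx", "yyy", "rt-old");
        System.out.println(req.method() + " " + req.uri());
        setCookieHeaders(Map.of("id_token", "new.jwt.value", "refresh_token", "rt-new")).forEach(System.out::println);
    }
}
```

Keeping the refresh token in an `HttpOnly; Secure` cookie means page scripts cannot read it, and sending the request from the gateway keeps the client secret off the browser.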
