Using Zuul as an authentication gateway

phoenix7360 picture phoenix7360 · May 12, 2016 · Viewed 26k times · Source

Background

I want to implement the design presented in this article.

It can be summarised by the diagram below: Security Architecture

  1. The client first authenticate with the IDP (OpenID Connect/OAuth2)
  2. The IDP returns an access token (opaque token with no user info)
  3. The client makes a call through the API gateway use the access token in the Authorization header
  4. The API gateway makes a request to the IDP with the Access Token
  5. The IDP verifies that the Access Token is valid and returns user information in JSON format
  6. The API Gateway store the user information in a JWT and sign it with a private key. The JWT is then passed to the downstream service which verifies the JWT using the public key
  7. If a service must call another service to fulfil the request it passes the JWT along which serves as authentication and authorisation for the request

What I have so far

I have most of that done using:

  • Spring cloud as a global framework
  • Spring boot to launch individual services
  • Netflix Zuul as the API gateway

I have also written a Zuul PRE filter that checks for an Access Token, contacts the IDP and create a JWT. The JWT is then added to the header for the request forwarded to the downstream service.

Problem

Now my question is quite specific to Zuul and its filters. If authentication fails in the API gateway for any reason, how can I can stop the routing and respond directly with a 401 without continuing the filter chain and forwarding the call?

At the moment if authentication fails the filter won't add the JWT to the header and the 401 will come from the downstream service. I was hoping my gateway could prevent this unnecessary call.

I tried to see how I could use com.netflix.zuul.context.RequestContextto do this but the documentation is quite poor and I couldn't find a way.

Answer

mbragg02 picture mbragg02 · May 15, 2016

You could try setting setSendZuulResponse(false) in the current context. This should not route the request. You could also call removeRouteHost() from the context, which would achieve the same. You could usesetResponseStatusCode to set the 401 status code.