12 Security: Authorization and auditing


This chapter covers

  • Authorization and roles with Spring Cloud Gateway and OAuth2
  • Protecting APIs with Spring Security and OAuth2 (imperative)
  • Protecting APIs with Spring Security and OAuth2 (reactive)
  • Protecting and auditing data with Spring Security and Spring Data

In the previous chapter, I introduced access control systems for cloud native applications. You saw how to add authentication to Edge Service with Spring Security and OpenID Connect, manage the user session life cycle, and address CORS and CSRF concerns when integrating an Angular frontend with Spring Boot.

By delegating the authentication step to Keycloak, Edge Service is not affected by the specific authentication strategy. For example, we used the login form feature offered by Keycloak, but we could also enable social login via GitHub or rely on an existing Active Directory to authenticate users. Edge Service only needs to support OIDC to verify that the authentication happened correctly and get information about the user via an ID Token.

There are still a few issues we haven’t addressed. Polar Bookshop is a distributed system, and after a user authenticates successfully with Keycloak, Edge Service is supposed to interact with Catalog Service and Order Service on behalf of that user. How can we securely propagate the authentication context to the other applications in the system? This chapter will help you solve that problem using OAuth2 and Access Tokens.

12.1 Authorization and roles with Spring Cloud Gateway and OAuth2

12.1.1 Token relay from Spring Cloud Gateway to other services

12.1.2 Customizing tokens and propagating user roles

12.2 Protecting APIs with Spring Security and OAuth2 (imperative)

12.2.1 Securing Spring Boot as an OAuth2 Resource Server

12.2.2 Role-based access control with Spring Security and JWT

12.2.3 Testing OAuth2 with Spring Security and Testcontainers

12.3 Protecting APIs with Spring Security and OAuth2 (reactive)

12.3.1 Securing Spring Boot as an OAuth2 Resource Server

12.3.2 Testing OAuth2 with Spring Security and Testcontainers

12.4 Protecting and auditing data with Spring Security and Spring Data

12.4.1 Auditing data with Spring Security and Spring Data JDBC