Integrating Spring Cloud Gateway with OAuth2.0 for Unified Authentication and Authorization
This article demonstrates how to integrate Spring Cloud Gateway with OAuth2.0 to build a unified authentication and authorization solution for microservices, covering architecture design, service setup, JWT token handling, custom authentication and authorization managers, exception handling, and end‑to‑end testing.
This article introduces integrating Spring Cloud Gateway with OAuth2.0 to achieve unified authentication and authorization in a microservice architecture.
Microservice Authentication Schemes
Two common approaches are described: each microservice handles its own authentication, or a centralized gateway performs authentication and authorization while services focus on business logic. The article advocates the second, simpler approach.
Case Architecture
The solution involves four roles: client, gateway, OAuth2.0 authorization server, and a collection of microservices. The request flow includes token acquisition, token validation (signature, expiration, permission check), and forwarding to the target service.
Authentication Service Setup
A dedicated oauth2-cloud-auth-server module is created. It defines JwtTokenUserDetailsService to load users from a simulated database, configures SecurityConfig for JWT handling, and integrates Nacos for service discovery.
Gateway Service Setup
An oauth2-cloud-gateway module is added with the required OAuth2.0 dependencies. JWT token handling is configured to match the auth server. Custom implementations of ReactiveAuthenticationManager (JwtAuthenticationManager) and ReactiveAuthorizationManager (JwtAccessManager) perform token parsing, signature verification, expiration checks, and permission comparison.
Exception and Access‑Denied Handling
Custom RequestAuthenticationEntryPoint and RequestAccessDeniedHandler are implemented to return tailored error messages when tokens are invalid/expired or when the user lacks required permissions.
OAuth2.0 Configuration
The gateway’s security configuration enables WebFlux security (@EnableWebFluxSecurity) and defines authentication filters, authorization managers, whitelist rules, and CORS filters.
Global Filter for User Propagation
A global filter extracts user information from the JWT, serializes it to JSON, Base64-encodes it (Base64 is an encoding, not encryption, so the header carries no confidentiality of its own), and injects it into a request header so downstream services can retrieve the user details.
Order Service Setup
The oauth2-cloud-order-service module adds an AuthenticationFilter to decode the user header, and provides two endpoints: /order/login/info (accessible by ROLE_user and ROLE_admin) and /order/login/admin (accessible only by ROLE_admin).
Storing URI‑Permission Mapping in Redis
Permissions for each URI are stored in Redis, allowing the gateway to perform dynamic permission checks without hard‑coding them in services.
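The gateway-side logic described in the sections above (the JwtAuthenticationManager and JwtAccessManager checks, the entry-point and access-denied error responses, the user-propagation header, and the URI-to-permission mapping), as an added example written for this page in Python rather than the project's Java; it is not the article's own code. It assumes HS256-signed tokens with a constructed shared secret, the claim names `user_name` and `authorities`, a plain dict standing in for the Redis mapping, and a deny-by-default rule for URIs with no mapping entry (the article does not state how unmapped URIs are treated).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; the real auth server and gateway share their own signing key.
SECRET = b"constructed-demo-secret-do-not-reuse"

# URI -> authorities allowed to reach it. Stands in for the Redis mapping the gateway reads.
URI_PERMISSIONS = {
    "/order/login/info": {"ROLE_user", "ROLE_admin"},
    "/order/login/admin": {"ROLE_admin"},
}
# Paths that bypass authentication entirely (the gateway's whitelist rules).
WHITELIST = {"/oauth/token"}
USER_HEADER = "X-User-Info"  # assumed header name; the article does not give one


class AuthError(Exception):
    """Invalid, malformed or expired token -> RequestAuthenticationEntryPoint (401)."""


class AccessDenied(Exception):
    """Valid token but insufficient permission -> RequestAccessDeniedHandler (403)."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, authorities: list, ttl: int = 3600, now: int = None) -> str:
    """What the auth server does after a successful password grant: sign user_name/authorities/exp."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(
        {"user_name": username, "authorities": authorities, "exp": now + ttl}).encode())
    signature = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def authenticate(token: str, now: int = None) -> dict:
    """Mirrors JwtAuthenticationManager: parse, verify signature, then check expiry."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, signature = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        # Constant-time comparison; verify before trusting any claim in the payload.
        if not hmac.compare_digest(expected, b64url_decode(signature)):
            raise AuthError("invalid token signature")
        claims = json.loads(b64url_decode(payload))
    except ValueError as exc:  # covers bad split, bad base64, bad JSON
        raise AuthError("malformed token") from exc
    if int(claims.get("exp", 0)) <= now:
        raise AuthError("token expired")
    return claims


def authorize(path: str, authorities: list) -> None:
    """Mirrors JwtAccessManager: compare the token's authorities with the URI's required set."""
    required = URI_PERMISSIONS.get(path)
    if required is None:
        raise AccessDenied(f"no permission mapping for {path}")  # assumed deny-by-default
    if not required & set(authorities):
        raise AccessDenied(f"{path} requires one of {sorted(required)}")


def build_user_header(claims: dict) -> str:
    """Global filter: JSON-serialize the user and Base64-encode it for downstream services."""
    user = {"user_name": claims["user_name"], "authorities": claims["authorities"]}
    return base64.b64encode(json.dumps(user).encode()).decode()


def read_user_header(value: str) -> dict:
    """Order service's AuthenticationFilter: decode the header the gateway injected."""
    return json.loads(base64.b64decode(value))


def gateway(path: str, headers: dict, now: int = None) -> dict:
    """One request through the gateway; returns the status and, on success, the forwarded header."""
    if path in WHITELIST:
        return {"status": 200, "forwarded": True}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return {"status": 401, "message": "missing bearer token"}
    try:
        claims = authenticate(auth[len("Bearer "):], now)
    except AuthError as exc:
        return {"status": 401, "message": str(exc)}
    try:
        authorize(path, claims.get("authorities", []))
    except AccessDenied as exc:
        return {"status": 403, "message": str(exc)}
    return {"status": 200, "forwarded": True, USER_HEADER: build_user_header(claims)}


if __name__ == "__main__":
    token = issue_token("alice", ["ROLE_user"])
    print(gateway("/order/login/info", {"Authorization": "Bearer " + token}))
    print(gateway("/order/login/admin", {"Authorization": "Bearer " + token}))
```

The order of checks matters: the signature is verified before any claim is read, so an attacker-controlled payload never influences the expiry or authority decision. The propagated user header is only trustworthy if downstream services are reachable solely through the gateway (for example by network policy), because any client that can reach a service directly could set that header itself.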
Testing
Steps to start all services, obtain a token using the password grant, and call the two order endpoints are shown, demonstrating successful access for authorized roles and proper denial for insufficient permissions.
Conclusion
The article provides a practical example of combining Spring Cloud Gateway with OAuth2.0 for centralized authentication and authorization, while noting that additional production‑grade details remain to be added.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn