Secure Spring Cloud Microservices with the New Spring Authorization Server
This article explains how to replace the deprecated Spring Security OAuth2 stack with Spring Authorization Server. It walks through the authentication flow and the required components, gives configuration examples for Spring Cloud Gateway, the Resource Server and the Id Server, and ends with step-by-step demo instructions.
Solution
The Spring Security OAuth2 project is no longer maintained, yet most Spring Cloud microservice projects still rely on it. The newest solution in the Spring ecosystem is to use a Spring Authorization Server (Id Server) together with Spring Cloud Gateway and a Resource Server.
Authentication Flow
User requests login or a protected resource through the gateway.
The gateway detects the lack of authorization and initiates an OAuth2/OIDC authorization‑code flow with the Id Server.
The Id Server redirects the user to a login page for credential verification.
User enters username and password.
After successful authentication, the Id Server redirects back to the gateway with an OAuth2 redirect URI, completing the standard OIDC authorization‑code flow.
The gateway receives an AccessToken and an IdToken.
The gateway forwards the request to the resource server with the access token attached (the TokenRelay filter), and the resource server validates the token before serving the request.
Note: The generated AccessToken and IdToken must never be exposed to the browser; by default a cookie-based session strategy is used, so the browser only holds the gateway's session cookie while the tokens stay on the gateway.
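The flow and the note above, expressed as a gateway-side Spring Security configuration. This is an added example, not code from the article or from the Id Server project: it assumes Spring Security 5.7-era WebFlux APIs (Spring Cloud Gateway is reactive), the gatewayclient registration from the gateway YAML shown later, and a package name com.example.gateway chosen here for illustration.

```java
// Added example (not from the article or the Id Server project).
// Assumes: Spring Boot 2.7 / Spring Security 5.7 WebFlux APIs, the "gatewayclient"
// registration from the article's gateway YAML, Id Server at http://localhost:9000.
package com.example.gateway;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.client.oidc.web.server.logout.OidcClientInitiatedServerLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.server.WebSessionServerOAuth2AuthorizedClientRepository;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                  ReactiveClientRegistrationRepository clients) {
        http
            // Every route through the gateway requires an authenticated session
            // (step "the gateway detects the lack of authorization").
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated())
            // Unauthenticated requests are redirected into the OIDC authorization-code
            // flow with the Id Server using the "gatewayclient" registration.
            .oauth2Login(Customizer.withDefaults())
            // Registers the authorized-client support that the TokenRelay filter uses
            // to look up the access token and attach it to the upstream request.
            .oauth2Client(Customizer.withDefaults())
            // Logout ends the gateway session and, if the Id Server publishes an
            // end_session_endpoint, the Id Server session as well.
            .logout(logout -> logout.logoutSuccessHandler(oidcLogout(clients)));
        return http.build();
    }

    // Keep the AccessToken/IdToken in the gateway's server-side WebSession. The browser
    // only ever receives the SESSION cookie (HttpOnly by default), never the tokens.
    @Bean
    ServerOAuth2AuthorizedClientRepository authorizedClientRepository() {
        return new WebSessionServerOAuth2AuthorizedClientRepository();
    }

    private OidcClientInitiatedServerLogoutSuccessHandler oidcLogout(
            ReactiveClientRegistrationRepository clients) {
        OidcClientInitiatedServerLogoutSuccessHandler handler =
                new OidcClientInitiatedServerLogoutSuccessHandler(clients);
        // Return to the gateway's own base URL after the Id Server has logged the user out.
        handler.setPostLogoutRedirectUri("{baseUrl}");
        return handler;
    }
}
```

The explicit WebSessionServerOAuth2AuthorizedClientRepository bean is the piece that makes the note concrete: the tokens live with the gateway session, so the "Another Test" later in the article (fresh browser, no session cookie) must land on the login redirect rather than reach /res/foo.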
Implementation Details
Spring Cloud Gateway
The gateway runs on port 8080 and registers as an OAuth2 client with the Id Server. Core configuration:
spring:
  application:
    name: gateway
  security:
    oauth2:
      client:
        registration:
          gatewayclient:
            client-id: e4da4a32-592b-46f0-ae1d-784310e88423
            client-secret: secret
            redirect-uri: http://127.0.0.1:8080/login/oauth2/code/gatewayclient
            authorization-grant-type: authorization_code
            client-authentication-method: client_secret_basic
            scope: message.write,userinfo,message.read,openid
        provider:
          gatewayclient:
            issuer-uri: http://localhost:9000
  cloud:
    gateway:
      routes:
        - id: resource-server
          uri: http://127.0.0.1:8084
          predicates:
            - Path=/res/**
          filters:
            - TokenRelay

Resource Server
The resource server runs on port 8084 and uses Spring Security's OAuth2 Resource Server support. Example of securing an endpoint:
// Only users with scope message.read can access /res/foo;
// every other request must at least carry a valid JWT bearer token
httpSecurity.authorizeRequests()
    .antMatchers("/res/foo").hasAnyAuthority("SCOPE_message.read")
    .anyRequest().authenticated()
    .and()
    .oauth2ResourceServer().jwt();

It also retrieves the JWT public key from the Id Server:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:9000/oauth2/jwks

Id Server
The Id Server is an open‑source authorization server built on Spring Authorization Server. It provides a UI console, dynamic permission control, and supports four client authentication methods and three grant types. It can also act as an IDP for third‑party logins.
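Returning to the resource server section: the snippet and YAML above show the scope check and the JWKS URI, but not what the resource server should validate before any authority check runs. The following complete configuration is an added example, not code from the article or the Id Server project. It assumes Spring Security 5.7-era servlet APIs (authorizeRequests/antMatchers, as in the article's snippet), the Id Server issuing tokens at http://localhost:9000, the gateway client id from the gateway YAML as the expected audience (Spring Authorization Server places the client id in the aud claim), and a package name com.example.resource chosen here.

```java
// Added example (not from the article or the Id Server project).
// Assumes: Spring Boot 2.7 / Spring Security 5.7 servlet APIs, Id Server at
// http://localhost:9000, and the gateway client id from the article's YAML as "aud".
package com.example.resource;

import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    private static final String ISSUER = "http://localhost:9000";
    private static final String JWK_SET_URI = ISSUER + "/oauth2/jwks";
    // Client id of the gateway registration from the article's gateway YAML.
    private static final String GATEWAY_CLIENT_ID = "e4da4a32-592b-46f0-ae1d-784310e88423";

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // The gateway relays a bearer token on every call; no HTTP session is needed here.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeRequests(authz -> authz
                // Only tokens carrying scope message.read may reach /res/foo (as in the article).
                .antMatchers("/res/foo").hasAuthority("SCOPE_message.read")
                // Everything else under /res needs at least a valid token; deny the rest outright.
                .antMatchers("/res/**").authenticated()
                .anyRequest().denyAll())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // Fetch the Id Server's signing keys from its JWKS endpoint and validate signature,
    // exp/nbf, issuer and audience. A token minted for a different client (wrong "aud")
    // or by a different issuer is rejected before any scope check runs.
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
                "aud", aud -> aud != null && aud.contains(GATEWAY_CLIENT_ID));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }

    // Map the "scope" claim to SCOPE_* authorities so hasAuthority("SCOPE_message.read")
    // matches; this is Spring Security's default mapping, spelled out explicitly.
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();
        scopes.setAuthorityPrefix("SCOPE_");
        scopes.setAuthoritiesClaimName("scope");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(scopes);
        return converter;
    }
}
```

With this in place the jwk-set-uri property from the YAML is no longer needed, because the decoder bean supplies the JWKS location itself; keep one or the other, not both. The audience check is the part most often left out: without it, any valid token from the same Id Server, issued to any client, would be accepted by this resource server as long as it carried the right scope.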
Demo and Usage
The complete demo resides in the samples directory of the Id Server repository. To run it:
Clone the Id Server project and load its dependencies.
In IntelliJ IDEA, right‑click each pom.xml under samples and select “Add As Maven Project”.
Start the Id Server, the gateway, and the resource server in that order.
Test Login
Open a browser to http://127.0.0.1:8080/login and follow the redirect to http://localhost:9000.
Log in with user/user.
Successful authentication shows user info (do not expose this in production).
Access http://127.0.0.1:8080/res/foo to reach the protected resource.
Another Test
Close and reopen the browser, then visit http://127.0.0.1:8080/res/foo to observe the behavior without an active session.
Conclusion
By combining an OAuth2 client, Spring Cloud Gateway, an OAuth2 authorization server, and an OAuth2 resource server, you can implement a complete and secure microservice authentication flow using the authorization‑code grant, which is far safer than the deprecated password grant. Future extensions of the Id Server will enable seamless third‑party logins.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"