OAuth2 authentication betwwen registry and gateway

[DenisThomas]

jhipster info for the gateway :

JHipster Version(s)

[email protected] /home/denis/testws/gw
└── [email protected] 

JHipster configuration, a .yo-rc.json file generated in the root folder

.yo-rc.json file

{
    "generator-jhipster": {
        "promptValues": {
            "packageName": "com.ins.gw",
            "nativeLanguage": "en"
        },
        "jhipsterVersion": "5.8.2",
        "applicationType": "gateway",
        "baseName": "gw",
        "packageName": "com.ins.gw",
        "packageFolder": "com/ins/gw",
        "serverPort": "8080",
        "authenticationType": "oauth2",
        "cacheProvider": "hazelcast",
        "enableHibernateCache": true,
        "websocket": false,
        "databaseType": "sql",
        "devDatabaseType": "h2Memory",
        "prodDatabaseType": "postgresql",
        "searchEngine": false,
        "messageBroker": false,
        "serviceDiscoveryType": "eureka",
        "buildTool": "maven",
        "enableSwaggerCodegen": false,
        "clientFramework": "angularX",
        "useSass": true,
        "clientPackageManager": "npm",
        "testFrameworks": [],
        "jhiPrefix": "jhi",
        "entitySuffix": "",
        "dtoSuffix": "DTO",
        "otherModules": [],
        "enableTranslation": true,
        "nativeLanguage": "en",
        "languages": ["en", "fr"]
    }
}

JDL for the Entity configuration(s) entityName.json files generated in the .jhipster directory

JDL entity definitions

Environment and Tools

java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)

git version 2.17.1

node: v9.0.0

npm: 5.5.1

yarn: 1.7.0

Docker version 18.09.2, build 6247962

docker-compose version 1.17.1, build unknown

Overview of the issue

This issue concerns authentication between registry and gateway with keycloak. We have to be authenticated on gateway and registry to view configuration or metrics of gateway in registry.

Motivation for or Use Case

Authentication between registry and gateway is unstable with keycloak. In some cases, registry send a 401 error on /login...

Reproduce the error

• Start a keycloak server : tested with version 5.0.0 and docker image jboss/keycloak:3.3.0.CR2-3
• Start registry, version 4.1.1
• Start gateway
• Login on registry : we are redirect on keycloak, and after authentication, we return on registry home page as admin
• We see gateway is up
• Go on Administration/configuration, select gateway
• We get a 302 redirection from gateway_url/management/env to gateway_url/login, producing a new redirect to keycloak login page
• On same browser, connect to gateway and login
• On registry, go on configuration of gateway, it works
• On registry, click on logout button : we go on home page, but still connected
• On registry, we click again on logout : we are disconnected, on page with sign in button.
• On gateway, click on sign out : we are disconnected
• On registry, try to login : we get a 401 on /login ...
• Relogin on gateway, relogin on registry, always unauthorized to get /login...

Related issues

This issue may be related to issue 292 OAuth2 Gateway Management Broken

Suggest a Fix

I don't know if the problem comes from gateway or registry, and I don't known enough OAuth2 to suggest a fix.

JHipster Registry Version(s)

Gateway has been generated with jhipster 5.8.2, and registry is in version 4.1.1

Browsers and Operating System

Tested on linux with firefox 65 and chromium 73

• Checking this box is mandatory (this is just to show you read everything)

Denis

[mraible]

If I understand this issue correctly, I believe it might be happening because JHipster Registry does not include global OIDC logout. Is that you can't log out of the registry the main issue?

[DenisThomas]

No, my main issue is about I have to be logged in gateway to get metrics and/or configuration of gateway from registry. I guess that the problem of logout gateway / registry is a consequence of this.

There is another problem I did not talk here because I cannot reproduce at each time. Sometimes, when I start a service after I log in registry, I cannot get its metrics/configuration. I have to disconnect and reconnect for this.

[ruddell]

I mentioned the gateway login requirement here, I'm not sure of how to fix it though.