spring-cloud-security | Security concerns for distributed applications | Microservice library

i'm trying to get the war file from Jhipster project project using this command

Currently in developer training, I am working on a personal project on spring. I started java 6 months ago, so there is a certain notion that I do not yet master. My trainer does not know spring at all, so he cannot help me. I am also French and there is very little reliable documentation on spring (it is evolving quickly). For example, I followed a French tutorial on microservices, and I used the ribbon and zuul proxy while they are currently in maintenance at spring. I started all over (new project) to recode in reactive webflux

I have several concerning spring starter security or spring cloud security

• Spring cloud config (in connection with gitlab)
• eureka server
• admin server
• gateway
• 2 business microservices
• 2 sub-module (model and repository)

I want all my microservices and the internal microservices (eureka, admin server, configserver) to be secure now. But I do not know how.

I want the microservice that consults config-server to identify themselves, and I also want the microservice gateway to identify itself to make requests to other microservices. Finally I want all my microservices to be protected.

Should we put spring-starter-security in microservice? Should we create a new microservice with spring-cloug-security? Should we create a new spring-cloud-security microservice and add spring-start-security everywhere?

https://cloud.spring.io/spring-cloud-security/2.2.x/reference/html/ Obviously I find this link not very explanatory

Thank you

In Spring Boot with MVC it was possible to get information about Keycloak user realm and defined attributes through injected Principal in controller method, which was of type KeycloakAuthenticationToken, which provides this information.

But in Spring Cloud Gateway with dependencies

In the logs, Zipkin status is coming as true but I can not see it in the Zipkin UI.

I'm trying to create a sample authorization server using the spring security oauth2 framework. The tutorials are confusing compared to any other spring related examples.

Update: If you are looking for a working solution, go to my answer. Ignore the code below.

When I invoked the token issue endpoint, the following error was thrown

This seems like a pretty common question, and has a simple answer however implementing the documented solution isn't working for me.

I have a zuul proxy/gateway for all incoming requests which then forwards those onto different micro services. Each incoming request has a correct bearer token set in the header (this is set and validated in the front end (from okta) and confirmed it works when skipping Zuul and going direct to a service), I just need to pass that onto the micro services.

EdgeServiceApplication

I am currently following this tutorial on how to implement oauth2 Authentication and Authorization with microservices:

http://stytex.de/blog/2016/02/01/spring-cloud-security-with-oauth2/

I have it working as is, but I am having a real hard time trying to figure out how to implement jwt with HS256 rather than the current RSA256 algorithm that's being used.

I think I've narrowed it down to this snippet of code from the authentication server in the Oauth2Configuration class:

I have an oauth-server secured with 'spring-cloud-oauth2' and 'spring-cloud-security' and the application is a spring-boot application. I am trying to get access_token from an angular 2 app, i.e. I want to login from angular 2 app. In my oauth-server I have a client-id=microservice and client-secret=microservicesecret. I have checked the oauth-server from postman where, in the authorization section, for username and password, I use the client-id and client-secret respectively. And in the body section, I use grant_type=password, client_id=microservice, username=m@email.com, password=passw0rd and everything works great.

But, I am having trouble using the configuration in angular 2 app. I have used the following code-snippets.