Empty payload in ID Token when using Spring Cloud Gateway

anna.gz · February 1, 2023, 4:26pm

We have problems with obtaining ID token using auth0 SDK.
We have API Gateway based on Spring Cloud Gateway (version 3.1.4) where we try to use your auth0 platform to authenticate the users and then route the exchange to our micro services. To do it we would like to use ID Token and get email from it and pass this email to our micro services.

We log in by hitting oauth2/authorization/auth0 endpoint, we are being redirected to auth0 login page, where we provide credentials, then we get redirect back to our app.

When we configuire endpoints directly in API Gateway and mark them with @AuthenticationPrincipal OidcUser user it works and we have full user details as well as ID token.

When we proxy the exchange to different service we have Authorisation header in the request, which contains only header & signature part without payload in the ID token.

We would need the payload in ID Token in order to fetch user email for mapping the user with our internal DB in our micro services.

What do you think would be the proper workflow in this case and how can we solve this issue?

We tried to use Rules & Actions, which I paste below, but it didn’t helped us.

Our configuration looks like this:

@Bean
    public SecurityWebFilterChain filterChain(ServerHttpSecurity http) throws Exception {
        return http
            .csrf().disable()
            .authorizeExchange()
            .pathMatchers("/test").authenticated()
            .anyExchange().authenticated()
            .and().oauth2Login()
            .and().logout().logoutSuccessHandler(logoutSuccessHandler())
            .and().build();
    }

In the RouteLocator in GatewayConfiguration we have filter for TokenRelay.

Our Action looks like this:

exports.onExecutePostLogin = async (event, api) => {
  const namespace = 'http://test.{our_local_development_route}:8888';
  if (event.authorization) {
    api.idToken.setCustomClaim(`${namespace}/claims/email`, event.user.email);
    api.accessToken.setCustomClaim(`${namespace}/email`, event.user.email);
  }
};

And Rule:

function addEmailToAccessToken(user, context, callback) {
  // This rule adds the authenticated user's email address to the access token.

  const namespace = 'http://test.{our_local_development_route}:8888';
  context.idToken[namespace + 'email'] = user.upn;
  context.accessToken[namespace + 'email'] = user.email;
  return callback(null, user, context);
}