This repository has been archived by the owner on Apr 5, 2022. It is now read-only.

Authorization server behind Zuul #94

Closed
kakawait opened this issue Apr 7, 2016 · 2 comments


kakawait commented Apr 7, 2016

I would like to be able to put my AuthorizationServer behind Zuul for multiple purposes (see below).

It's actually possible without changes (POC: https://github.com/kakawait/uaa-behind-zuul-sample), but it requires some tricks.

Enjoy Zuul/Ribbon load balancing for HA AuthorizationServer

The AuthorizationServer for a fully authenticated app is a kind of SPOF, so it's important to replicate instances for HA. Instead of using its own load balancing, why not use Zuul, as in the following architecture?

[Figure: uaa behind zuul]

Do not expose AuthorizationServer on web

I would like Zuul to be the only entry point of my application, as in the previous architecture.

Portable configuration

Related to spring-attic/spring-security-oauth#671

The idea is to avoid any absolute URLs in (at least) the following properties:

  • security.oauth2.client.accessTokenUri
  • security.oauth2.client.userAuthorizationUri

Using path for security.oauth2.client.userAuthorizationUri?
Using service-registry for security.oauth2.client.accessTokenUri?

Thus

security:
  oauth2:
    client:
      accessTokenUri: http://localhost:9999/uaa/oauth/token
      userAuthorizationUri: http://localhost:9999/uaa/oauth/token

should become

security:
  oauth2:
    client:
      accessTokenUri: http://uaa-service/uaa/oauth/token
      userAuthorizationUri: /uaa/oauth/token

zuul:
  routes:
    uaa-service:
      sensitiveHeaders:
      path: /uaa/**
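
One way a client application could resolve a path-only userAuthorizationUri, as proposed above, into the absolute redirect sent to the browser. This is an added example, not code from the issue or from Spring Cloud Security; the class, the method and the allowlisted host names are hypothetical, and it assumes the proxy passes the browser-facing origin in X-Forwarded-Proto and X-Forwarded-Host.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

// Added illustration: names are hypothetical, not Spring Cloud Security API.
public class RelativeAuthorizationUri {

    // Assumption: the public origins Zuul is served on are known (constructed values).
    static final Set<String> ALLOWED_HOSTS = Set.of("localhost:8080", "app.example.test");

    /**
     * Builds the absolute browser redirect for a configured userAuthorizationUri.
     * An absolute value is returned unchanged; a path is resolved against the origin
     * the browser used, read from X-Forwarded-Proto / X-Forwarded-Host.
     * Header names in the map are expected in lower case.
     */
    static URI resolve(String configured, Map<String, String> headers,
                       String requestScheme, String requestHost) {
        URI uri = URI.create(configured);
        if (uri.isAbsolute()) {
            return uri;
        }
        // "//host/path" is scheme-relative and would replace the authority on resolve().
        if (!configured.startsWith("/") || configured.startsWith("//")) {
            throw new IllegalArgumentException("expected a path starting with a single '/'");
        }
        String proto = headers.getOrDefault("x-forwarded-proto", requestScheme);
        String host = headers.getOrDefault("x-forwarded-host", requestHost);
        // Forwarded headers are request data, so only known origins are accepted.
        boolean schemeOk = proto.equals("http") || proto.equals("https");
        if (!schemeOk || !ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("untrusted origin " + proto + "://" + host);
        }
        return URI.create(proto + "://" + host).resolve(uri);
    }

    public static void main(String[] args) {
        String configured = "/uaa/oauth/token"; // value from the proposed configuration
        Map<String, String> viaZuul = Map.of(
                "x-forwarded-proto", "http", "x-forwarded-host", "localhost:8080");
        System.out.println(resolve(configured, viaZuul, "http", "client-app:8081"));

        Map<String, String> spoofed = Map.of("x-forwarded-host", "unknown.example.test");
        try {
            resolve(configured, spoofed, "http", "client-app:8081");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```
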

@hwildwood

👍

@spencergibb
Contributor

Closing this due to inactivity. Please re-open if there's more to discuss.
