I'm using Spring Cloud Gateway as a BFF as described in https://www.baeldung.com/spring-cloud-gateway-bff-oauth2.
I now need to do the same using password grant (resource owner password credentials flow) instead of the authorization code flow and I'm completely lost in the Spring Security jungle :-(.
Looking at the spring security docs about password grants, I managed to call an endpoint and ask for an access token using the following snippet:
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

private final ReactiveOAuth2AuthorizedClientManager authorizedClientManager;

@GetMapping("/do-login")
public Mono<String> index(ServerWebExchange exchange) {
    // Ask the manager for a token from the "keycloak-pwd" registration; attaching the exchange
    // lets the manager store the resulting OAuth2AuthorizedClient in its client repository
    OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest.withClientRegistrationId("keycloak-pwd")
            .principal(new UsernamePasswordAuthenticationToken("frodo", "frodo"))
            .attribute(ServerWebExchange.class.getName(), exchange)
            .build();
    return this.authorizedClientManager.authorize(authorizeRequest)
            .map(OAuth2AuthorizedClient::getAccessToken) // token is obtained here but then discarded
            .thenReturn("index");
}
However, I have no idea what to do with it. How can I create a SecurityContext from the result and make sure it is saved in the web session of my BFF?
I was thinking about a way to wire an AuthenticationWebFilter that converts some request using a ServerFormLoginAuthenticationConverter to a UsernamePasswordAuthenticationToken, but basically I'm lost and want to be found :-).
Any clues? Guidance? Anything?
P.S.: I know I shouldn't use password grant and that it's deprecated. But I'm not the one to decide :-(.
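One way to wire the missing step, as an added example that is not the asker's code and not part of the Baeldung article: a POST /login endpoint that runs the password grant through a ReactiveOAuth2AuthorizedClientManager configured with the password provider, then builds an OAuth2AuthenticationToken and stores it in the WebSession through WebSessionServerSecurityContextRepository. It assumes Spring Boot's reactive OAuth2 client starter provides the ReactiveClientRegistrationRepository and ServerOAuth2AuthorizedClientRepository beans, that the "keycloak-pwd" registration from the question has authorization-grant-type "password", that the login form posts fields named "username" and "password", and that "preferred_username" is an acceptable name attribute for the principal; all of those names are assumptions, not something the question states.

```java
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.oauth2.client.DefaultReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.server.ServerOAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.core.user.DefaultOAuth2User;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@RestController
public class PasswordLoginController {

    private static final String REGISTRATION_ID = "keycloak-pwd"; // registration name taken from the question

    private final ReactiveOAuth2AuthorizedClientManager authorizedClientManager;
    // Same session-backed repository the reactive filter chain uses by default,
    // so the context saved here is the one later requests are authenticated with.
    private final ServerSecurityContextRepository securityContextRepository =
            new WebSessionServerSecurityContextRepository();

    public PasswordLoginController(ReactiveClientRegistrationRepository registrations,
                                   ServerOAuth2AuthorizedClientRepository authorizedClients) {
        // The default manager has no password provider; wire one, plus refresh_token so an
        // expired access token is refreshed instead of the user being asked to log in again.
        DefaultReactiveOAuth2AuthorizedClientManager manager =
                new DefaultReactiveOAuth2AuthorizedClientManager(registrations, authorizedClients);
        manager.setAuthorizedClientProvider(ReactiveOAuth2AuthorizedClientProviderBuilder.builder()
                .password()
                .refreshToken()
                .build());
        this.authorizedClientManager = manager;
    }

    // POST /login with form fields "username" and "password" (assumed form contract).
    @PostMapping("/login")
    public Mono<Void> login(ServerWebExchange exchange) {
        return exchange.getFormData()
                .flatMap(form -> {
                    String username = form.getFirst("username");
                    String password = form.getFirst("password");
                    if (username == null || password == null) {
                        return Mono.<OAuth2AuthorizedClient>error(new ResponseStatusException(
                                HttpStatus.BAD_REQUEST, "username and password are required"));
                    }
                    return authorize(exchange, username, password);
                })
                .flatMap(client -> establishSession(exchange, client));
    }

    private Mono<OAuth2AuthorizedClient> authorize(ServerWebExchange exchange,
                                                   String username, String password) {
        // The password provider reads the credentials from these two context attributes;
        // the principal only supplies the name the authorized client is stored under.
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest.withClientRegistrationId(REGISTRATION_ID)
                .principal(new UsernamePasswordAuthenticationToken(username, password))
                .attribute(ServerWebExchange.class.getName(), exchange)
                .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username)
                .attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password)
                .build();
        // With the exchange attached, the manager saves the resulting OAuth2AuthorizedClient
        // in the ServerOAuth2AuthorizedClientRepository (the web session by default).
        return authorizedClientManager.authorize(request);
    }

    private Mono<Void> establishSession(ServerWebExchange exchange, OAuth2AuthorizedClient client) {
        String username = client.getPrincipalName();
        // Authorities from the granted scopes, using the SCOPE_ prefix convention of Spring's
        // resource-server support; map roles out of the token instead if that is what you need.
        Set<GrantedAuthority> authorities = client.getAccessToken().getScopes().stream()
                .map(scope -> new SimpleGrantedAuthority("SCOPE_" + scope))
                .collect(Collectors.toSet());
        // An OAuth2AuthenticationToken carries the registration id, which the gateway's
        // TokenRelay filter expects; "preferred_username" is an assumed name attribute.
        Map<String, Object> attributes = Map.of("preferred_username", username);
        DefaultOAuth2User user = new DefaultOAuth2User(authorities, attributes, "preferred_username");
        OAuth2AuthenticationToken authentication =
                new OAuth2AuthenticationToken(user, authorities, REGISTRATION_ID);
        // Persist the SecurityContext in the WebSession; the repository also changes the
        // session id on save, which is what protects the login against session fixation.
        return securityContextRepository.save(exchange, new SecurityContextImpl(authentication));
    }
}
```

Two things to check before relying on this. First, the credentials go through your BFF in clear text on this one request, so keep the endpoint behind TLS only, never log the form body, and rate-limit it; the BFF is now an online password oracle for the IdP. Second, the principal type matters for the gateway: older Spring Cloud Gateway releases only relay a token when the principal is an OAuth2AuthenticationToken, which is why the example builds one instead of saving the UsernamePasswordAuthenticationToken directly; check what the TokenRelay filter in your gateway version accepts. The POST is also subject to WebFlux's default CSRF protection, so the form must carry the CSRF token unless you deliberately exclude this path.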