Jhipster microservices: JWT authentication: 401 Unauthorized

Question

When I tried to visit a protected URL of microservice through the gateway eg: HTTP://localhost:8080/services/microservicename/api/** I am getting the following error

401 Unauthorized, full authentication requested .

I am using JWT authentication for microservices and I do have a separate registry service. What might be causing this issue?

Answer 1

The first step in debugging should be to see if you are getting authenticated with the gateway.

To get authenticated with the gateway pass in request body raw json data
{"username":"admin","password":"admin","rememberMe":"true"}
to the gateway authentication URL http://localhost:8080/api/authenticate and you will get an id_token in response. Use this id_token data as Authorization Bearer token in every request you would like to process which is protected eg:- http://localhost:8080/services/microservicename/path

Upon gateway authentication confirmation the second step to debug would be to see SecurityConfiguration.java in the config folder of a particular microservice you are trying to access. In the SecurityFilterChain function you would see something like .antMatchers("/api/**").authenticated(). The end of the antMatcher would be either permitAll() authenticated() or hasAuthority(AuthoritiesConstants.ADMIN).

1. If it is permitAll() all requests would reach microservice and get processed upon gateway authentication.

2. if it is hasAuthority(AuthoritiesConstants.Admin) implies you would have to log in as that particular user. By default there are two users in Jhipster 'admin' {username:admin, password:admin} or user {username:user, password:user} and only then microservice controller will process your request.

3. if it authenticated() then any user type login would process the request.

If you are still facing the 401 Unauthorized, full authentication requested it's probably the JWT secret that is causing the issue. When I was debugging the problem, I initially missed the details on the original documentation page. https://www.jhipster.tech/security/

Make sure you have the same jwt secret in application-dev.yml and application-prod.yml as the Gateway's application-dev.yml and application-prod.yml files.