I have an application consisting of microservices: gateway + discovery service + microservices. Right now I'm implementing Spring Security in the Zuul gateway so that after a successful login it returns a JWT with the grants. So the gateway acts as an authorization and authentication server. I think this way the ecosystem is secure because the gateway won't allow any unauthorized access to the endpoints.
I'm applying this flow because I don't want to individually configure every microservice. This is a single secure entry point.
And now, I've read about OAuth and made an implementation in a demo app, but I don't understand correctly whether OAuth2 will make my app easier or will add unnecessary complexity. I read that Spring Auth Server is not yet implemented, so I think I would need to use Okta or Keycloak.
What would be the advantage of implementing OAuth2 vs Gateway + Basic Auth + JWT?
As an additional note: the app consists of different apps with different UIs; I will distinguish which user can access which product by their group.
Thank you so much for your advice.
If I understand correctly you are using JWT without OAuth2?
What would be the advantage of implementing OAuth2 vs Gateway + Basic Auth + JWT?
OAuth2 is an access delegation protocol that supports specific flows in your application. OAuth2 standardizes how your token (e.g. a JWT) is obtained by a user or by another web application. So in your case it can be understood as generating JWT tokens in a standardized way.
Are there any benefits because of that? It depends :)
Having an OAuth2 Authorization Server enables you to integrate some 3rd-party apps with your security (only if they support OAuth2/OpenID). If that is (or will be) your case, then you should consider using OAuth2 in your application.
Your current setup (Basic Auth + JWT) may have some security concerns. If I understood you correctly, you are sending user credentials (username + password) in the Authorization header and exchanging them for a JWT? If users log in using a public client (a web page with a login form), then you are just using OAuth2 with the password grant type flow, which is considered a serious security concern (https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications)
The question you should ask is what the potential problems with using Basic Authentication are and how those problems can be solved by OAuth2.
And now, I've read about OAuth and made an implementation in a demo app, but I don't understand correctly whether OAuth2 will make my app easier or will add unnecessary complexity. I read that Spring Auth Server is not yet implemented, so I think I would need to use Okta or Keycloak.
You don't have to use Okta or Keycloak. You can create your own Authorization Server in Spring (https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html5/). This can be treated as another service in your microservice architecture responsible for authorization (issuing tokens, for example). Optionally you could add a user management API there (managing privileges for other parts of your system) and remove that from the gateway.
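The two ways of obtaining the gateway's JWT that the answer above contrasts, as an added example that is not part of the question or the answer: an in-memory authorization server in plain Python (standard library only) that issues HS256 JWTs carrying a `groups` claim, a gateway-side check that verifies the token and gates a route on group membership, and both token-acquisition paths side by side. In the password grant the client handles the user's password itself, which is what "Basic Auth at the gateway, exchanged for a JWT" amounts to; in the authorization code flow with PKCE the password only ever reaches the authorization server and the client receives a one-time code bound to a verifier it generated. The user table, client id, redirect URI and all secrets are constructed for the demo and are assumptions, not anything from the original post or from Spring.

```python
"""Added example, not code from the original post. In-memory OAuth2-style
authorization server issuing HS256 JWTs with a 'groups' claim, plus a
gateway-side verifier. Users, client ids and secrets below are constructed
demo data (assumptions), not real configuration."""
import base64, hashlib, hmac, json, secrets, time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthorizationServer:
    # Constructed demo data: username -> (password, groups). A real server
    # would store password hashes; plaintext here only keeps the demo short.
    USERS = {"alice": ("alice-pw", ["billing", "reports"]),
             "bob": ("bob-pw", ["reports"])}
    # Assumed registered public client and its only allowed redirect URI.
    REGISTERED_CLIENTS = {"spa-ui": "https://ui.example.test/callback"}

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self._codes = {}  # authorization code -> (username, client_id, code_challenge)

    def _check_password(self, username, password):
        rec = self.USERS.get(username)
        return rec is not None and hmac.compare_digest(rec[0].encode(), password.encode())

    def _issue_jwt(self, username, ttl=300):
        """Mint a short-lived HS256 JWT whose 'groups' claim drives routing."""
        now = int(time.time())
        header = {"alg": "HS256", "typ": "JWT"}
        payload = {"sub": username, "groups": self.USERS[username][1],
                   "iat": now, "exp": now + ttl}
        signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                         b64url(json.dumps(payload, separators=(",", ":")).encode()))
        sig = hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    # Password grant (ROPC): the client forwards the user's password directly.
    def password_grant(self, username, password):
        return self._issue_jwt(username) if self._check_password(username, password) else None

    # Authorization code + PKCE, step 1: the user authenticates at the server,
    # the client only receives a one-time code tied to its code_challenge.
    def authorize(self, username, password, client_id, redirect_uri, code_challenge):
        if self.REGISTERED_CLIENTS.get(client_id) != redirect_uri:
            return None
        if not self._check_password(username, password):
            return None
        code = secrets.token_urlsafe(32)
        self._codes[code] = (username, client_id, code_challenge)
        return code

    # Step 2: the client proves it started the flow by presenting the verifier.
    def token_from_code(self, code, client_id, code_verifier):
        entry = self._codes.pop(code, None)  # single use: replay returns None
        if entry is None or entry[1] != client_id:
            return None
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected.encode(), entry[2].encode()):
            return None
        return self._issue_jwt(entry[0])


def verify_jwt(token, key):
    """Gateway-side check: HMAC signature and expiry. Returns claims or None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    return claims if claims.get("exp", 0) >= time.time() else None


def gateway_allows(token, key, required_group):
    """Route guard: only tokens whose 'groups' claim contains required_group pass."""
    claims = verify_jwt(token, key)
    return claims is not None and required_group in claims.get("groups", [])


def demo():
    key = secrets.token_bytes(32)
    srv = AuthorizationServer(key)
    redirect = "https://ui.example.test/callback"
    # ROPC: the client (e.g. a login form on the gateway) handled alice's password.
    ropc_token = srv.password_grant("alice", "alice-pw")
    # Code + PKCE: the client builds verifier/challenge and never sees the password.
    verifier = secrets.token_urlsafe(48)
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    code = srv.authorize("alice", "alice-pw", "spa-ui", redirect, challenge)
    pkce_token = srv.token_from_code(code, "spa-ui", verifier)
    # Tamper with the payload (grant bob the 'billing' group) but keep the signature.
    h, p, s = srv.password_grant("bob", "bob-pw").split(".")
    forged = json.loads(b64url_decode(p)); forged["groups"].append("billing")
    forged_token = h + "." + b64url(json.dumps(forged, separators=(",", ":")).encode()) + "." + s
    return {
        "ropc_ok": gateway_allows(ropc_token, key, "billing"),
        "pkce_ok": gateway_allows(pkce_token, key, "billing"),
        "bob_denied": not gateway_allows(srv.password_grant("bob", "bob-pw"), key, "billing"),
        "replay_rejected": srv.token_from_code(code, "spa-ui", verifier) is None,
        "wrong_verifier_rejected": srv.token_from_code(
            srv.authorize("alice", "alice-pw", "spa-ui", redirect, challenge),
            "spa-ui", "not-the-verifier") is None,
        "forged_groups_rejected": not gateway_allows(forged_token, key, "billing"),
    }


if __name__ == "__main__":
    print(demo())
```

Whichever path mints the token, the gateway's check is the same: verify the signature, check `exp`, then read `groups`. What changes is who sees the password: with the password grant every UI and the gateway itself handle it, with the code flow only the authorization server does, and the PKCE verifier plus single-use code stop a stolen code from being redeemed by anyone else.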