Broadleaf Microservices

Configuring Client Credentials

Overview

If you started building your project from the sample MicroservicesStarter or an equivalent Broadleaf Microservices starter project, you may have noticed that the application loads some default client credentials that allow connectivity between the services.

Main FlexPackage

For example, your main FlexPackage applicationContext-default.xml may include properties like the following:

spring:
  security:
    oauth2:
      client:
        registration:
          catalog:
            authorization-grant-type: client_credentials
            client-id: catalog
            client-secret: catalog_secret
          customer:
            authorization-grant-type: client_credentials
            client-id: customer
            client-secret: customer_secret
          search:
            authorization-grant-type: client_credentials
            client-id: search
            client-secret: search_secret
          ...

Authentication Service

The default AuthenticationServices image also loads corresponding client credentials SQL records into the blc_client table of the Auth schema. These records match the service-to-service configurations defined above, and this table is where the corresponding client_id and client_secret values are stored.

Important: the client_secret is BCrypted by default.

Example Scenario

Let’s assume that you’re getting ready to deploy your application to production on Kubernetes. In the various FlexPackages that need connectivity to one another via the client credentials OAuth grant, you’ll most likely want to update the default client-secret.

In this example, let’s say you wanted to update the secret for the catalog client-id to BroadleafMicroservices!.

Step 1: Update BCrypt New Secret in Auth.BLC_CLIENT

You’ll want to update the corresponding catalog client_id record in the blc_client table of the auth schema with the BCrypt-encoded value of the new secret, which can be generated with:

new BCryptPasswordEncoder().encode("BroadleafMicroservices!")

Step 2: Override FlexPackage Env Variable

In my main FlexPackage K8 Manifest, I can pass in the following environment variable override:

SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_CATALOG_CLIENTSECRET
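
A manifest sketch for Step 2, added here as an example and not taken from Broadleaf's own documentation or starter project: it supplies the override from a Kubernetes Secret instead of a literal value in the Deployment. The Secret, Deployment, label and image names are assumptions; only the environment variable name and the example secret come from this page.

```yaml
# Added example. Resource names, labels and the image are hypothetical.
# In practice the Secret is created out-of-band (or by a secrets manager)
# so the plaintext never lands in version control; it is shown inline
# here only to keep the example complete.
apiVersion: v1
kind: Secret
metadata:
  name: catalog-client-credentials        # hypothetical name
type: Opaque
stringData:
  # Raw secret the client presents. blc_client stores its BCrypt hash (Step 1).
  client-secret: "BroadleafMicroservices!"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: main-flexpackage                  # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: main-flexpackage
  template:
    metadata:
      labels:
        app: main-flexpackage
    spec:
      containers:
        - name: main-flexpackage
          image: registry.example.com/main-flexpackage:placeholder  # placeholder image
          env:
            # Weak form: a literal value is readable by anyone who can read
            # the manifest or the Deployment object.
            # - name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_CATALOG_CLIENTSECRET
            #   value: "BroadleafMicroservices!"
            #
            # Preferred form: reference the Secret, so access to the value
            # is governed by RBAC on Secrets rather than on Deployments.
            - name: SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_CATALOG_CLIENTSECRET
              valueFrom:
                secretKeyRef:
                  name: catalog-client-credentials
                  key: client-secret
```

The environment variable must carry the plaintext secret, not the BCrypt hash written to blc_client in Step 1. Spring's relaxed binding maps the variable onto spring.security.oauth2.client.registration.catalog.client-secret.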