Broadleaf Microservices
  • v1.0.0-latest-prod

Configuring Client Credentials

Important
Since Release Train 1.8.3, if you are utilizing an Initializr-based project, the process of generating these secure configurations has been automated and is considered part of the generated security module. See the Initializr security page for more details. It is still beneficial to review these documents to understand the full mechanics behind each of these configurations.

Overview

In Broadleaf’s MicroservicesDemo starter project, you may have noticed that the application loads some default client credentials that allow connectivity between the services.

Main FlexPackage

For example, your main FlexPackage applicationContext-default.xml may include some properties like below:

spring:
  security:
    oauth2:
      client:
        registration:
          catalog:
            authorization-grant-type: client_credentials
            client-id: catalog
            client-secret: <default secret>
          customer:
            authorization-grant-type: client_credentials
            client-id: customer
            client-secret: <default secret>
          search:
            authorization-grant-type: client_credentials
            client-id: search
            client-secret: <default secret>
          ...

Authentication Service

The default AuthenticationServices image also loads corresponding client credentials SQL records into the Auth schema blc_client table that match the service to service configurations defined above. This is where the corresponding client_id and client_secret records are stored.

Important: the client_secret is BCrypted by default.

Example Scenario

Let’s assume that you’re getting ready to deploy your application to production on Kubernetes. In the various FlexPackages that need connectivity to one another via the client credentials OAuth grant, you’ll most likely want to update the default client-secret.

In this example, let’s say you wanted to update the secret for the catalog client-id to BroadleafMicroservices!.

Step 1: Update the BCrypted New Secret in Auth.BLC_CLIENT

You’ll want to update the corresponding catalog client_id record in the blc_client table of the auth schema with the BCrypt hash of the new secret (not the plaintext), which you can generate with Spring Security’s BCryptPasswordEncoder:

new BCryptPasswordEncoder().encode("BroadleafMicroservices!")

Step 2: Override FlexPackage Env Variable

In the main FlexPackage Kubernetes manifest, you can pass in the following environment variable override (the Spring Boot relaxed-binding form of spring.security.oauth2.client.registration.catalog.client-secret):

SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_CATALOG_CLIENTSECRET
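The two steps above, worked through as an added example that is not code from the Broadleaf starter: it assumes Spring Security’s BCryptPasswordEncoder is on the classpath and that the blc_client column names are client_id and client_secret as described above (verify them against your schema).

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import java.util.Locale;

/**
 * Rotates one client_credentials secret: produces the BCrypt hash for the
 * Auth database and the environment-variable override for the FlexPackage.
 */
public class ClientSecretRotation {

    private static final BCryptPasswordEncoder ENCODER = new BCryptPasswordEncoder();

    /** BCrypt hash to store in blc_client.client_secret (salted, so it differs on every call). */
    public static String hashForDatabase(String plaintextSecret) {
        return ENCODER.encode(plaintextSecret);
    }

    /** Parameterised SQL to apply the new hash; column names assumed from this page. */
    public static String updateStatement() {
        return "UPDATE blc_client SET client_secret = ? WHERE client_id = ?";
    }

    /**
     * Spring Boot relaxed binding: dots become underscores, dashes are dropped,
     * everything is upper-cased. Note that "client-secret" becomes "CLIENTSECRET".
     */
    public static String envVariableName(String propertyKey) {
        return propertyKey.replace(".", "_").replace("-", "").toUpperCase(Locale.ROOT);
    }

    /** The check Auth makes at token time: plaintext from the env against the stored hash. */
    public static boolean secretsAgree(String envPlaintext, String dbHash) {
        return ENCODER.matches(envPlaintext, dbHash);
    }

    public static void main(String[] args) {
        String clientId = "catalog";
        String newSecret = "BroadleafMicroservices!"; // the new secret from the scenario above

        String hash = hashForDatabase(newSecret);
        System.out.println("Step 1 SQL: " + updateStatement());
        System.out.println("  client_secret = " + hash + ", client_id = " + clientId);

        String envName = envVariableName(
                "spring.security.oauth2.client.registration." + clientId + ".client-secret");
        System.out.println("Step 2 ENV: " + envName + "=<new plaintext secret>");

        // A mismatch between the env value and the DB hash means every token request fails.
        System.out.println("env/db agree:           " + secretsAgree(newSecret, hash));
        System.out.println("old default still works: " + secretsAgree("<default secret>", hash));
    }
}
```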

Tip: Utilizing the CredentialsGeneratorUtil (only applicable to MicroservicesDemo based projects and not Initializr-based projects)

Your Microservices Demo starter project ships with a test class called com.broadleafdemo.demo.CredentialsGeneratorUtil to aid in generating keys for encryption purposes in the app across different Flex Package Compositions.

This performs the same function as KeyGeneratorUtil in Auth, but also generates a report of all ENV properties and DB updates that likely need review.

Note
Reach out to our microservices support channel if your version of the starter does not include this test class and you would like access to this example.