TokenRelay not forwarding access token downstream

[EmilAvramov]

I followed the BFF tutorial, and while my architecture is somewhat similar, I'm having the issue that once the gateway (acting as a reverse proxy, oauth client) fetches the token from Keycloak via the session (I can see Spring calling userinfo with the token, so it's there), but doesn't forward it downstream to my resource server.

My frontend gets redirected to keycloak, the user logs in and is redirected back to the app, but due to no token being passed downstream, my BFF is getting an anonymous token. I've looked at the request going to the BFF and there's really no authorization header, or a token sent downstream.

I'm new to Spring/Java, so I'm probably missing something, please let me know. Below are my configs:

My gateway is running on http://localhost:8081, Keycloak on 8080 and resource server on 7001.

Gateway (BFF):

spring:
  cloud:
    security:
      oauth2:
        client:
          registration:
            keycloak:
              provider: keycloak
              client-id: backoffice-client
              client-secret: 61FOqIXrbF4kDgf90QkgszIfnXxXotPL
              authorization-grant-type: authorization_code
              scope: openid, profile, email
        provider:
          keycloak:
            issuer-uri: http://localhost:8080/realms/app_backoffice_dev
    gateway:
      default-filters:
        - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      globalcors:
        corsConfigurations:
          '[/**]':
            allowedOrigins: "*"
            allowedHeaders: "*"
            allowedMethods:
              - GET
              - POST
              - DELETE
              - PUT
              - OPTIONS
      routes:
        - id: perimeter_bff_bo
          uri: http://localhost:7001
          predicates:
            - Path=/api/v1/backoffice/**
          filters:
            - TokenRelay=
            - SaveSession
            - StripPrefix=3

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: http://localhost:8080/realms/app_backoffice_dev
          authorities:
          - path: $.realm_access.roles
          aud:
        client:
          client-uri: http://localhost:8081
          security-matchers:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/**
          permit-all:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/connect/back-channel/app_backoffice_dev
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
          back-channel-logout:
            enabled: true
            internal-logout-uri: http://localhost:8081/logout
        resourceserver:
          permit-all:
          - /login-options
          - /error
          - /actuator/health
          - /actuator/info

resource server:

com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: http://localhost:8080/realms/app_backoffice_dev
          username-claim: $.preferred_username
          authorities:
          - path: $.realm_access.roles
          aud: 
        resourceserver:
          permit-all:
          - /me
          - /debug
          - /actuator/health
          - /actuator/info

[ch4mpy]

I can see Spring calling userinfo with the token

This is surprising. As the authorization server is configured as an OIDC Provider (auto-configured using the OpenID configuration inferred from the issuer URI) and the openid scope requested, Spring should use the ID token and not the userinfo endpoint.

Anyhow, when facing security issues, join it to the tickets you open:

• DEBUG or TRACE logs for Spring Security
• dependencies with versions
• complete configuration (also include Java config, even if limited to

@Configuration
@EnableMethodSecurity
class SecurityConfig {
}

[EmilAvramov]

I want to have the gateway responsible for authentication and reverse proxy purposes (routing, load balancing, cors, etc.), while having the resource server validating authorization and orchestrating resource queries to downstream services, before returning it back the client. Using Webflux, not using MVC.

Essentially:

• Gateway as the oAuth client, handles exchanging session cookies for access token and passes token downstream
• Gateway as a reverse proxy to route requests internally, load balance, CORS, etc.
• resource server validates authorization on token, orchestrates fetching data from downstream services (which communicate with the DB directly)
• No additional code aside from tutorial getLoginOptions and /me endpoint implemented. There's some rabbitMQ configs, but those are minimal and I don't think they're relevant?
• Will have different "resource servers" (communicating with downstream services via RabbitMQ).

Please advise if you need anything additional except the below.

Gateway dependencies:

extra["springCloudVersion"] = "2024.0.0"

dependencies {
	// Intra-project dependencies
	implementation(project(":common"))

	// Security
	implementation("org.springframework.boot:spring-boot-starter-oauth2-client:3.4.1")
	implementation("com.c4-soft.springaddons:spring-addons-starter-oidc:8.0.2")
	implementation("org.springframework.boot:spring-boot-starter-security:3.4.1")

	// Dev dependencies
	developmentOnly("org.springframework.boot:spring-boot-devtools:3.4.1")
	implementation("org.springframework.boot:spring-boot-starter-logging:3.4.1")

	// Cloud capacity
	implementation("org.springframework.cloud:spring-cloud-starter-gateway:4.2.0")
	implementation("org.springframework.cloud:spring-cloud-starter:4.2.0")
	implementation("org.springframework.cloud:spring-cloud-starter-config:4.2.0")
	implementation("org.springframework.cloud:spring-cloud-starter-loadbalancer:4.2.0")
	implementation("org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:4.2.0") {
		exclude(group = "com.fasterxml.woodstox", module = "woodstox-core")
		exclude(group = "org.apache.httpcomponents", module = "httpclient")
		exclude(group = "com.thoughtworks.xstream", module = "xstream")
	}

	// resolve transitive dependency security issues
	implementation("com.fasterxml.woodstox:woodstox-core:7.1.0")
	implementation("org.apache.httpcomponents:httpclient:4.5.14")
	implementation("com.thoughtworks.xstream:xstream:1.4.21")
}

dependencyManagement {
	imports {
		mavenBom("org.springframework.cloud:spring-cloud-dependencies:${property("springCloudVersion")}")
	}
}

BFF build.gradle.kts:

configurations {
    compileOnly {
        extendsFrom(configurations.annotationProcessor.get())
    }
}

extra["springCloudVersion"] = "2024.0.0"

dependencies {
    // Intra-project dependencies
    implementation(project(":common"))

    // Security dependencies
    implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.4.1")
    implementation("org.springframework.boot:spring-boot-starter-webflux:3.4.1")
    implementation("com.c4-soft.springaddons:spring-addons-starter-oidc:8.0.2")

    // Dev dependencies
    developmentOnly("org.springframework.boot:spring-boot-devtools:3.4.1")

    // Communication
    implementation("org.springframework.boot:spring-boot-starter-amqp:3.4.1")
    implementation("org.springframework.amqp:spring-rabbit-stream:3.2.1")

    // Cloud capacity
    implementation("org.springframework.cloud:spring-cloud-starter-config:4.2.0")
    implementation("org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:4.2.0") {
        exclude(group = "com.fasterxml.woodstox", module = "woodstox-core")
        exclude(group = "org.apache.httpcomponents", module = "httpclient")
        exclude(group = "com.thoughtworks.xstream", module = "xstream")
    }

    // resolve transitive dependency security issues
    implementation("com.fasterxml.woodstox:woodstox-core:7.1.0")
    implementation("org.apache.httpcomponents:httpclient:4.5.14")
    implementation("com.thoughtworks.xstream:xstream:1.4.21")
}


dependencyManagement {
    imports {
        mavenBom("org.springframework.cloud:spring-cloud-dependencies:${property("springCloudVersion")}")
    }
}

Root project dependencies:

plugins {
    id("java")
    id("org.springframework.boot") version "3.4.1" apply false
    id("io.spring.dependency-management") version "1.1.7" apply false
}

group = "com.backend"
version = "1.0-SNAPSHOT"

repositories {
    mavenCentral()
}

subprojects {
    apply(plugin = "java")
    apply(plugin = "org.springframework.boot")
    apply(plugin = "io.spring.dependency-management")

    group = "com.backend"
    version = "1.0-SNAPSHOT"

    java {
        toolchain {
            languageVersion = JavaLanguageVersion.of(21)
        }
    }

    repositories {
        mavenCentral()
    }

    dependencies {
        implementation("org.springframework.boot:spring-boot-starter-actuator:3.4.1")
        implementation("org.springframework.boot:spring-boot-configuration-processor:3.4.1")

        compileOnly("org.projectlombok:lombok:1.18.36")
        annotationProcessor("org.projectlombok:lombok:1.18.36")

        testImplementation(platform("org.junit:junit-bom:5.10.0"))
        testImplementation("org.junit.jupiter:junit-jupiter:5.10.3")
        testImplementation("org.springframework.boot:spring-boot-starter-test:3.4.1")
        testImplementation("org.springframework.security:spring-security-test:6.4.2")
        testImplementation("org.springframework.amqp:spring-rabbit-test:3.2.1")
    }

    tasks.withType<Test> {
        enabled = true
        useJUnitPlatform()
        testLogging {
            events("PASSED", "FAILED", "SKIPPED")
        }
    }

    tasks.withType<org.springframework.boot.gradle.tasks.run.BootRun> {
        systemProperty("spring.profiles.active", "dev")
    }
}

tasks.register("runCore") {
    dependsOn(
        ":discovery:bootRun",
        ":configserver:bootRun",
    )
}

tasks.register("runPerimeter") {
    dependsOn(
        ":gateway:bootRun",
        ":backoffice:bootRun",
        ":app:bootRun"
    )
}

tasks.register("runDownstream") {
    dependsOn(
        ":user:bootRun",
    )
}

Gateway logs:

2025-01-14T19:00:50.210+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.server.HttpServerOperations     : [09b7bb57, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Increasing pending responses count: 1
2025-01-14T19:00:50.210+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] reactor.netty.http.server.HttpServer     : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@524177b9
2025-01-14T19:00:50.210+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.s.adapter.HttpWebHandlerAdapter    : [09b7bb57-3] HTTP GET "/login/o
auth2/code/keycloak?state=CyHWkLVpjeWDwydWw_g_5GDDGNbwbQC1zFUbOwGfvZ8%3D&session_state=2a1e7532-c986-43a6-bcd3-74fb3b27aaae&iss=http%3A%2F%2Flocalho
st%3A8080%2Frealms%2Fapp_backoffice_dev&code=9d2cb011-be20-4b69-adbd-ec4d539cffc7.2a1e7532-c986-43a6-bcd3-74fb3b27aaae.f307d6f9-5feb-4379-aa1b-efee3eb7b231"
2025-01-14T19:00:50.274+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : Creating a new [http] client po
ol [PoolFactory{evictionInterval=PT0S, leasingStrategy=fifo, maxConnections=500, maxIdleTime=-1, maxLifeTime=-1, metricsEnabled=false, pendingAcquireMaxCount=1000, pendingAcquireTimeout=45000}] for [localhost/<unresolved>:8080]
2025-01-14T19:00:50.283+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [e72e3f7b] Created a new pooled channel, now: 0 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.288+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.transport.TransportConfig        : [e72e3f7b] Initialized pipeline
 DefaultChannelPipeline{(reactor.left.httpCodec = io.netty.handler.codec.http.HttpClientCodec), (reactor.left.httpDecompressor = io.netty.handler.codec.http.HttpContentDecompressor), (reactor.right.reactiveBridge = reactor.netty.channel.ChannelOperationsHandler)}
2025-01-14T19:00:50.303+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [7c48e326] HTTP POST http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/token
2025-01-14T19:00:50.305+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.transport.TransportConnector     : [e72e3f7b] Connecting to [localhost/127.0.0.1:8080].
2025-01-14T19:00:50.307+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Registering pool release on close event for channel
2025-01-14T19:00:50.307+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Channel connected, now: 1 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.308+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] onStateChange(PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}, [connected])
2025-01-14T19:00:50.310+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-1, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [configured])
2025-01-14T19:00:50.311+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.http.client.HttpClientConnect    : [e72e3f7b-1, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Handler is being applied: {uri=http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/token, method=POST}
2025-01-14T19:00:50.312+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-1, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(POST{uri=/realms/app_backoffice_dev/protocol/openid-connect/token, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [request_prepared])
2025-01-14T19:00:50.313+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] org.springframework.web.HttpLogging      : [7c48e326] Writing form fields [grant_type, code, redirect_uri] (content masked)
2025-01-14T19:00:50.317+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-1, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(POST{uri=/realms/app_backoffice_dev/protocol/openid-connect/token, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [request_sent])
2025-01-14T19:00:50.348+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [e72e3f7b-1, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 200 OK
Cache-Control: <filtered>
Pragma: <filtered>
content-length: <filtered>
Content-Type: <filtered>
Referrer-Policy: <filtered>
Strict-Transport-Security: <filtered>
X-Content-Type-Options: <filtered>
X-Frame-Options: <filtered>
X-XSS-Protection: <filtered>
2025-01-14T19:00:50.348+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-1, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(POST{uri=/realms/app_backoffice_dev/protocol/openid-connect/token, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [response_received])
2025-01-14T19:00:50.349+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [7c48e326] [e72e3f7b-1] Response 200 OK
2025-01-14T19:00:50.360+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] reactor.netty.channel.FluxReceive        : [e72e3f7b-1, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-01-14T19:00:50.362+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [e72e3f7b-1, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Received last HTTP packet
2025-01-14T19:00:50.366+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] org.springframework.web.HttpLogging      : [7c48e326] [e72e3f7b-1] Decoded [{access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJfLVd5SnVva0g1VTJDbXJtQkUwcDIwT191Tk (truncated)...]
2025-01-14T19:00:50.434+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [56527bdf] HTTP GET http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/certs
2025-01-14T19:00:50.434+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [4a6a5e9c] Created a new pooled channel, now: 1 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.434+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.transport.TransportConfig        : [4a6a5e9c] Initialized pipeline
 DefaultChannelPipeline{(reactor.left.httpCodec = io.netty.handler.codec.http.HttpClientCodec), (reactor.left.httpDecompressor = io.netty.handler.codec.http.HttpContentDecompressor), (reactor.right.reactiveBridge = reactor.netty.channel.ChannelOperationsHandler)}
2025-01-14T19:00:50.435+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 -
 R:localhost/127.0.0.1:8080] onStateChange(POST{uri=/realms/app_backoffice_dev/protocol/openid-connect/token, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [response_completed])
2025-01-14T19:00:50.435+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 -
 R:localhost/127.0.0.1:8080] onStateChange(POST{uri=/realms/app_backoffice_dev/protocol/openid-connect/token, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [disconnecting])
2025-01-14T19:00:50.435+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Releasing channel
2025-01-14T19:00:50.435+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Channel cleaned, now: 0 active connections, 1 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.436+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.transport.TransportConnector     : [4a6a5e9c] Connecting to [localhost/127.0.0.1:8080].
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Registering pool release on close event for channel
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Channel connected, now: 1 active connections, 1 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] onStateChange(PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}, [connected])
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c-1, L:/127.0.0.1:49988
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [configured])
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.http.client.HttpClientConnect    : [4a6a5e9c-1, L:/127.0.0.1:49988
 - R:localhost/127.0.0.1:8080] Handler is being applied: {uri=http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/certs, method=GET}
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c-1, L:/127.0.0.1:49988
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/certs, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [request_prepared])
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [4a6a5e9c-1, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] No sendHeaders() called before complete, sending zero-length header
2025-01-14T19:00:50.437+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c-1, L:/127.0.0.1:49988
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/certs, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [request_sent])
2025-01-14T19:00:50.442+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [4a6a5e9c-1, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 200 OK
content-length: <filtered>
Cache-Control: <filtered>
Content-Type: <filtered>
Referrer-Policy: <filtered>
Strict-Transport-Security: <filtered>
X-Content-Type-Options: <filtered>
X-Frame-Options: <filtered>
X-XSS-Protection: <filtered>
2025-01-14T19:00:50.442+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c-1, L:/127.0.0.1:49988
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/certs, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [response_received])
2025-01-14T19:00:50.442+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [56527bdf] [4a6a5e9c-1] Response 200 OK
2025-01-14T19:00:50.443+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] reactor.netty.channel.FluxReceive        : [4a6a5e9c-1, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-01-14T19:00:50.444+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [4a6a5e9c-1, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Received last HTTP packet
2025-01-14T19:00:50.444+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] org.springframework.web.HttpLogging      : [56527bdf] [4a6a5e9c-1] Decoded "{"keys":[{"kid":"qU3rm-UJfHXoS_PMk_ocpIuZvdFw7mzXDHdT9YiYbgQ","kty":"RSA","alg":"RSA-OAEP","use":"en (truncated)..."
2025-01-14T19:00:50.459+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [4438e2a4] HTTP GET http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/userinfo
2025-01-14T19:00:50.459+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Channel acquired, now: 2 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.459+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.http.client.HttpClientConnect    : [e72e3f7b-2, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] Handler is being applied: {uri=http://localhost:8080/realms/app_backoffice_dev/protocol/openid-connect/userinfo, method=GET}
2025-01-14T19:00:50.459+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-2, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/userinfo, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [request_prepared])
2025-01-14T19:00:50.459+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [e72e3f7b-2, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] No sendHeaders() called before complete, sending zero-length header
2025-01-14T19:00:50.460+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-2, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/userinfo, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [request_sent])
2025-01-14T19:00:50.461+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c, L:/127.0.0.1:49988 -
 R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/certs, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [response_completed])
2025-01-14T19:00:50.461+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c, L:/127.0.0.1:49988 -
 R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/certs, connection=PooledConnection{channel=[id: 0x4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080]}}, [disconnecting])
2025-01-14T19:00:50.461+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Releasing channel
2025-01-14T19:00:50.461+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [4a6a5e9c, L:/127.0.0.1:49988 - R:localhost/127.0.0.1:8080] Channel cleaned, now: 1 active connections, 1 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.467+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [e72e3f7b-2, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 200 OK
content-length: <filtered>
Cache-Control: <filtered>
Content-Type: <filtered>
Referrer-Policy: <filtered>
Strict-Transport-Security: <filtered>
X-Content-Type-Options: <filtered>
X-Frame-Options: <filtered>
X-XSS-Protection: <filtered>
2025-01-14T19:00:50.467+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b-2, L:/127.0.0.1:49987
 - R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/userinfo, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [response_received])
2025-01-14T19:00:50.467+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [4438e2a4] [e72e3f7b-2] Response 200 OK
2025-01-14T19:00:50.468+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] reactor.netty.channel.FluxReceive        : [e72e3f7b-2, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-01-14T19:00:50.468+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.client.HttpClientOperations     : [e72e3f7b-2, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Received last HTTP packet
2025-01-14T19:00:50.468+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] org.springframework.web.HttpLogging      : [4438e2a4] [e72e3f7b-2] Decoded [{sub=1d0a8c18-0783-4e00-8c30-e9ada00520e4, email_verified=true, realm_access={roles=[offline_access, (truncated)...]
2025-01-14T19:00:50.469+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [7c48e326] Cancel signal (to close connection)
2025-01-14T19:00:50.470+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] o.s.w.r.f.client.ExchangeFunctions       : [4438e2a4] Cancel signal (to close connection)
2025-01-14T19:00:50.472+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 -
 R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/userinfo, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [response_completed])
2025-01-14T19:00:50.473+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 -
 R:localhost/127.0.0.1:8080] onStateChange(GET{uri=/realms/app_backoffice_dev/protocol/openid-connect/userinfo, connection=PooledConnection{channel=[id: 0xe72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080]}}, [disconnecting])
2025-01-14T19:00:50.473+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.r.DefaultPooledConnectionProvider    : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Releasing channel
2025-01-14T19:00:50.473+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.resources.PooledConnectionProvider   : [e72e3f7b, L:/127.0.0.1:49987 - R:localhost/127.0.0.1:8080] Channel cleaned, now: 0 active connections, 2 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:50.477+02:00 DEBUG 34820 --- [gateway] [     parallel-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [09b7bb57-3] Completed 302 FOUND
2025-01-14T19:00:50.477+02:00 DEBUG 34820 --- [gateway] [     parallel-2] r.n.http.server.HttpServerOperations     : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Last HTTP response frame
2025-01-14T19:00:50.477+02:00 DEBUG 34820 --- [gateway] [     parallel-2] r.n.http.server.HttpServerOperations     : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Headers are not sent before onComplete().
2025-01-14T19:00:50.478+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.server.HttpServerOperations     : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Decreasing pending responses count: 0
2025-01-14T19:00:50.478+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.n.http.server.HttpServerOperations     : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] Last HTTP packet was sent, terminating the channel
2025-01-14T19:00:50.478+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-3] r.netty.channel.ChannelOperations        : [09b7bb57-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54623] [HttpServer] Channel inbound receiver cancelled (subscription disposed).
2025-01-14T19:00:53.096+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-2] r.n.http.server.HttpServerOperations     : [907e4250, L:/127.0.0.1:8081 - R:/127.0.0.1:54608] Increasing pending responses count: 1
2025-01-14T19:00:53.096+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-2] reactor.netty.http.server.HttpServer     : [907e4250-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54608] Handler is being applied: org.springframework.http.server.reactive.ReactorHttpHandlerAdapter@524177b9
2025-01-14T19:00:53.096+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [907e4250-4] HTTP GET "/api/v1/backoffice/me"
2025-01-14T19:00:53.098+02:00 DEBUG 34820 --- [gateway] [     parallel-3] o.s.w.s.s.DefaultWebSessionManager       : Created new WebSession.        
2025-01-14T19:00:53.106+02:00 DEBUG 34820 --- [gateway] [     parallel-3] o.s.c.g.h.RoutePredicateHandlerMapping   : Route matched: bff_backoffice  
2025-01-14T19:00:53.107+02:00 DEBUG 34820 --- [gateway] [     parallel-3] o.s.c.g.h.RoutePredicateHandlerMapping   : Mapping [Exchange: GET http://l
ocalhost:8081/api/v1/backoffice/me] to Route{id='bff_backoffice', uri=lb://BACKOFFICE, order=0, predicate=Paths: [/api/v1/backoffice/**], match trai
ling slash: true, gatewayFilters=[[[DedupeResponseHeader Access-Control-Allow-Credentials Access-Control-Allow-Origin = RETAIN_FIRST], order = 1], [
org.springframework.cloud.gateway.filter.factory.TokenRelayGatewayFilterFactory$$Lambda/0x000001d6d18e3c08@2f1ef11, order = 1], [[SaveSession], order = 2], [[StripPrefix parts = 3], order = 3]], metadata={}}
2025-01-14T19:00:53.107+02:00 DEBUG 34820 --- [gateway] [     parallel-3] o.s.c.g.h.RoutePredicateHandlerMapping   : [907e4250-4] Mapped to org.springframework.cloud.gateway.handler.FilteringWebHandler@6527a35c
2025-01-14T19:00:53.107+02:00 DEBUG 34820 --- [gateway] [     parallel-3] o.s.c.g.handler.FilteringWebHandler      : Sorted gatewayFilterFactories: 
[[GatewayFilterAdapter{delegate=org.springframework.cloud.gateway.filter.RemoveCachedBodyFilter@7460dff2}, order = -2147483648], [GatewayFilterAdapt
er{delegate=org.springframework.cloud.gateway.filter.AdaptCachedBodyGlobalFilter@4e5e97f6}, order = -2147482648], [GatewayFilterAdapter{delegate=org
.springframework.cloud.gateway.filter.NettyWriteResponseFilter@663a7916}, order = -1], [GatewayFilterAdapter{delegate=org.springframework.cloud.gate
way.filter.ForwardPathFilter@3034f1f3}, order = 0], [GatewayFilterAdapter{delegate=org.springframework.cloud.gateway.filter.GatewayMetricsFilter@354
a3c62}, order = 0], [[DedupeResponseHeader Access-Control-Allow-Credentials Access-Control-Allow-Origin = RETAIN_FIRST], order = 1], [org.springfram
ework.cloud.gateway.filter.factory.TokenRelayGatewayFilterFactory$$Lambda/0x000001d6d18e3c08@2f1ef11, order = 1], [[SaveSession], order = 2], [[Stri
pPrefix parts = 3], order = 3], [GatewayFilterAdapter{delegate=org.springframework.cloud.gateway.filter.RouteToRequestUrlFilter@31d8c786}, order = 1
0000], [GatewayFilterAdapter{delegate=org.springframework.cloud.gateway.filter.ReactiveLoadBalancerClientFilter@651eeac1}, order = 10150], [GatewayF
ilterAdapter{delegate=org.springframework.cloud.gateway.filter.LoadBalancerServiceInstanceCookieFilter@4ae1f393}, order = 10151], [GatewayFilterAdap
ter{delegate=org.springframework.cloud.gateway.filter.WebsocketRoutingFilter@42d92748}, order = 2147483646], [GatewayFilterAdapter{delegate=org.spri
ngframework.cloud.gateway.filter.NettyRoutingFilter@62faccab}, order = 2147483647], [GatewayFilterAdapter{delegate=org.springframework.cloud.gateway.filter.ForwardRoutingFilter@573da82}, order = 2147483647]]
2025-01-14T19:00:53.134+02:00 DEBUG 34820 --- [gateway] [     parallel-3] .l.EurekaLoadBalancerClientConfiguration : Setting the value of 'spring.cloud.loadbalancer.zone' to defaultZone
2025-01-14T19:00:53.153+02:00 DEBUG 34820 --- [gateway] [     parallel-3] g.f.h.o.ObservedRequestHttpHeadersFilter : Will instrument the HTTP reques
t headers [Host:"localhost:8081", User-Agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0", Accept:"application
/json", Accept-Language:"en-US,en;q=0.5", Accept-Encoding:"gzip, deflate, br, zstd", Origin:"http://localhost:5173", Referer:"http://localhost:5173/
", Sec-Fetch-Dest:"empty", Sec-Fetch-Mode:"cors", Sec-Fetch-Site:"same-site", Forwarded:"proto=http;host="localhost:8081";for="127.0.0.1:54608"", X-
Forwarded-For:"127.0.0.1", X-Forwarded-Proto:"http", X-Forwarded-Prefix:"/api/v1/backoffice", X-Forwarded-Port:"8081", X-Forwarded-Host:"localhost:8081"]
2025-01-14T19:00:53.156+02:00 DEBUG 34820 --- [gateway] [     parallel-3] g.f.h.o.ObservedRequestHttpHeadersFilter : Client observation  {name=http.
client.requests(null), error=null, context=name='http.client.requests', contextualName='null', error='null', lowCardinalityKeyValues=[http.method='G
ET', http.status_code='UNKNOWN', spring.cloud.gateway.route.id='bff_backoffice', spring.cloud.gateway.route.uri='lb://BACKOFFICE'], highCardinalityK
eyValues=[http.uri='http://localhost:8081/me'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instrument.Timer$Sample@7f
0794cd', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=3.442E-4, duration(nanos)=344200.0, startTimeNanos=1
302490395068500}'], parentObservation=org.springframework.security.web.server.ObservationWebFilterChainDecorator$PhasedObservation@259260a4} created
 for the request. New headers are [Host:"localhost:8081", User-Agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133
.0", Accept:"application/json", Accept-Language:"en-US,en;q=0.5", Accept-Encoding:"gzip, deflate, br, zstd", Origin:"http://localhost:5173", Referer
:"http://localhost:5173/", Sec-Fetch-Dest:"empty", Sec-Fetch-Mode:"cors", Sec-Fetch-Site:"same-site", Forwarded:"proto=http;host="localhost:8081";fo
r="127.0.0.1:54608"", X-Forwarded-For:"127.0.0.1", X-Forwarded-Proto:"http", X-Forwarded-Prefix:"/api/v1/backoffice", X-Forwarded-Port:"8081", X-Forwarded-Host:"localhost:8081"]
2025-01-14T19:00:53.159+02:00 DEBUG 34820 --- [gateway] [     parallel-3] r.n.resources.PooledConnectionProvider   : Creating a new [proxy] client p
ool [PoolFactory{evictionInterval=PT0S, leasingStrategy=fifo, maxConnections=2147483647, maxIdleTime=-1, maxLifeTime=-1, metricsEnabled=false, pendingAcquireMaxCount=-1, pendingAcquireTimeout=0}] for [Lunacy.mshome.net/<unresolved>:7001]
2025-01-14T19:00:53.159+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.resources.PooledConnectionProvider   : [5d855469] Created a new pooled channel, now: 0 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:53.159+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.netty.transport.TransportConfig        : [5d855469] Initialized pipeline
 DefaultChannelPipeline{(reactor.left.loggingHandler = reactor.netty.transport.logging.ReactorNettyLoggingHandler), (reactor.left.httpCodec = io.netty.handler.codec.http.HttpClientCodec), (reactor.right.reactiveBridge = reactor.netty.channel.ChannelOperationsHandler)}
2025-01-14T19:00:53.160+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469] REGISTERED
2025-01-14T19:00:53.160+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.netty.transport.TransportConnector     : [5d855469] Connecting to [Lunacy.mshome.net/127.0.0.1:7001].
2025-01-14T19:00:53.160+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469] CONNECT: Lunacy.mshome.net/127.0.0.1:7001
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Registering pool release on close event for channel
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.resources.PooledConnectionProvider   : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Channel connected, now: 1 active connections, 0 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] ACTIVE
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469, L:/127.0.0.1:50060 -
 R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}, [connected])
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469-1, L:/127.0.0.1:50060
 - R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [configured])
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.netty.http.client.HttpClientConnect    : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Handler is being applied: {uri=http://Lunacy.mshome.net:7001/me, method=GET}
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469-1, L:/127.0.0.1:50060
 - R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/me, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [request_prepared])
2025-01-14T19:00:53.162+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-2] reactor.netty.channel.FluxReceive        : [907e4250-2, L:/127.0.0.1:8081 - R:/127.0.0.1:54608] [terminated=true, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-01-14T19:00:53.163+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] WRITE: 618B
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 47 45 54 20 2f 6d 65 20 48 54 54 50 2f 31 2e 31 |GET /me HTTP/1.1|
|00000010| 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f |..User-Agent: Mo|
|00000020| 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f |zilla/5.0 (Windo|
|00000030| 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 |ws NT 10.0; Win6|
|00000040| 34 3b 20 78 36 34 3b 20 72 76 3a 31 33 33 2e 30 |4; x64; rv:133.0|
|00000050| 29 20 47 65 63 6b 6f 2f 32 30 31 30 30 31 30 31 |) Gecko/20100101|
|00000060| 20 46 69 72 65 66 6f 78 2f 31 33 33 2e 30 0d 0a | Firefox/133.0..|
|00000070| 41 63 63 65 70 74 3a 20 61 70 70 6c 69 63 61 74 |Accept: applicat|
|00000080| 69 6f 6e 2f 6a 73 6f 6e 0d 0a 41 63 63 65 70 74 |ion/json..Accept|
|00000090| 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 |-Language: en-US|
|000000a0| 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 41 63 63 65 70 |,en;q=0.5..Accep|
|000000b0| 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 |t-Encoding: gzip|
|000000c0| 2c 20 64 65 66 6c 61 74 65 2c 20 62 72 2c 20 7a |, deflate, br, z|
|000000d0| 73 74 64 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 |std..Origin: htt|
|000000e0| 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 35 31 |p://localhost:51|
|000000f0| 37 33 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 |73..Referer: htt|
|00000100| 70 3a 2f 2f 6c 6f 63 61 6c 68 6f 73 74 3a 35 31 |p://localhost:51|
|00000110| 37 33 2f 0d 0a 53 65 63 2d 46 65 74 63 68 2d 44 |73/..Sec-Fetch-D|
|00000120| 65 73 74 3a 20 65 6d 70 74 79 0d 0a 53 65 63 2d |est: empty..Sec-|
|00000130| 46 65 74 63 68 2d 4d 6f 64 65 3a 20 63 6f 72 73 |Fetch-Mode: cors|
|00000140| 0d 0a 53 65 63 2d 46 65 74 63 68 2d 53 69 74 65 |..Sec-Fetch-Site|
|00000150| 3a 20 73 61 6d 65 2d 73 69 74 65 0d 0a 46 6f 72 |: same-site..For|
|00000160| 77 61 72 64 65 64 3a 20 70 72 6f 74 6f 3d 68 74 |warded: proto=ht|
|00000170| 74 70 3b 68 6f 73 74 3d 22 6c 6f 63 61 6c 68 6f |tp;host="localho|
|00000180| 73 74 3a 38 30 38 31 22 3b 66 6f 72 3d 22 31 32 |st:8081";for="12|
|00000190| 37 2e 30 2e 30 2e 31 3a 35 34 36 30 38 22 0d 0a |7.0.0.1:54608"..|
|000001a0| 58 2d 46 6f 72 77 61 72 64 65 64 2d 46 6f 72 3a |X-Forwarded-For:|
|000001b0| 20 31 32 37 2e 30 2e 30 2e 31 0d 0a 58 2d 46 6f | 127.0.0.1..X-Fo|
|000001c0| 72 77 61 72 64 65 64 2d 50 72 6f 74 6f 3a 20 68 |rwarded-Proto: h|
|000001d0| 74 74 70 0d 0a 58 2d 46 6f 72 77 61 72 64 65 64 |ttp..X-Forwarded|
|000001e0| 2d 50 72 65 66 69 78 3a 20 2f 61 70 69 2f 76 31 |-Prefix: /api/v1|
|000001f0| 2f 62 61 63 6b 6f 66 66 69 63 65 0d 0a 58 2d 46 |/backoffice..X-F|
|00000200| 6f 72 77 61 72 64 65 64 2d 50 6f 72 74 3a 20 38 |orwarded-Port: 8|
|00000210| 30 38 31 0d 0a 58 2d 46 6f 72 77 61 72 64 65 64 |081..X-Forwarded|
|00000220| 2d 48 6f 73 74 3a 20 6c 6f 63 61 6c 68 6f 73 74 |-Host: localhost|
|00000230| 3a 38 30 38 31 0d 0a 68 6f 73 74 3a 20 4c 75 6e |:8081..host: Lun|
|00000240| 61 63 79 2e 6d 73 68 6f 6d 65 2e 6e 65 74 3a 37 |acy.mshome.net:7|
|00000250| 30 30 31 0d 0a 63 6f 6e 74 65 6e 74 2d 6c 65 6e |001..content-len|
|00000260| 67 74 68 3a 20 30 0d 0a 0d 0a                   |gth: 0....      |
+--------+-------------------------------------------------+----------------+
2025-01-14T19:00:53.165+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] FLUSH
2025-01-14T19:00:53.165+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469-1, L:/127.0.0.1:50060
 - R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/me, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [request_sent])
2025-01-14T19:00:53.320+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] READ: 334B
         +-------------------------------------------------+
         |  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+--------+-------------------------------------------------+----------------+
|00000000| 48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d |HTTP/1.1 200 OK.|
|00000010| 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 |.Content-Type: a|
|00000020| 70 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 0d |pplication/json.|
|00000030| 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a |.Content-Length:|
|00000040| 20 36 33 0d 0a 43 61 63 68 65 2d 43 6f 6e 74 72 | 63..Cache-Contr|
|00000050| 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 2c 20 6e 6f |ol: no-cache, no|
|00000060| 2d 73 74 6f 72 65 2c 20 6d 61 78 2d 61 67 65 3d |-store, max-age=|
|00000070| 30 2c 20 6d 75 73 74 2d 72 65 76 61 6c 69 64 61 |0, must-revalida|
|00000080| 74 65 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f 2d 63 |te..Pragma: no-c|
|00000090| 61 63 68 65 0d 0a 45 78 70 69 72 65 73 3a 20 30 |ache..Expires: 0|
|000000a0| 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 |..X-Content-Type|
|000000b0| 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 |-Options: nosnif|
|000000c0| 66 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f |f..X-Frame-Optio|
|000000d0| 6e 73 3a 20 44 45 4e 59 0d 0a 58 2d 58 53 53 2d |ns: DENY..X-XSS-|
|000000e0| 50 72 6f 74 65 63 74 69 6f 6e 3a 20 30 0d 0a 52 |Protection: 0..R|
|000000f0| 65 66 65 72 72 65 72 2d 50 6f 6c 69 63 79 3a 20 |eferrer-Policy: |
|00000100| 6e 6f 2d 72 65 66 65 72 72 65 72 0d 0a 0d 0a 7b |no-referrer....{|
|00000110| 22 75 73 65 72 6e 61 6d 65 22 3a 22 22 2c 22 65 |"username":"","e|
|00000120| 6d 61 69 6c 22 3a 22 22 2c 22 72 6f 6c 65 73 22 |mail":"","roles"|
|00000130| 3a 5b 5d 2c 22 65 78 70 22 3a 39 32 32 33 33 37 |:[],"exp":922337|
|00000140| 32 30 33 36 38 35 34 37 37 35 38 30 37 7d       |2036854775807}  |
+--------+-------------------------------------------------+----------------+
2025-01-14T19:00:53.320+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.http.client.HttpClientOperations     : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Received response (auto-read:false) : RESPONSE(decodeResult: success, version: HTTP/1.1)
HTTP/1.1 200 OK
Content-Type: <filtered>
Content-Length: <filtered>
Cache-Control: <filtered>
Pragma: <filtered>
Expires: <filtered>
X-Content-Type-Options: <filtered>
X-Frame-Options: <filtered>
X-XSS-Protection: <filtered>
Referrer-Policy: <filtered>
2025-01-14T19:00:53.320+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469-1, L:/127.0.0.1:50060
 - R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/me, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [response_received])
2025-01-14T19:00:53.320+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] .f.h.o.ObservedResponseHttpHeadersFilter : Will instrument the response   
2025-01-14T19:00:53.322+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] .f.h.o.ObservedResponseHttpHeadersFilter : The response was handled for ob
servation {name=http.client.requests(null), error=null, context=name='http.client.requests', contextualName='null', error='null', lowCardinalityKeyV
alues=[http.method='GET', http.status_code='UNKNOWN', spring.cloud.gateway.route.id='bff_backoffice', spring.cloud.gateway.route.uri='lb://BACKOFFIC
E'], highCardinalityKeyValues=[http.uri='http://localhost:8081/me'], map=[class io.micrometer.core.instrument.Timer$Sample='io.micrometer.core.instr
ument.Timer$Sample@7f0794cd', class io.micrometer.core.instrument.LongTaskTimer$Sample='SampleImpl{duration(seconds)=0.1660812, duration(nanos)=1.66
0812E8, startTimeNanos=1302490395068500}'], parentObservation=org.springframework.security.web.server.ObservationWebFilterChainDecorator$PhasedObservation@259260a4}
2025-01-14T19:00:53.324+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.channel.FluxReceive        : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] [terminated=false, cancelled=false, pending=0, error=null]: subscribing inbound receiver
2025-01-14T19:00:53.324+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.http.client.HttpClientOperations     : [5d855469-1, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Received last HTTP packet
2025-01-14T19:00:53.327+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469, L:/127.0.0.1:50060 -
 R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/me, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [response_completed])
2025-01-14T19:00:53.327+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469, L:/127.0.0.1:50060 -
 R:Lunacy.mshome.net/127.0.0.1:7001] onStateChange(GET{uri=/me, connection=PooledConnection{channel=[id: 0x5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001]}}, [disconnecting])
2025-01-14T19:00:53.327+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.r.DefaultPooledConnectionProvider    : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Releasing channel
2025-01-14T19:00:53.327+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] r.n.resources.PooledConnectionProvider   : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] Channel cleaned, now: 0 active connections, 1 inactive connections and 0 pending acquire requests.
2025-01-14T19:00:53.327+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-4] reactor.netty.http.client.HttpClient     : [5d855469, L:/127.0.0.1:50060 - R:Lunacy.mshome.net/127.0.0.1:7001] READ COMPLETE
2025-01-14T19:00:53.331+02:00 DEBUG 34820 --- [gateway] [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [907e4250-4] Completed 200 OK

BFF logs:

2025-01-14T19:00:53.220+02:00 DEBUG 15168 --- [backoffice] [ctor-http-nio-2] o.s.w.s.adapter.HttpWebHandlerAdapter    : [3312e2a4-1] HTTP GET "/me"
2025-01-14T19:00:53.244+02:00 DEBUG 15168 --- [backoffice] [ctor-http-nio-2] s.w.s.a.AnonymousAuthenticationWebFilter : Populated SecurityContext wi
th anonymous token: 'AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_ANONYMOUS]]'
2025-01-14T19:00:53.258+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.w.s.s.DefaultWebSessionManager       : Created new WebSession.
2025-01-14T19:00:53.262+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/logout', method=POST}
2025-01-14T19:00:53.264+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] athPatternParserServerWebExchangeMatcher : Request 'GET /me' doesn't match 'POST /logout'
2025-01-14T19:00:53.264+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : No matches found
2025-01-14T19:00:53.267+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/me', method=null}
2025-01-14T19:00:53.268+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] athPatternParserServerWebExchangeMatcher : Checking match of request : '/me'; against '/me'
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/debug', method=null}
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] athPatternParserServerWebExchangeMatcher : Request 'GET /me' doesn't match 'null /debug'
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/health', method=null}
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] athPatternParserServerWebExchangeMatcher : Request 'GET /me' doesn't match 'null /actuator/health'
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : Trying to match using PathMatcherServerWebExchangeMatcher{pattern='/actuator/info', method=null}
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] athPatternParserServerWebExchangeMatcher : Request 'GET /me' doesn't match 'null /actuator/info'
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.u.m.OrServerWebExchangeMatcher : matched
2025-01-14T19:00:53.271+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] a.DelegatingReactiveAuthorizationManager : Checking authorization on '/me' using org.springframework.security.config.web.server.ServerHttpSecurity$AuthorizeExchangeSpec$Access$$Lambda/0x000001b5a16fe6a0@4b0221e4        
2025-01-14T19:00:53.274+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.s.w.s.a.AuthorizationWebFilter       : Authorization successful    
2025-01-14T19:00:53.279+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] s.w.r.r.m.a.RequestMappingHandlerMapping : [3312e2a4-1] Mapped to com.backend.backoffice.controller.MeController#getMe(Authentication)
XXXAnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_ANONYMOUS]]
2025-01-14T19:00:53.297+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.w.r.r.m.a.ResponseBodyResultHandler  : [3312e2a4-1] Using 'application/json' given [application/json] and supported [application/json, application/*+json, application/x-ndjson, text/event-stream]
2025-01-14T19:00:53.297+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.w.r.r.m.a.ResponseBodyResultHandler  : [3312e2a4-1] 0..1 [com.backend.backoffice.controller.MeController$UserInfoDto]
2025-01-14T19:00:53.305+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] org.springframework.web.HttpLogging      : [3312e2a4-1] Encoding [UserInfoDto[username=, email=, roles=[], exp=9223372036854775807]]
2025-01-14T19:00:53.319+02:00 DEBUG 15168 --- [backoffice] [     parallel-1] o.s.w.s.adapter.HttpWebHandlerAdapter    : [3312e2a4-1] Completed 200 OK
2025-01-14T19:01:22.783+02:00 DEBUG 15168 --- [backoffice] [beatExecutor-%d] o.s.web.client.RestTemplate              : HTTP PUT http://localhost:8761/eureka/apps/BACKOFFICE/localhost:backoffice:7001?status=UP&lastDirtyTimestamp=1736874022754
2025-01-14T19:01:22.783+02:00 DEBUG 15168 --- [backoffice] [beatExecutor-%d] o.s.web.client.RestTemplate              : Accept=[application/json, application/*+json]
2025-01-14T19:01:22.798+02:00 DEBUG 15168 --- [backoffice] [reshExecutor-%d] o.s.web.client.RestTemplate              : HTTP GET http://localhost:8761/eureka/apps/delta
2025-01-14T19:01:22.798+02:00 DEBUG 15168 --- [backoffice] [reshExecutor-%d] o.s.web.client.RestTemplate              : Accept=[application/json, application/*+json]
2025-01-14T19:01:22.799+02:00 DEBUG 15168 --- [backoffice] [beatExecutor-%d] o.s.web.client.RestTemplate              : Response 200 OK
2025-01-14T19:01:22.815+02:00 DEBUG 15168 --- [backoffice] [reshExecutor-%d] o.s.web.client.RestTemplate              : Response 200 OK
2025-01-14T19:01:22.815+02:00 DEBUG 15168 --- [backoffice] [reshExecutor-%d] o.s.web.client.RestTemplate              : Reading to [org.springframework.cloud.netflix.eureka.http.EurekaApplications]
2025-01-14T19:01:22.830+02:00 DEBUG 15168 --- [backoffice] [reshExecutor-%d] o.s.web.client.DefaultRestClient         : Reading to [com.netflix.discovery.s

[ch4mpy]

I suspect that the issue you face is related to a missing session cookie with the /api/v1/backoffice/me request. Please check in your browser debugging tools that the value for the SESSION cookie is set with the /api/v1/backoffice/me, and that its value is the same as what you have with the authorization request (when you GET the URI in the login-option) and with the callback with the authorization code. Is there a reproducer I can clone and debug?

Maybe BFF isn't the most correct term

BFF stands for Backend-For-Frontend = single point of contact on the backend for a given frontend = Gateway. An "OAuth2 BFF" is a BFF with the responsibility of bridging between session-based security (for the frontend, with protection against CSRF) and Bearer-based security (for resource servers on the backend). Other applications on the backend should be configured as stateless OAuth2 resource servers (expect requests to be authorized with Bearer tokens). So calling these apps resource servers and reserving "BFF" for the Gateway is a much better idea.

Gateway as a reverse proxy to route requests internally, load balance, CORS, etc.

From the browser perspective, all requests coming through a given reverse proxy have the same origin => no need for Cross-Origin Resource Sharing configuration.

Also, a reasonably safe session cookie must be flagged same site (as well as secure and http-only). Spring session cookies have these flags raised by default. So, if the UI and the BFF are not same-site, the browser will not set the session cookie with the requests from your frontend to the BFF. The result is that the TokenRelay filter has no session to take an access token from.

As same-origin is always same-site (the other way around is not true), the easiest way is to serve the UI and the BFF through the same reverse proxy. A few possible options:

• use an Nginx instance in front of both (this is what I chose in the Baeldung article)
• define a dedicated route for the UI on the Gateway (permitAll, no save-session, no TokenRelay)
• use something like the dev-server proxy features for Angular when debugging and, for production, serve the packaged application from the Gateway static assets

Using Webflux, not using MVC

This is something you should probably reconsider. Since Java 21 and virtual threads, Webflux won't be more resource-efficient than servlets, and the later are much easier to debug. But this is not the subject here and spring-addons-starter-oidc adapts security filter-chains auto-configuration to the app nature (servlet or Webflux).

Last, you should add spring-boot-starter-oauth2-resource-server to the gateway. spring-boot-starter-oauth2-client and oauth2Login are needed for the routes with the TokenRelay, but REST resources (login-options, actuator, ...) don't need state. when both spring-boot-starter-oauth2-resource-server and spring-boot-starter-oauth2-client are on the class-path, spring-addons creates two security filter chain:

• a stateful one with oauth2Login (and protection against CSRF) for the routes matched by the security-matchers property
• a stateless one with oauth2ResourceServer for all other routes

As those auto-configured filter chains have very low precedence, you might add more with a securityMatcher and an @Order of LOWEST_PRECEDENCE - 2 (or lowest order / higher precedence).

[EmilAvramov]

Thanks for the lengthy response, appreciate the time.

The issue is indeed that the React UI and the backend are not on the same origin, wasn't aware that Spring automatically raises same-site (and after some in-depth reading, want to keep it that way). My initial plan was only for a mobile app (Kotlin) and a backend, where same-site cookies aren't an issue (since that's a browser thing), and the auxiliary React app came later (and apparently threw a monkey wrench into my plans). I'm going to use your setup with serving the React UI from nginx, since I want to keep cookies same-site. For Webflux vs MVC in 21, I have to do some further reading, thank you for the advice.

Given that nginx will be routing auth requests (Keycloak for React UI and Google OAuth for Kotlin), would you say it's sustainable/maintanable from a security perspective to keep a single gateway (doesn't really count as BFF at that point) to handle traffic from both apps (the React UI app won't generally see much traffic, the Kotlin one hopefully would)? I plan to do all resource server operations on the service behind the gateway/bff, each app will have one of those, since while the data pulled will be from the same sources, I prefer to keep the logic and the authorization claims separate.

[ch4mpy]

You should read (again?) the beginning of the Baeldung article:

• the paragraph I linked contains the warning about the reverse-proxy in front of the BFF & UI
• unless you want to display the authorization server's UI in an iframe (keep the React UI in the background as possible in the article companion project) there is no need for the requests to the authorization server to go through the same reverse-proxy as the UI & BFF.

Unless using Firebase and deploying to Google cloud, you can hardly add meta-data (like roles) to users in Google and use the access tokens issued by Google to authorize requests to your resource servers. I don't like the idea of being tied to a specific cloud provider, and I want my REST APIS to be accessible from any platform (Android, iOS, and web). As you have a Keycloak instance, you should define Google as an identity provider (enable login with Google in Keycloak) and use only Keycloak as OpenID Provider (issuer) in your backend. This will give you complete flexibility on users data and tokens content.

Because I want to keep the tokens safe on the backend (maybe other frontends than those I create consume my API, and I won't have a hand on their design), I use the same BFF for my single page and mobile apps. This requires manual handling of session and CSRF cookies in the mobile app (plus some deep-linking), but this isn't much work once you understood how you switch from a user agent to another during the authorization code flow (mobile app -> system browser -> mobile app), how user agents process cookies, and as cookies aren't shared between agents, that you have to be careful to push the authorization code to the BFF with the mobile app internal client for further REST request to your backend being part of an authorized session (the session in which the tokens retrieved with the code are stored):

• open the location in the response to the BFF authorization endpoint using the system browser (the response you get when you call what you found in login-options) instead of letting the internal client follow a redirection (my starter exposes a property to change the response status and make that possible)
• intercept with a deep link the response from the authorization server redirecting to the BFF authorization code callback endpoint, use the app internal client instead of letting the browser follow the redirection.

Resource servers should be responsible for resources access control. Implementing this access control will be much easier if all requests are authorized with tokens issued by the same authorization server (your Keycloak).