We currently have 4 Spring applications that use the Spring Security OAuth2 project for authentication. The applications are REST APIs that are consumed by other internal applications in the company I work for.
Everything was working fine in the development and QA environments, as we were not doing load balancing; now that we are in pre-production, we are facing an issue with the load balancer (LB).
This is the workflow for this issue:
1. Client sends a request for the OAuth token
2. LB redirects the request to Box 1
3. Box 1 authenticates and returns a valid Bearer token
4. Client receives the token and stores it for use throughout the session
5. Client sends a request for a service in the REST API, adding the previously retrieved token to the headers
6. LB redirects the request to Box 2
7. Box 2 fails to authenticate as it does not recognize the token and returns an Invalid Credentials response
We are using an in-memory user store:
Is there a way to make different boxes share the same token store? I know there is a JdbcTokenStore that can be used to persist tokens to the DB, but I would prefer to avoid persisting tokens, as these applications point to a legacy database that only stores business information.
Using the database would probably be the easiest option you have. Otherwise you would have to find a way for them to know each other's tokens; that sounds way more complicated, considering setting up a database and a table is so easy.
You will need to use a TokenStore implementation that supports either external storage (e.g. a database) or distributed storage. For the latter you could use a caching framework. We had a very similar issue at work (with Keycloak), and since we already used Hazelcast we ended up using that for the distributed storage.
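The externally stored TokenStore both answers describe, as an added example that is not code from the question or either answer. It wires one JdbcTokenStore bean into both the authorization endpoints (Box 1 issuing tokens) and the resource server (Box 2 validating them), so every instance behind the LB reads and writes the same tokens. The DataSource bean name "oauthDataSource" is an assumption: it is meant to point at a separate schema holding only the oauth_access_token and oauth_refresh_token tables from the Spring Security OAuth2 sample schema, so the legacy business database mentioned in the question is left untouched.

```java
// Added example (not the asker's or answerers' code): a single database-backed TokenStore
// shared by every box behind the load balancer. Assumes a DataSource bean named
// "oauthDataSource" (an assumption) that points at a schema dedicated to the OAuth tables.
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore;

@Configuration
public class SharedTokenStoreConfig {

    // One TokenStore bean for the whole application. Because it is backed by a database,
    // a token written by Box 1 is readable by Box 2; an in-memory store is per-JVM and
    // is what produces the "Invalid Credentials" response described in the question.
    @Bean
    public TokenStore tokenStore(@Qualifier("oauthDataSource") DataSource oauthDataSource) {
        return new JdbcTokenStore(oauthDataSource);
    }

    @Configuration
    @EnableAuthorizationServer
    public static class AuthServer extends AuthorizationServerConfigurerAdapter {
        @Autowired private TokenStore tokenStore;
        @Autowired private AuthenticationManager authenticationManager;

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
            // Tokens issued by /oauth/token are persisted through the shared store.
            endpoints.tokenStore(tokenStore)
                     .authenticationManager(authenticationManager);
        }
    }

    @Configuration
    @EnableResourceServer
    public static class ResourceServer extends ResourceServerConfigurerAdapter {
        @Autowired private TokenStore tokenStore;

        @Override
        public void configure(ResourceServerSecurityConfigurer resources) {
            // Bearer tokens on incoming REST calls are looked up in the same shared store,
            // so it does not matter which box the LB routed the original token request to.
            resources.tokenStore(tokenStore);
        }
    }
}
```

The important point is that the resource server side is configured with the same store as the authorization server; registering the JdbcTokenStore only on the authorization endpoints still leaves each box validating against its own default in-memory store. The two OAuth tables must be reachable from every instance, and keeping them in their own schema addresses the concern about mixing tokens into the legacy business database.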