msvc-auth: Spring OAuth2 Authorization Server (Port 9000)
OAuth2 Authorization Server on port 9000 issuing signed JWTs. Supports Authorization Code and OIDC 1.0. Delegates user credential lookup to msvc-usuarios.
msvc-auth is a Spring Authorization Server (Spring Boot 3.5 / Spring Cloud 2025) running on port 9000. It has no database of its own: every user lookup is delegated to msvc-usuarios through a reactive WebClient call to that service's /login endpoint. Because the lookup happens inside loadUserByUsername, msvc-usuarios returns the stored user record (including the BCrypt password hash) and the password comparison itself is performed by Spring Security inside msvc-auth; that endpoint therefore hands out password hashes and should never be reachable from outside the cluster. Once the credentials check out, msvc-auth issues signed JWT access tokens and drives the full OAuth2 Authorization Code flow with OIDC 1.0 support.
A single registered client (usuarios-client) is held in memory and configured in SecurityConfig.java. The client secret is BCrypt-encoded at startup; the plain-text value is 12345, which is fine for local development but must be replaced, and supplied from configuration rather than source, before the server is exposed anywhere else.
Property                  Value
Client ID                 usuarios-client
Client Secret             12345 (BCrypt encoded at runtime)
Authentication Method     CLIENT_SECRET_BASIC (client id and secret sent as HTTP Basic credentials to /oauth2/token)
Grant Types               authorization_code, refresh_token
Scopes                    openid, read, write
Redirect URI              ${LB_AUTH_REDIRECT_URI}/authorized
Post-Logout Redirect URI  ${LB_AUTH_REDIRECT_URI}/authorized
Requires Consent          true
The redirect URI is assembled at startup from the LB_AUTH_REDIRECT_URI environment variable, so the same Docker image can be deployed to any environment without rebuilding. Spring Authorization Server matches redirect_uri exactly, so the value the client sends on /oauth2/authorize (and repeats on /oauth2/token) must be byte-for-byte ${LB_AUTH_REDIRECT_URI}/authorized. Note also that its default validator rejects redirect URIs whose host is localhost, so local testing should use 127.0.0.1 instead.
Spring Authorization Server exposes the following standard endpoints automatically:
Method  Path                                     Description
GET     /oauth2/authorize                        Start the Authorization Code flow
POST    /oauth2/token                            Exchange an authorization code (or refresh token) for tokens
GET     /oauth2/jwks                             Public RSA key set (JWK Set URI)
GET     /userinfo                                OIDC UserInfo (requires openid scope)
POST    /oauth2/revoke                           Revoke an access or refresh token
GET     /.well-known/oauth-authorization-server  OAuth2 server metadata document
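The Authorization Code exchange against the endpoints and client registration above, as an added example that is not part of the msvc-auth code base. It is written in Go so that it runs offline: NewFakeAuthServer is a constructed stand-in for the token endpoint (it compares the secret as plain text, whereas msvc-auth checks it against the BCrypt hash), and http://msvc-usuarios:8001 is an assumed value of LB_AUTH_REDIRECT_URI. Against the real server, replace srv.URL with http://msvc-auth:9000 and use a code obtained by sending a browser through /oauth2/authorize.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Registration of usuarios-client as documented above. The base of the
// redirect URI is an assumed value for LB_AUTH_REDIRECT_URI.
const (
	clientID     = "usuarios-client"
	clientSecret = "12345"
	redirectURI  = "http://msvc-usuarios:8001/authorized"
)

// AuthorizeURL builds the redirect that sends the browser to /oauth2/authorize.
// state binds the eventual code to this browser session; the client checks it on /authorized.
func AuthorizeURL(issuer, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", "openid read write")
	q.Set("state", state)
	return issuer + "/oauth2/authorize?" + q.Encode()
}

// ExchangeCode redeems an authorization code at /oauth2/token. With
// CLIENT_SECRET_BASIC the client id and secret travel in the Authorization
// header, not in the form body. redirect must repeat the value sent on
// /oauth2/authorize, which the server compares with the registration.
func ExchangeCode(issuer, code, redirect string) (map[string]any, error) {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", redirect)
	req, err := http.NewRequest(http.MethodPost, issuer+"/oauth2/token", strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(clientID, clientSecret)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var body map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %d: %v", resp.StatusCode, body["error"])
	}
	return body, nil
}

// NewFakeAuthServer is a constructed stand-in for the msvc-auth token endpoint, not the
// real server. It applies the two checks that matter for this exchange: client
// authentication and an exact redirect_uri match against the registration.
func NewFakeAuthServer(validCode string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth2/token", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != clientSecret {
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_client"})
			return
		}
		if r.ParseForm() != nil || r.PostForm.Get("grant_type") != "authorization_code" ||
			r.PostForm.Get("code") != validCode || r.PostForm.Get("redirect_uri") != redirectURI {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant"})
			return
		}
		json.NewEncoder(w).Encode(map[string]any{ // constructed token response
			"access_token": "constructed.jwt.value", "token_type": "Bearer", "expires_in": 300,
			"refresh_token": "constructed-refresh-token", "scope": "openid read write",
		})
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeAuthServer("SplxlOBeZQQYbYS6WxSbIA")
	defer srv.Close()
	fmt.Println("step 1, send the browser to:", AuthorizeURL(srv.URL, "af0ifjsldkj"))
	tok, err := ExchangeCode(srv.URL, "SplxlOBeZQQYbYS6WxSbIA", redirectURI)
	fmt.Println("step 2, token response:", tok, err)
	_, err = ExchangeCode(srv.URL, "SplxlOBeZQQYbYS6WxSbIA", "http://msvc-usuarios:8001/other")
	fmt.Println("mismatched redirect_uri:", err)
}
```

The last call shows why the exact-match rule matters: a code issued for /authorized cannot be redeemed with any other redirect_uri, which is what stops a stolen code from being exchanged by a page the attacker controls.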
Resource servers such as msvc-usuarios resolve the issuer metadata and JWK Set at startup. Point them at http://msvc-auth:9000 (or the value of LB_AUTH_ISSUER_URI) through spring.security.oauth2.resourceserver.jwt.issuer-uri and they can validate tokens without further configuration: Spring Security fetches the metadata document (trying /.well-known/openid-configuration before /.well-known/oauth-authorization-server), reads jwks_uri from it, caches the JWK Set, and from then on also checks that every token's iss claim equals the configured issuer. The issuer the resource server is configured with must therefore be exactly the URL msvc-auth advertises, scheme and port included.
The public key is published at /oauth2/jwks as a JWK Set so that resource servers can verify token signatures. A random key ID (UUID) is assigned to each key pair and carried in the kid header of every token it signs; that is how a verifier picks the right key out of the set.
Keys are not persisted. Every restart generates a new key pair with a new kid, which invalidates all previously issued tokens: a resource server looking up the old kid in the refreshed JWK Set finds nothing and rejects the token. The same failure appears if more than one replica of msvc-auth is running, since each pod would sign with its own key. In production, externalise the key pair (for example via a Kubernetes Secret) and expose it as a JWKSource bean so that every instance, and every restart, signs with the same key.
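What a resource server does with the JWK Set, and why a restart breaks existing tokens, as an added example in Go that is not the project's own code. It generates an RSA key pair with a random kid the way msvc-auth does, signs an RS256 token, verifies it through a kid lookup in the JWK Set, then generates a second pair to stand in for a restart. The issuer http://msvc-auth:9000 is assumed to be the value of LB_AUTH_ISSUER_URI; the JWK shape (kty, kid, n, e) is the standard one served at /oauth2/jwks.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Issuer carried in every token; assumed to equal LB_AUTH_ISSUER_URI in the deployment.
const issuer = "http://msvc-auth:9000"

var enc = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// JWK is one entry of the JWK Set served at /oauth2/jwks: the public half of the key only.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// KeyPair mirrors what msvc-auth creates at startup: a fresh RSA key plus a random kid.
type KeyPair struct {
	Kid  string
	Priv *rsa.PrivateKey
}

func NewKeyPair() (*KeyPair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	id := make([]byte, 16) // msvc-auth formats its random kid as a UUID; hex does the same job here
	rand.Read(id)
	return &KeyPair{Kid: fmt.Sprintf("%x", id), Priv: priv}, nil
}

// JWKSet is what this key pair would publish at /oauth2/jwks.
func (k *KeyPair) JWKSet() []JWK {
	pub := k.Priv.PublicKey
	e := big.NewInt(int64(pub.E)).Bytes()
	return []JWK{{Kty: "RSA", Kid: k.Kid, N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(e)}}
}

// Sign issues an RS256 JWT carrying the claims a resource server checks (iss, exp) plus sub and scope.
func (k *KeyPair) Sign(sub string, now time.Time, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": k.Kid, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": issuer, "sub": sub, "iat": now.Unix(), "exp": now.Add(ttl).Unix(), "scope": "openid read"})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, k.Priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + enc.EncodeToString(sig), nil
}

// Verify does what a resource server does with its cached JWK Set: select the key by kid, check the
// RS256 signature, then iss and exp. A token signed by a key that is no longer in the set (an earlier
// restart, or another replica with its own key) fails at the kid lookup before anything else runs.
func Verify(token string, keys []JWK, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	var hdr struct{ Alg, Kid string }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, fmt.Errorf("unreadable header")
	}
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unsupported alg %q", hdr.Alg) } // never let the token choose the algorithm
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := enc.DecodeString(k.N)
			e, _ := enc.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no key with kid %q in JWK Set", hdr.Kid) }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any // only now are the claims trustworthy
	if cb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(cb, &claims) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if claims["iss"] != issuer { return nil, fmt.Errorf("unexpected issuer %v", claims["iss"]) }
	if exp, _ := claims["exp"].(float64); float64(now.Unix()) >= exp { return nil, fmt.Errorf("token expired") }
	return claims, nil
}

func main() {
	before, _ := NewKeyPair()
	after, _ := NewKeyPair() // a restart of msvc-auth produces a new pair with a new kid
	tok, _ := before.Sign("alice@example.com", time.Now(), 5*time.Minute)
	_, err := Verify(tok, before.JWKSet(), time.Now())
	fmt.Println("same key pair:", err)
	_, err = Verify(tok, after.JWKSet(), time.Now())
	fmt.Println("token issued before the restart:", err)
}
```

The order of checks in Verify is deliberate: the alg check comes first so a token cannot ask for none or for an HMAC over the public key, the kid lookup second, and the claims are only decoded and trusted after the signature has verified. The second Verify call in main is exactly what a resource server sees after msvc-auth restarts without a persisted key.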
Environment variable  Description                                                     Example
LB_AUTH_REDIRECT_URI  Base URL appended with /authorized as the OAuth2 redirect URI   http://msvc-usuarios:8001
msvc-auth uses Spring Cloud Kubernetes client-side load balancing (spring-cloud-starter-kubernetes-client-loadbalancer). When deployed to Kubernetes, the WebClient call to http://msvc-usuarios/login is resolved through Kubernetes service discovery: the host part of the URL is treated as a service name, the load balancer looks up that service's endpoints through the Kubernetes API and picks a pod, so no hard-coded IP addresses are needed. This only applies to a WebClient built from a @LoadBalanced WebClient.Builder; the call itself is plain HTTP inside the cluster, which is another reason the /login endpoint must stay internal.
The image uses a two-stage build: the builder stage compiles and packages the JAR with Maven Wrapper, and the runtime stage copies only the packaged JAR, so neither Maven nor the source tree ends up in the final image, which keeps it small.
msvc-auth requires msvc-usuarios to be running before it can authenticate any user. The UsuarioService calls GET /login?email={email} on msvc-usuarios inside loadUserByUsername. If the upstream service is unreachable, the login attempt fails with UsernameNotFoundException. Be aware that Spring Security's DaoAuthenticationProvider hides UsernameNotFoundException behind a generic BadCredentialsException by default, so an outage of msvc-usuarios looks like a wrong password to the end user; check the msvc-auth logs rather than the login page when diagnosing it.