The Auth Service (sgivu-auth) is the OAuth2/OpenID Connect authorization server that handles authentication and token issuance for the entire SGIVU platform.

Service Overview

Port           9000
Database       PostgreSQL
Session Store  JDBC (PostgreSQL)
Role           OAuth2 Authorization Server

Key Features

  • OAuth2 Authorization Server with Spring Authorization Server
  • JWT token generation using keystore-based signing
  • Session management with JDBC persistence
  • User authentication and authorization
  • Integration with User Service for user data
  • Database migration with Flyway

Base Configuration

Server Settings

server:
  port: ${PORT:9000}
  forward-headers-strategy: framework
forward-headers-strategy: framework makes Spring honour the X-Forwarded-* headers set by the gateway, so redirect and issuer URLs generated by the auth service reflect the external scheme, host and port rather than the internal container address.

Session Management

The auth service uses JDBC-based session storage:
spring:
  session:
    store-type: jdbc
    jdbc:
      initialize-schema: never
      table-name: SPRING_SESSION
      cleanup-cron: 0 */15 * * * *
      flush-mode: on_save
      save-mode: on_get_attribute
  • store-type: jdbc - Sessions stored in PostgreSQL
  • initialize-schema: never - Spring Session does not create its own tables; the SPRING_SESSION and SPRING_SESSION_ATTRIBUTES tables must already exist (managed through the Flyway migrations)
  • cleanup-cron: 0 */15 * * * * - Cleans expired sessions every 15 minutes
  • flush-mode: on_save - Writes to the database only when the session is explicitly saved (at the end of the request)
  • save-mode: on_get_attribute - Attributes are persisted when they are read as well as when they are set

JWT Configuration

The service uses a keystore to sign JWT tokens:
sgivu:
  jwt:
    keystore:
      location: ${JWT_KEYSTORE_LOCATION}
      password: ${JWT_KEYSTORE_PASSWORD}
    key:
      alias: ${JWT_KEY_ALIAS}
      password: ${JWT_KEY_PASSWORD}
These credentials must be kept secure and never committed to source control. Use environment variables or secure secret management.
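Added example (not code from the sgivu-auth project): how the sgivu.jwt.* block above is typically turned into the signing key Spring Authorization Server uses. It assumes Spring Boot 3 with Spring Authorization Server and nimbus-jose-jwt on the classpath; the JwtProperties and JwtKeyConfig names are hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ResourceLoader;

// Binds the sgivu.jwt.* block; the values arrive through the JWT_KEYSTORE_* and
// JWT_KEY_* environment variables, never as literals in the YAML. (hypothetical names)
@ConfigurationProperties(prefix = "sgivu.jwt")
record JwtProperties(Keystore keystore, Key key) {
    record Keystore(String location, String password) {}
    record Key(String alias, String password) {}
}

@Configuration
@EnableConfigurationProperties(JwtProperties.class)
class JwtKeyConfig {

    // Spring Authorization Server signs tokens with the JWKSource<SecurityContext>
    // bean it finds and publishes the public half on /oauth2/jwks for resource servers.
    @Bean
    JWKSource<SecurityContext> jwkSource(JwtProperties props, ResourceLoader loader) throws Exception {
        // The JDK default keystore type (PKCS12) also reads .jks files on modern JDKs.
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // ResourceLoader resolves "classpath:keystore.jks" and "file:/path/keystore.jks" alike.
        try (InputStream in = loader.getResource(props.keystore().location()).getInputStream()) {
            keyStore.load(in, props.keystore().password().toCharArray());
        }
        // Loads the key pair stored under the alias; the key password unlocks the private half.
        // nimbus sets the JWK "kid" to the alias, so a key rotation is a change of JWT_KEY_ALIAS.
        RSAKey rsaKey = RSAKey.load(keyStore, props.key().alias(), props.key().password().toCharArray());
        if (rsaKey == null || !rsaKey.isPrivate()) {
            // Fail at startup instead of running an issuer that cannot sign tokens.
            throw new IllegalStateException("no RSA private key under alias " + props.key().alias());
        }
        return new ImmutableJWKSet<>(new JWKSet(rsaKey));
    }
}
```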

Issuer Configuration

issuer:
  url: ${ISSUER_URL:http://sgivu-auth:9000}
This URL is embedded in every JWT as the iss claim; resource servers compare it against the issuer they are configured to trust, so it must be reachable under exactly this value from every service that validates tokens.

Database Configuration

JPA Settings

spring:
  jpa:
    open-in-view: false
open-in-view: false disables the Open Session in View pattern, so the persistence context is not held open for the whole web request; lazy loading outside a transaction then fails fast instead of silently issuing queries from the web layer, which keeps all database access within explicit transaction boundaries.

Flyway Migration

spring:
  flyway:
    enabled: true
    locations: classpath:db/migration
    baseline-on-migrate: ${FLYWAY_BASELINE_ON_MIGRATE:false}
    baseline-version: 0
    validate-on-migrate: true

Development Overrides

spring:
  datasource:
    url: jdbc:postgresql://${DEV_AUTH_DB_HOST:host.docker.internal}:${DEV_AUTH_DB_PORT:5432}/${DEV_AUTH_DB_NAME}
    username: ${DEV_AUTH_DB_USERNAME}
    password: ${DEV_AUTH_DB_PASSWORD}
    driver-class-name: org.postgresql.Driver
  jpa:
    hibernate:
      ddl-auto: validate
    show-sql: true
    properties:
      hibernate:
        format_sql: true
  flyway:
    baseline-on-migrate: true
    clean-disabled: false
The development profile enables SQL logging (show-sql and format_sql) and, with clean-disabled: false, allows Flyway clean operations so the test database can be reset.

Service Integration

Eureka Registration

eureka:
  instance:
    instance-id: ${spring.cloud.client.hostname}:${spring.application.name}:${random.value}
  client:
    service-url:
      defaultZone: ${EUREKA_URL:http://sgivu-discovery:8761/eureka}

Service Discovery Map

services:
  map:
    sgivu-user:
      name: sgivu-user
      url: ${SGIVU_USER_URL:http://sgivu-user:8081}
The auth service communicates with the User Service to retrieve user details during authentication.

Gateway Client Configuration

gateway-client:
  url: ${SGIVU_GATEWAY_URL:http://sgivu-gateway:8080}
  secret: ${SGIVU_GATEWAY_SECRET}
This configuration defines the OAuth2 client credentials for the gateway: its base URL and the client secret it presents to the auth service.

Security Configuration

Internal Service Authentication

service:
  internal:
    secret-key: ${SERVICE_INTERNAL_SECRET_KEY}
This shared secret authenticates internal service-to-service API calls.

Session Configuration

spring:
  session:
    timeout: 2h
Development sessions last 2 hours for convenience.

Client Configuration

angular-client:
  url: ${DEV_ANGULAR_APP_URL}
Defines the allowed redirect URIs for the Angular frontend application.

Observability

Actuator Endpoints

management:
  endpoints:
    web:
      exposure:
        include: "*"
  endpoint:
    health:
      show-details: always
All actuator endpoints are exposed for debugging. Because include: "*" also covers sensitive endpoints such as env and heapdump, this exposure belongs on the internal network only.

Distributed Tracing

management:
  tracing:
    sampling:
      probability: 0.1
  zipkin:
    tracing:
      endpoint: http://sgivu-zipkin:9411/api/v2/spans
Samples 10% of requests to reduce overhead while maintaining visibility into system behavior.

Logging

logging:
  level:
    root: INFO

API Documentation

springdoc:
  swagger-ui:
    url: /docs/auth/v3/api-docs
    configUrl: /docs/auth/v3/api-docs/swagger-config
openapi:
  server:
    url: ${OPENAPI_SERVER_URL}
Production overrides the server URL for public API documentation.

Required Environment Variables

All Environments

Variable                     Description                      Example
SERVICE_INTERNAL_SECRET_KEY  Shared secret for internal APIs  your-secret-key
JWT_KEYSTORE_LOCATION        Path to JWT keystore             classpath:keystore.jks
JWT_KEYSTORE_PASSWORD        Keystore password                changeit
JWT_KEY_ALIAS                Key alias in keystore            sgivu-jwt
JWT_KEY_PASSWORD             Key password                     changeit
SGIVU_GATEWAY_SECRET         Gateway OAuth2 client secret     gateway-secret

Development

Variable               Description
DEV_AUTH_DB_HOST       Database host
DEV_AUTH_DB_PORT       Database port
DEV_AUTH_DB_NAME       Database name
DEV_AUTH_DB_USERNAME   Database username
DEV_AUTH_DB_PASSWORD   Database password
DEV_ANGULAR_APP_URL    Angular app URL

Production

Variable                Description
PROD_AUTH_DB_HOST       Database host
PROD_AUTH_DB_PORT       Database port
PROD_AUTH_DB_NAME       Database name
PROD_AUTH_DB_USERNAME   Database username
PROD_AUTH_DB_PASSWORD   Database password
PROD_ANGULAR_APP_URL    Angular app URL
OPENAPI_SERVER_URL      Public API docs URL

Optional

Variable                    Description           Default
PORT                        Service port          9000
EUREKA_URL                  Eureka server URL     http://sgivu-discovery:8761/eureka
ISSUER_URL                  JWT issuer URL        http://sgivu-auth:9000
SGIVU_USER_URL              User service URL      http://sgivu-user:8081
FLYWAY_BASELINE_ON_MIGRATE  Baseline existing DB  false

Configuration Files

  • sgivu-auth.yml - Base configuration
  • sgivu-auth-dev.yml - Development overrides
  • sgivu-auth-prod.yml - Production overrides
