Scenario: Spring Cloud Gateway as OAuth2 client. Authorization rules are configured in the services behind the gateway. When an end user sends a request to a service through the gateway, and the microservice returns an unauthorized response.
Expected Behavior: Spring Security examines the response status; if the status is unauthorized (401), it commences the authentication process, otherwise it returns the response as it is.
Current Behavior: Spring Cloud Gateway returns exactly the response returned by the service behind the gateway.
Context: One of the workarounds is to configure the service's authorization rules on Spring Cloud Gateway. But obviously it's better to let the service decide whether a URL needs authorization or not.
Comment From: jzheaux
This sounds like something that should be configured in the gateway. If a service is fronted by a gateway, the typical arrangement is that the service will commence authentication by returning a 401. Then, the gateway reacts to that 401. You can see this sample and its behavior when requesting :8000/flights/all without authentication.
I'd recommend either asking this question on StackOverflow (and posting the link to your question here so others can follow) or posting your concern to the Spring Cloud team.
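One way a gateway could react to a downstream 401, as an added example that is not code from this thread, the linked sample, or Spring itself. It assumes `oauth2Login()` is enabled on the gateway with Spring Security's default `/oauth2/authorization/{registrationId}` endpoint; the class name and the registration id `my-idp` are hypothetical.

```java
import java.net.URI;
import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/** Added example: turns a downstream 401 into a redirect to the gateway's OAuth2 login. */
@Component
public class DownstreamUnauthorizedFilter implements GlobalFilter {

    // Hypothetical client registration id; use the one configured under
    // spring.security.oauth2.client.registration.* on the gateway.
    private static final String REGISTRATION_ID = "my-idp";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        ServerHttpResponse response = exchange.getResponse();
        // Runs after the routed service has answered but before the headers are
        // written, so the status can still be changed here.
        response.beforeCommit(() -> {
            if (isUnauthorized(response) && isBrowserNavigation(exchange.getRequest())) {
                response.getHeaders().remove(HttpHeaders.WWW_AUTHENTICATE);
                response.getHeaders().setLocation(URI.create("/oauth2/authorization/" + REGISTRATION_ID));
                response.setStatusCode(HttpStatus.FOUND);
            }
            return Mono.empty();
        });
        return chain.filter(exchange);
    }

    private static boolean isUnauthorized(ServerHttpResponse response) {
        return response.getStatusCode() != null && response.getStatusCode().value() == 401;
    }

    // Redirect only top-level GET page loads; API/XHR clients keep the 401 so a
    // login page is never returned where JSON is expected.
    private static boolean isBrowserNavigation(ServerHttpRequest request) {
        return HttpMethod.GET.equals(request.getMethod())
                && request.getHeaders().getAccept().stream()
                        .anyMatch(MediaType.TEXT_HTML::equalsTypeAndSubtype);
    }
}
```

The redirect target is a fixed local path, so nothing from the downstream response can steer it. This version does not save the originally requested URL, so after login the user lands on the default success page.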