Debugging 403 Errors with Spring Cloud Gateway, WebFlux, PingFederate, and CORS

By -

Debugging 403 Errors with Spring Cloud Gateway, WebFlux, PingFederate, and CORS



A real-world postmortem on a confusing 403 that turned out not to be OAuth, JWT, or Spring Security — but CORS.

Background

We recently ran into a frustrating issue while integrating:

  • Spring Cloud Gateway
  • Spring Boot WebFlux backend
  • PingFederate (OIDC / OAuth2)
  • A React frontend running locally (http://localhost:4200)

The request flow looked like this:

  1. User logs in via PingFederate (SSO)
  2. Frontend receives an access token
  3. Frontend sends POST requests → Gateway → Backend service

Everything worked perfectly when:

  • Calling the backend directly via Postman
  • Calling the backend directly without the gateway
  • Running everything locally

But once the request went through Spring Cloud Gateway in OpenShift, all POST requests failed with:

403 Forbidden

Why This Was Confusing

  • The same access token worked in Postman
  • GET requests succeeded, POST requests failed
  • No role or scope checks were configured
  • 401 vs 403 behavior differed across environments
  • JWT issuer, audience, and signature were correct

Everything initially pointed to an OAuth or PingFederate issue — but that assumption was wrong.

Key Observations That Cracked the Case

1. Postman Works, Browser Fails

The same request behaved differently depending on the client:

  • Postman → success
  • Browser (via gateway) → 403

This strongly suggested the problem was not token-related.

2. Adding an Origin Header Breaks Postman

When we manually added this header in Postman:

Origin: http://localhost:4200

The request immediately failed with:

403 Forbidden

This confirmed the issue was tied to CORS handling.

The Real Root Cause

CORS Enforcement by Spring Security

The backend is a Spring Boot WebFlux application configured as an OAuth2 Resource Server:

oauth2ResourceServer(oauth2 -> oauth2.jwt())

Once issuer-uri (PingFederate) is enabled, Spring Security applies stricter request validation. When an Origin header is present:

  • The request is treated as a CORS request
  • If no explicit CORS configuration exists, Spring Security rejects it
  • The result is a 403 Forbidden response

This explains why:

  • Postman works (no Origin header)
  • Browser + Gateway fails (Origin forwarded)
  • GET often works (no preflight)
  • POST fails (CORS enforced)

Why It Didn’t Happen with public-key-location

Using a legacy setup:

jwt:
  public-key-location: classpath:public.key

Spring Security behaved more permissively, and the missing CORS configuration went unnoticed.

Switching to:

jwt:
  issuer-uri: https://fed.test.example.com

activated proper OAuth2 behavior — including CORS enforcement.

The Final Fix (Local Development)

For local debugging only, we removed the Origin header in the Node gateway proxy:

if (process.env.NODE_ENV === "development" && headers.origin) {
  // Avoid Spring Security CORS rejection during local debugging
  delete headers.origin;
}

This allowed local development to proceed without weakening production security.

Recommended Production Fix

The correct long-term solution is to explicitly configure CORS in the WebFlux backend, allowing only trusted origins.

Takeaways

  • 403 does not always mean authorization failure
  • If Postman works and browsers fail, suspect CORS first
  • issuer-uri enables stricter (and correct) security behavior
  • Gateways often forward Origin headers — know how your backend handles them

This issue turned out to be a great reminder: security bugs often hide at the boundaries between systems.

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular posts from this blog

fixed: embedded-redis: Unable to run on macOS Sonoma

By -
Image
Issue you might see below error while trying to run embedded-redis for your testing on your macOS after you upgrade to Sonoma. java.lang.RuntimeException: Can't start redis server. Check logs for details. Redis process log: at redis.embedded.AbstractRedisInstance.awaitRedisServerReady(AbstractRedisInstance.java:70) at redis.embedded.AbstractRedisInstance.start(AbstractRedisInstance.java:42) at redis.embedded.RedisServer.start(RedisServer.java:9) Solution use the latest one: https://mv   ...
Read more

Copying MDC Context Map in Web Clients: A Comprehensive Guide

By -
Image
Introduction In distributed systems, maintaining context across microservices is crucial for effective logging and tracing. The Mapped Diagnostic Context (MDC) in logging frameworks like Logback or Log4j allows developers to propagate contextual information such as request IDs, user IDs, or correlation IDs across threads and services. When using web clients to make outgoing requests, it's essential to propagate the MDC context map to ensure consistency and traceability. This guide will provide   ...
Read more

Reset user password for your own Ghost blog

By -
Image
If you do not config mail up for your ghost blog, it maybe a big problem once you lost your user password. however, methods are always more than problems. We can fix it up by reset it. 1. Find out your database name in your ghost config, it is maybe in config.production.json   "database": {     "client": "mysql",     "connection": {       "host": "localhost",       "user": "ghost-452",       "password": "dade1b0565f2585e07c7",       "database": "ghost_production_acm" 2. Use mysql to reset the password. mysql -u root -p Enter the password for root account. mysql> use ghost_production_acm; mysql> select * from users; ghost use bcrypthash for the password. You can get bcrypt hash string from http://bcrypthashgenerator.apphb.com/ mysql>update users set password=' $2b$10$PaL8tKcU4i0CsjRrM6BhROVQMwwLFw2HSx/kWlAUgja23fNllc2Fy' where ...
Read more