How do Anonymous User Flows Work?

How do approach anonymous user flows with Broadleaf Microservices?

The reference accelerator projects provide an example of how we would typically recommend approaching anonymous user flows using an API Gateway (e.g. Spring Cloud Gateway).

  • The storefront accelerator project utilizes a middle layer (i.e. it does not communicate directly with the backend APIs) consisting of a simple Spring Boot application based on Spring Cloud Gateway ( All requests pass through the "Commerce Gateway" as this proxy is configured with "routes" to the backend and also supports a variety of "utility" filters to aid in other ancillary request flows (e.g. anonymous user flows)
  • All requests that go through the Commerce Storefront gateway that are currently not "authorized" will pass through the OAuth2ClientCredentialsGatewayFilterFactory to retrieve and be authorized as "anonymous" before it forwards the request through to the backend services
  • In the default demo data - you'll also notice that the gateway defines "client credentials" for an authorized client called "anonymous gateway client". You'll see it load this authorized client under the default "Services Client". This defines some existing read-only scopes and permissions that you would typically associated with an "anonymous" flow.

  • From a performance standpoint, you'll also notice that OAuth2ClientCredentialsGatewayFilterFactory employs a simple caching mechanism as well so that it doesn't necessarily need to hit Auth all the time to get these client credentials.
  • Finally, in the Spring Cloud Gateway project, we also configure (at the route level), which routes need anonymous access and then enable the above filter by configuring it in the applicable application.yml file under each route.