Basic Auth + JWT vs. OAuth2







I have an application consisting of microservices: gateway + discovery service + microservices.
Right now I'm implementing Spring Security in the Zuul gateway, so after a successful login it returns a JWT with the grants. So the gateway acts as an authorization and authentication server. I think this way the ecosystem is secure because the gateway won't allow any unauthorized access to the endpoints.

I'm applying this flow because I don't want to individually configure every microservice. This is a single secure entry point.

And now, I've read about OAuth and made an implementation in a demo app, but I don't understand correctly if OAuth2 will make my app easier or will add unnecessary complexity. I read that Spring Auth Server is not yet implemented, so I think I would need to use Okta or Keycloak.

What would be the advantage of implementing OAuth2 vs Gateway + Basic Auth + JWT?

As an additional note:
The app consists of different apps with different UIs; I will distinguish which user can access which product by their group.

Thank you so much for your advice.


Score: 1







If I understand correctly you are using JWT without OAuth2?

> What would be the advantage of implementing Oauth2 vs Gateway + Basic
> Auth + JWT?

OAuth2 is an access delegation protocol that supports specific flows in your application. OAuth2 standardizes how your token (e.g. a JWT) is obtained by a user or another web application. So in your case it can be understood as generating JWT tokens in a standardized way.

Are there any benefits because of that? It depends.

Having an OAuth2 Authorization Server enables you to integrate some 3rd-party apps with your security (only if they support OAuth2/OpenID). If it is (or will be) your case then you should consider using OAuth2 in your application.

Your current setup (Basic Auth + JWT) may have some security concerns. If I understood you correctly, you are sending user credentials (username + password) in the Authorization header and exchanging them for a JWT? If users log in using a public client (web page with login form) then you are just using OAuth2 + password grant type flow, which is considered a serious security concern (https://www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications).

The question you should ask is what the potential problems with using Basic Authentication are and how those problems can be solved by OAuth2.

> And now, I've read about OAuth and made an implementation in a demo
> app but I don't understand correctly if OAuth2 will make my app easier
> or will add unnecessary complexity. I read that Spring Auth Server is
> not yet implemented so I think I would need to use Okta or Keycloak.

You don't have to use Okta or Keycloak. You can create your own Authorization Server in Spring (https://docs.spring.io/spring-security-oauth2-boot/docs/current/reference/html5/). This can be treated as another service in your microservice architecture responsible for authorization (issuing tokens, for example). Optionally you could add a user management API there (managing privileges to other parts of your system) and remove that from the gateway.


Score: 0




In a microservices architecture, I would strongly recommend you to have an individual Authorization microservice to perform the authorization task.

Coming to your question of OAuth vs JWT: OAuth2 is a protocol which defines standards for how the authentication tokens have to be used, whereas JWT is actually a token format. You could use JWT in OAuth2 as well, or the more standard token format of SAML2.


Score: 0



If you do not use JWT, then when your system becomes large, more and more auth checks need to be handled by the Auth Server.
With JWT, you can export the user details in the payload of the token.
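The point this last answer makes (the gateway validates the JWT locally and reads user details such as groups from the payload, rather than asking the auth server on every request), combined with the group-to-product rule from the question, as an added example that is not code from this thread or from Spring. It is a stdlib-only HS256 issue/verify sketch; the shared secret, the product-to-group mapping and the claim names are assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret-not-for-production"  # constructed HS256 key shared by auth server and gateway
# Assumed mapping: which user groups may reach which product prefix behind the gateway.
PRODUCT_GROUPS = {"/billing": {"finance", "admin"}, "/inventory": {"ops", "admin"}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, groups, ttl=300, now=None):
    """Auth server side, done once at login: put the user's groups in the payload."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "groups": list(groups), "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, now=None):
    """Gateway side, without calling the auth server: check alg, signature and expiry."""
    try:
        h, p, s = token.split(".")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm other than the one we issue
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None  # signature does not match: tampered or foreign token
        claims = json.loads(_b64url_decode(p))
        now = int(time.time()) if now is None else now
        if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
            return None  # expired (or malformed) claims
        return claims
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong segment count, bad base64 or bad JSON

def authorize(token, path, now=None):
    """Gateway decision: may any of the caller's groups reach the product at this path?"""
    claims = verify_token(token, now)
    if claims is None:
        return False
    for prefix, allowed in PRODUCT_GROUPS.items():
        if path.startswith(prefix):
            return bool(allowed & set(claims.get("groups", [])))
    return False  # unknown product prefix: deny by default
```

The `now` parameter exists only so the expiry check can be exercised deterministically; in a real gateway the clock is taken from the system.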

  • Published on 17 October 2020, 12:23:46
  • Please keep the link to this article when reposting: https://go.coder-hub.com/64398982.html



