1
votes

I like to get suggestions of SO users to find the best way to solve this problem.

I use an identity manager (that supports OpenID Connect), a frontend client (alias FE), a BFF (alias BFF) and two backend APIs written in Spring and Spring Boot respectively. My requirement is this:

  1. FE redirects to the IDM and gets a JWT after successful authentication. The JWT has the correct claims as well, and the discovery URL has the public key to verify the JWT as well. FE calls an API via its BFF.
  2. BFF calls API-1, which in turn calls API-2.
  3. API-2 should validate the logged-in user to ensure that the "Manager" grant is associated with the JWT.

API-1 and API-2 above are two Spring APIs, and I am assuming for this question that the BFF passes the JWT to API-1 and that API-1 follows the recommended process to validate the token as well.

My question is: what is the recommended way for API-1 to get the token from the request headers and pass it to API-2 using Spring features?

(Currently, I use thread-locals to facilitate this, i.e. in the request filter I add the received header to a thread-local, then the service carries out its logic, and at the point of invoking API-2 I fetch the header from the thread-local and pass it to API-2. I highly doubt that this is the recommended way of doing it...)

1
Anyone who could help on this? :( Isn't this question clear enough? Or is this something that I should not do in a production setup? – code_kbd

In our current project setup, the FE passes the login request to the OpenID Connect provider and gets a JWT. The FE then calls the BE passing the JWT as a bearer token in the Authorization header. In our case, all the BE calls go via our API gateway, which validates the JWT using the JWKS. – T Anna

Thanks a lot for answering. However, this means that the API gateway will be quite overloaded with all the internal requests going through as well? I thought about this as well, but I am skeptical about it since it goes back to the API gateway while we actually have all the details in the JWT to authorize. – code_kbd

Ok, I think I get what you are saying. Yes, even for us, internal calls between APIs don't go via the gateway. But even if that's the case and you have to pass the JWT between APIs, why not use the standard Authorization header and send it as a bearer token when calling the REST endpoint of the second API? – T Anna

Hi Anna. I do that now. As I have mentioned, I actually use thread-locals to do it: I save the JWT in the thread-local and then pass it to the other APIs. However, my question is whether that is the acceptable way of doing it. It becomes cumbersome since I have a service that calls 8-10 other services as well. Thanks again for your comment. – code_kbd

1 Answer

0
votes

My question is what is the recommended way for the API-1 to get the token in the request headers and pass it to the API-2

You can bind the request header to a parameter of the controller method.

Example:

@GetMapping("/greeting")
public ResponseEntity<String> greeting(
        @RequestHeader("Authorization") String authnHeader) {
    // authnHeader holds the raw "Bearer <jwt>" value sent by the caller;
    // pass it on to API-2 (see the POST example below) before returning
    return ResponseEntity.ok("ok");
}

and you can use a RestTemplate to pass the Authorization header value on to the backend calls.

POST example:

import org.springframework.http.HttpEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Copy the caller's Authorization header (already "Bearer <jwt>") onto the outgoing call
MultiValueMap<String, String> headers = new LinkedMultiValueMap<String, String>();
headers.add("Authorization", authnHeader);
headers.add("Content-Type", "application/json");

// In a real service inject one shared RestTemplate bean instead of creating one per call
RestTemplate restTemplate = new RestTemplate();

HttpEntity<ObjectToPass> request = new HttpEntity<ObjectToPass>(objectToPassInstance, headers);

restTemplate.postForObject(urlPost, request, Boolean.class);
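The same token relay, moved out of controller parameters and hand-built header maps into Spring's own machinery, as an added example that is not code from the original answer or from the asker's project. It assumes both services are Spring Boot resource servers (spring-boot-starter-oauth2-resource-server with spring.security.oauth2.resourceserver.jwt.issuer-uri pointing at the identity manager, so the JWKS from the discovery document is used for signature checks before any code below runs), that the role claim in the JWT is named roles, and that API-2 is reachable at http://api-2; those names are assumptions. API-1 relays the already-validated token through a RestTemplate interceptor, and API-2 turns the claim into an authority and enforces the "Manager" grant with method security.

```java
// Added example, not code from the original answer. Assumes Spring Boot 3 / Spring
// Security 6 with spring-boot-starter-oauth2-resource-server on both services and
// spring.security.oauth2.resourceserver.jwt.issuer-uri set to the IdP, so the incoming
// JWT is already signature-, issuer- and expiry-checked before this code runs.
import java.io.IOException;

import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

// ---------- API-1: relay the caller's validated token to API-2 ----------

/** Attaches the current request's JWT to every call made through the RestTemplate below. */
class BearerTokenRelayInterceptor implements ClientHttpRequestInterceptor {
    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof JwtAuthenticationToken) {
            // getTokenValue() is the raw compact JWT that the resource-server filter verified
            String jwt = ((JwtAuthenticationToken) auth).getToken().getTokenValue();
            request.getHeaders().setBearerAuth(jwt);
        }
        // No JWT on this thread (e.g. a scheduled job): the call goes out without
        // credentials and API-2 answers 401, rather than a stale token being reused
        return execution.execute(request, body);
    }
}

@Configuration
class Api1ClientConfig {
    @Bean
    RestTemplate api2Client(RestTemplateBuilder builder) {
        return builder
                .rootUri("http://api-2")            // assumed address of API-2
                .additionalInterceptors(new BearerTokenRelayInterceptor())
                .build();
    }
}

@Service
class Api1Service {
    private final RestTemplate api2Client;

    Api1Service(RestTemplate api2Client) {
        this.api2Client = api2Client;
    }

    /** Service code never touches headers; the interceptor adds the bearer token. */
    String managerReport() {
        return api2Client.getForObject("/reports/manager", String.class);
    }
}

// ---------- API-2: enforce the "Manager" grant on the relayed token ----------

@Configuration
@EnableMethodSecurity
class Api2SecurityConfig {
    @Bean
    SecurityFilterChain api2Security(HttpSecurity http) throws Exception {
        // Map the IdP's role claim (assumed name "roles") to authorities without the
        // default "SCOPE_" prefix, so hasAuthority('Manager') matches the claim value
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName("roles");
        roles.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);

        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(converter)));
        return http.build();
    }
}

@RestController
class Api2ReportController {
    @PreAuthorize("hasAuthority('Manager')")   // 403 unless the validated JWT carries Manager
    @GetMapping("/reports/manager")
    String managerReport() {
        return "manager report";
    }
}
```

Two caveats a practitioner should check before relying on this. First, SecurityContextHolder is itself thread-local by default, so the asker's own concern still applies whenever API-1 calls API-2 from another thread (@Async, CompletableFuture, a thread pool): wrap the executor in Spring Security's DelegatingSecurityContextExecutor or DelegatingSecurityContextAsyncTaskExecutor so the context travels with the task. Second, the relayed token is the user's token unchanged, so API-2's audience validation must accept it (if the IdP issues it with an aud of API-1 only, API-2 will correctly reject it), and API-2 cannot distinguish a call made by API-1 on the user's behalf from a call made directly with the same token; if that distinction matters, the usual answer is to have API-1 exchange the token for one scoped to API-2 rather than forward it.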