I would like to get suggestions from SO users on the best way to solve this problem.
I use an Identity manager (that supports OpenID Connect), a frontend client (alias FE), a BFF (alias BFF) and two backend APIs written in Spring and Spring Boot re. My requirement is this:
- FE redirects to the IDM and gets a JWT token after successful authentication. The JWT has the correct claims as well, and the discovery URL exposes the public key to verify the JWT token. FE then calls an API via its BFF.
- BFF calls API-1, which in turn calls API-2.
- API-2 should validate the logged-in user to ensure that the "Manager" grant is associated with the JWT token.
API-1 and API-2 above are two Spring APIs, and I am assuming for this question that the BFF passes the JWT token to API-1 and that API-1 follows the recommended process to validate the token as well.
My question is: what is the recommended way for API-1 to get the token from the request headers and pass it on to API-2 using Spring features?
(Currently, I use thread-locals to facilitate this, i.e. in the request filter I add the received header to a thread-local, then API-1 carries out its logic and, at the point of invoking API-2, I fetch the header from the thread-local and pass it to API-2. I highly doubt that this is the recommended way of doing it...)