Spring Boot: Use incoming access token for outgoing requests. (Internally pass access token from RestController to Component.)
I am wondering what is the best way in a Spring Boot application to internally pass an access token from an incoming request through the different layers, before using it in an outgoing request?
The situation is the following: I am developing a Webapp (React) and Service A (Spring Boot). Authentication is handled using Keycloak.
Depending on the use case Service A has to make a request to Service B (plain Java). Service B is completely outside of my control. All I got from it is an OpenAPI spec for the API. (I can also not change this OpenAPI spec.)
Service B must be called with an access token issued to the user that made the original request to Service A. (Therefore client credential flow for inter service communication cannot be used.)
The code of Service A is organised according to Hexagonal Architecture. The request is received by a controller (which extracts the access token) and than passed to a service which makes a request to Service B.
I cannot call Service B from the Webapp directly.
Currently I'm using the naive approach to just pass the access token as a method parameter around. But it doesn't feel right to pollute all methods with a parameter that is not related to the business logic of the application.
Is there a better way to internally pass the access token around? Extracting it in the AccountController and have access to it in the AccountAdapterRest?
The "incoming" request authorization should be accessible from Spring security-context.
In case of OAuth2, this request is authorized with a Bearer token and the Bearer string is stored in the default Authentication implementations (JwtAuthenticationToken when using a JWT decoder and BearerTokenAuthentication when using introspection).
You can retrieve it from anywhere as follow:
static Optional<JwtAuthenticationToken> getCurrentRequestAuthentication() {
if(SecurityContextHolder.getContext().getAuthentication() instanceof JwtAuthenticationToken jwtAuth) {
return Optional.of(jwtAuth);
}
return Optional.empty();
}
static Optional<String> getBearerToken() {
return getJwtAuthentication().map(JwtAuthenticationToken::getToken).map(Jwt::getTokenValue);
}
As a side note, it is not quite recommended anymore to have Javascript based applications be configured as OAuth2 public clients. You should have a look at the BFF pattern where such application never access the tokens: it is secured with session on a middleware on the server which can be configured as a confidential client, retrieve and store tokens in a secured place and replace session cookie with OAuth2 access token before forwarding a request to the resource server(s). I have written a tutorial on Baeldung with spring-cloud-gateway configured as a BFF.
- Spring Properties Decryption
- How to replace a @MockBean?
- Cant compile spring boot on java 1.8
- Unable to autowire the MapStruct mapper
- MissingDependencyException: No mapping found for dependency [type=java.lang.String, name='struts.objectFactory.spring.autoWire.alwaysRespect']
- Spring Security Virtual Threads and ThreadLocal
- AnnotationConfigurationException since upgrade to Spring Boot 3/JDK 17
- No type attribute provided for component property in log4j2 with Spring Boot
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- Spring Boot JSP 404
- Facing the error "entityManagerFactory" while creating the demo spring boot application
- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Handler dispatch failed;
- No qualifying bean of type 'com...' available: expected at least 1 bean which qualifies as autowire candidate. Dependency annotations: {}
- Spring JdbcTemplate / NamedParameterJdbcTemplate passing null value as a parameter value
- Jackson fails due FAIL_ON_TRAILING_TOKENS but feature is disabled
- Spring Boot default H2 jdbc connection (and H2 console)
- How to post error messages to the HTML from in Struts 2?
- Spring rabbitmq testing - RabbitListenerTestHarness doesn't find any listener
- Still receiving 403 error after Spring Security login
- Using ssl certificate with feign
- How to make an annotation that calls other annotations
- How to use Hibernate reverse engineering to create annotatedClasses style?
- 415 unsupported media type angular spring boot POST PUT http methods
- MapStruct - @Mapper annotation don't create bean
- How can I correct include path for webjars?
- Spring mvc + Spring Jpa + tyhmleaf StackOverflowError
- spring-ws: no endpoint mapping found
- Spring boot with Spring data JPA: could not extract ResultSet
- How to display images and link CSS files to JSP pages
- Implements tri angluar table structure in JDBC