
I would like to get suggestions from SO users to find the best way to solve this problem.

I use an Identity manager (that supports OpenID Connect), a frontend client (alias FE), a BFF (alias BFF) and two backend APIs written in Spring and Spring Boot re. My requirement is this:

  1. FE redirects to IDM and gets a JWT token after successful authentication. The JWT has the correct claims as well, and the discovery URL has the public key to verify the JWT token as well. FE calls an API via its BFF.
  2. BFF calls API-1, which in turn calls API-2.
  3. API-2 should validate the logged-in user to ensure that the "Manager" grant is associated with the JWT token.

API-1 and API-2 above are two Spring APIs, and I am assuming for this question that the BFF passes the JWT token to API-1 and that API-1 follows the recommended process to validate the token as well.

My question is: what is the recommended way for API-1 to get the token from the request headers and pass it to API-2 using Spring features?

(Currently, I use thread-locals to facilitate this, i.e. in the request filter I add the received header to a thread-local, then the service carries out its logic and at the point of invoking API-2 I fetch the header from the thread-local space and pass it to API-2. I highly doubt that this is the recommended way of doing it...)

code_kbd
  • Anyone who could help on this? :( Isn't this question clear enough? Or is this something that I should not do in a production setup? – code_kbd Jul 26 '20 at 21:48
  • 1
    In our current project setup, the FE passes the login request to the openid connect provider and gets a JWT. The FE then calls the BE passing the JWT as a bearer token in the Authorization header. In our case , all the BE calls go via our api gateway which validates the JWT using the JWKS. – T Anna Jul 26 '20 at 22:18
  • Thanks a lot for answering - however, this means that the API gateway will be quite overloaded with all the internal requests going through as well? I thought about this as well, but I am skeptical about it since it goes back to the API gateway while we actually have all the details in the JWT to authorize. – code_kbd Jul 28 '20 at 06:53
  • OK, I think I get what you are saying. Yes, even for us, internal calls between APIs don't go via the gateway. But even if that's the case and you have to pass the JWT between APIs, why not use the standard Authorization header and send it as a bearer token when calling the REST endpoint of the second API? – T Anna Jul 28 '20 at 09:00
  • Hi Anna. I do that now. As I have mentioned, I actually use thread-locals to do it: I save the JWT in the thread-local and then I pass it to other APIs. However, is it the acceptable way of doing it? That is my question. It becomes cumbersome since I have a service that calls 8-10 other services as well. Thanks again for your comment. – code_kbd Jul 28 '20 at 16:04

1 Answer


> My question is what is the recommended way for API-1 to get the token in the request headers and pass it to API-2

You can specify the request header as a parameter of the controller method.

Example:

@GetMapping("/greeting")
public ResponseEntity<String> greeting(
    @RequestHeader("Authorization") String authnHeader) {
    // authnHeader now holds the incoming "Bearer <jwt>" value for the downstream call
    return ResponseEntity.ok("greeting");
}

and you can use a RestTemplate to pass the Authorization header value to the backend calls.

POST example 2:

import org.springframework.http.HttpEntity;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Copy the incoming Authorization header value onto the outgoing request
MultiValueMap<String, String> headers = new LinkedMultiValueMap<>();
headers.add("Authorization", authnHeader);
headers.add("Content-Type", "application/json");

RestTemplate restTemplate = new RestTemplate();

// ObjectToPass, objectToPassInstance and urlPost are placeholders for the request body type,
// body instance and target URL of API-2
HttpEntity<ObjectToPass> request = new HttpEntity<>(objectToPassInstance, headers);

Boolean result = restTemplate.postForObject(urlPost, request, Boolean.class);
gusto2
  • My question is more on how to pass the token within the code base as well. Your answer is correct when considering the portion of passing the "token" from API-1 to API-2, but how does it keep the token in the session on API-1 before passing it to API-2 (thread-locals?) – code_kbd Dec 22 '22 at 05:41
  • Apologies for not being clear in the original question. – code_kbd Dec 22 '22 at 05:42