I have a public Spring web app providing REST API over HTTPS. It currently uses just HTTP basic authentication.

I was asked to implement JWT support. I would like to do it but keep it simple: avoid things like OAuth (which is a must-have in current Spring, since the former spring-security-jwt is deprecated).

In my understanding it would be secure to use JWT (over HTTPS) without OAuth, so I can benefit from the JWT standard without needing a dedicated authorization server.

  • Is this setup a standard/common approach?
  • Could you please provide any example in Spring environment?

My idea was to use a library like jjwt together with Spring Security.

Mamut

1 Answer

Yes, it is OK and highly recommended. One of the issues with HTTP basic authentication is that you depend on your credentials, which you need to put in the header. It is better to obtain JWT tokens (bearer, refresh) and use them as bearer and refresh tokens, with proper expiration and refresh strategies.
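The setup the answer describes (short-lived bearer access token, longer-lived refresh token, no authorization server) in Spring Security with jjwt. This is an added example, not code from the question or the answer; it assumes jjwt 0.11.x (`jjwt-api`, `jjwt-impl`, `jjwt-jackson`) and Spring Security 5.x with the servlet stack, and the class names `JwtTokenService` and `JwtAuthFilter`, the `typ` claim values and the TTLs are choices made here, not anything the page prescribes.

```java
// Added example (not the page's own code). Assumes jjwt 0.11.x and Spring Security 5.x.
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;

/** Issues and validates HS256-signed access and refresh tokens (hypothetical class name). */
public class JwtTokenService {
    private static final Duration ACCESS_TTL = Duration.ofMinutes(15);  // short: limits replay window
    private static final Duration REFRESH_TTL = Duration.ofDays(7);
    private final SecretKey key;
    private final String issuer;

    /** secret must be >= 32 random bytes for HS256; load it from config, never hard-code it. */
    public JwtTokenService(byte[] secret, String issuer) {
        this.key = Keys.hmacShaKeyFor(secret);
        this.issuer = issuer;
    }

    public String issueAccessToken(String username, List<String> roles) {
        return build(username, "access", ACCESS_TTL).claim("roles", roles).compact();
    }

    public String issueRefreshToken(String username) {
        return build(username, "refresh", REFRESH_TTL).compact();
    }

    /** Exchange a valid refresh token for a new access token (roles re-read from your user store). */
    public String refresh(String refreshToken, List<String> currentRoles) {
        Claims c = parse(refreshToken, "refresh");
        return issueAccessToken(c.getSubject(), currentRoles);
    }

    /** Verifies signature, expiry and issuer; parseClaimsJws rejects unsigned ("alg":"none") tokens. */
    public Claims parse(String token, String expectedType) {
        Claims c = Jwts.parserBuilder()
                .requireIssuer(issuer)
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token)      // throws JwtException on bad signature / expired / wrong issuer
                .getBody();
        // The typ claim stops a refresh token from being presented as a bearer token and vice versa.
        if (!expectedType.equals(c.get("typ", String.class))) {
            throw new JwtException("unexpected token type");
        }
        return c;
    }

    private io.jsonwebtoken.JwtBuilder build(String subject, String typ, Duration ttl) {
        Instant now = Instant.now();
        return Jwts.builder()
                .setIssuer(issuer)
                .setSubject(subject)
                .claim("typ", typ)
                .setIssuedAt(Date.from(now))
                .setExpiration(Date.from(now.plus(ttl)))
                .signWith(key, SignatureAlgorithm.HS256);
    }
}

/** Reads "Authorization: Bearer <jwt>" and populates the SecurityContext (hypothetical class name). */
class JwtAuthFilter extends OncePerRequestFilter {
    private final JwtTokenService tokens;

    JwtAuthFilter(JwtTokenService tokens) { this.tokens = tokens; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Claims c = tokens.parse(header.substring("Bearer ".length()), "access");
                @SuppressWarnings("unchecked")
                List<String> roles = c.get("roles", List.class);
                var authorities = roles.stream()
                        .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                        .collect(Collectors.toList());
                SecurityContextHolder.getContext().setAuthentication(
                        new UsernamePasswordAuthenticationToken(c.getSubject(), null, authorities));
            } catch (JwtException | IllegalArgumentException e) {
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid or expired token");
                return;   // do not continue the chain with an unauthenticated context
            }
        }
        chain.doFilter(req, res);
    }
}
```

Wire the filter in with `http.addFilterBefore(new JwtAuthFilter(service), UsernamePasswordAuthenticationFilter.class)` and keep only the login and refresh endpoints unauthenticated; the login endpoint checks the password once and returns both tokens. Two caveats a practitioner should keep in mind: a purely stateless refresh token cannot be revoked before it expires, so either store a per-token identifier server-side so it can be invalidated or accept a seven-day exposure window if one leaks; and with HS256 the same key both signs and verifies, so every service that verifies tokens can also mint them, which is fine for a single app but is the reason to switch to RS256/ES256 once more than one service validates tokens.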