使用用户名和密码进行身份验证后，如何在对 API 的所有后续调用中使用 BearerToken

Question

I have a CustomAuthenticationProvider that does a POST request to an API with username and password for authentication and the API returns an access token with expiry time.

Where do I set this token, so I can use the same token to make further calls to the API as long as the user is logged in. I also wanted to validate the token for expiry time before making another request.

Is it right approach to add the token to a customAuthenticationToken that extends UsernamePasswordAuthenticationToken and set it in the SecurityContext.

Please let me know your suggestions.

Answer 1

The token needs to be in the 'authorization' header for all calls. The value should be 'Bearer ' + token. If you are using a browser it gets a bit messy - let me know.

To add the authorization bearer header to all calls from Spring Boot depends on the sort of client, eg

HttpClient httpClient= new HttpClient()
httpClient.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", token);

Where the token is stored as a, probably static , variable somewhere.

In the server side you need a Filter that validates the token and marks the request as authorised - quite a bit of work - look here

Answer 2

Well, if you need to call another REST API, then you need to set up an http client. Since you use Spring Boot 3, WebClient is a default option, but the flow is the same for any client.

You basically store your token anywhere in memory, implement isExpired check and refresh logic.

class TokenStorage {
    private String token;

    void refreshToken() { 
        var newToken = ...;
        this.token = newToken;
    } 

    boolean isExpired() { ... }

    String getToken() { 
        return token;
    } 
}

And then setup your client with custom filter so that everytime you call API, it checks whether token is expired and refreshes it if so.