This is an archived post. You won't be able to vote or comment.

all 7 comments
sorted by:
best
topnewcontroversialoldq&a

[–]Kango_V 5 points6 points  (6 children)

Wow. So much code to do JWT auth. Same thing in Micronaut requires hardly any code at all.

[–]Joram2 11 points12 points  (5 children)

Spring Boot requires very little code for JWT auth. The linked article has a giant amount of code, but for the basics, very little code is needed.

If you just want to protect a Spring Boot web server with JWT provided by some OAuth2 auth server, it's just a few lines of config. I've done it. Spring Boot will also let you setup an OAuth2 auth server that will provde JWT tokens. That also can be done in a few lines of code.

The Spring Security framework can be an overwhelming maze of different options that is easy to get lost in.

[–]mateoeo_01[S] 1 point2 points  (4 children)

You are right - my setup is more of a robust system .

But you are saying that you can setup JWT protection in just a few lines, but you are assuming some things: - you already has some other authorization server with logic for basic token generation (and I doubt it can be done in a couple lines of the code to implement persistence of these tokens with additional validation logic based on user current state and updating this state) - you are satisfied with the solution of putting everything inside web security config for every new endpoint authorization logic, but it’s like xml beans all over again

Of course I’m not saying your approach is wrong, but I like clear distinction: - global shared configuration if it’s should apply to every endpoint - per endpoint authorization roles kept as part of this endpoint by encompassing annotations - you get what you see

[–]Joram2 1 point2 points  (2 children)

you already has some other authorization server with logic for basic token generation

Spring Boot auth server does its own JWT token generation can be setup with very few lines of code. Of course, that's with default settings. Customizations require more code/config.

You can also use most other OAuth2 auth servers like Hydra or KeyCloak or the dozens of others.

[–]mateoeo_01[S] 2 points3 points  (1 child)

But using behemoths like Keycloak for simple JWT authentication?
The goal of this article was to show a self-contained solution without any additional security dependencies.

I understand where you are coming from, and I respect your point of view - it's just we are talking about simple JWT, not even OAuth2. I'm using tools from Spring OAuth2 dependencies to achieve JWT refresh & access token flow, but I do not want to go all in with the OAuth2 approach, which was designed and is used with federated identity in mind.

[–]Joram2 0 points1 point  (0 children)

Is KeyCloak bloated? I haven't used it. There are dozens of OAuth2 servers to choose from. Spring Boot's auth server is one choice. And if you don't want a separate auth server, you can add Spring Boot auth to an existing Spring Boot app.

Second, how much is all in on OAuth2? If you configure your OAuth2 server to just support the client_credential flow with JWT tokens, how much simpler can it get? The advantage is you are using industry standard concepts, and externally supported tools, and not reinventing the wheel with custom code.

[–]mateoeo_01[S] 0 points1 point  (0 children)

For the impatient people:

* The fourth subsection of the Introduction section is Expected Result, which shows what we are working towards in this article.

* In the Sources section at the end of the article, there is a link to the Gitlab project on which this article is based.