Description
Expected Behavior
Spring Security provides out-of-the-box some infrastructure for simplifying API key authentication implementation.
The way I understand it, it works quite similar to how Basic Authorization works:
- there's a list of issued API keys stored as hashes in some database;
- these keys are associated with permissions, so the API key user (probably a program) is restricted in what it can do with this API key. Changing API key permissions becomes effective immediately;
- an API key can be revoked at any time. Revocation here means removing the API key, but it can be a similar mechanism;
- an API key can be temporary (i.e. limited lifetime) or permanent (it works until it's explicitly revoked);
- the user sends a request with the API key attached via some HTTP header, e.g. Authorization. The server receives the request, extracts the API key, searches for it in the database, checks that it's present and not expired and so on, and if it's ok, creates an Authentication with the API key permissions becoming its granted authorities;
- no sessions should ever be created for successful API key authentication.
Current Behavior
There's currently no support for this functionality (at least that I'm aware of after working with Spring Security, reading its sources and going over the list of GitHub issues).
Context
I was recently implementing something similar and wondered whether it could be added to Spring Security directly. While it does not look much harder than the Basic Authorization support implementation, it has some depth to it (e.g. hashing and constant-time hash comparison).
Also I haven't found any previous conversation about API key support, which is strange. Did I miss it somewhere?
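A sketch of the filter described under Expected Behavior, as an added example (not Spring Security's own code and not from this issue). It assumes Spring Security 6 with Jakarta Servlet on Java 17, a hypothetical "ApiKey" scheme in the Authorization header, and an in-memory list standing in for the table of hashed keys:

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.List;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/** Hypothetical filter: "Authorization: ApiKey <key>" becomes an Authentication carrying the key's permissions. */
public class ApiKeyAuthenticationFilter extends OncePerRequestFilter {
    /** One issued key as stored: SHA-256 of the key (never the key), owner, expiry (null = permanent), permissions. */
    public record IssuedKey(byte[] keyHash, String owner, Instant expiresAt, List<String> permissions) {}
    private final List<IssuedKey> issuedKeys; // stand-in for the database table of issued keys
    public ApiKeyAuthenticationFilter(List<IssuedKey> issuedKeys) { this.issuedKeys = issuedKeys; }

    public static byte[] sha256(String key) {
        try { return MessageDigest.getInstance("SHA-256").digest(key.getBytes(StandardCharsets.UTF_8)); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** Matching, unexpired record or null. Scans every record and compares digests in constant time. */
    public IssuedKey lookup(String presentedKey, Instant now) {
        byte[] digest = sha256(presentedKey);
        IssuedKey found = null;
        for (IssuedKey k : issuedKeys) {
            if (MessageDigest.isEqual(k.keyHash(), digest)) found = k; // no early exit, no String.equals
        }
        if (found == null || (found.expiresAt() != null && !now.isBefore(found.expiresAt()))) return null;
        return found; // revocation = deleting the row, so a revoked key simply never matches
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain) throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("ApiKey ")) {
            IssuedKey key = lookup(header.substring("ApiKey ".length()).trim(), Instant.now());
            if (key == null) { res.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
            List<GrantedAuthority> authorities = key.permissions().stream().<GrantedAuthority>map(SimpleGrantedAuthority::new).toList();
            // the 3-arg constructor yields an authenticated token; the key itself is not retained as credentials
            SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(key.owner(), null, authorities));
        }
        chain.doFilter(req, res);
    }
}
```

Register it with http.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class) and set sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) so a successful API key authentication never creates a session. Because a freshly generated API key is high-entropy random data, a fast digest such as SHA-256 is adequate for storage; the constant-time MessageDigest.isEqual is what keeps the comparison from leaking how many leading bytes matched.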