
API key authentication support #17563

@noavarice

Description

Expected Behavior
Spring Security provides some out-of-the-box infrastructure for simplifying the implementation of API key authentication.

The way I understand it, it works quite similar to how Basic Authorization works:

  • there's a list of issued API keys stored as hashes in some database;
  • these keys are associated with permissions, so the API key user (probably a program) is restricted in terms of what it can do with this API key. Changing API key permissions becomes effective immediately;
  • an API key can be revoked at any time. Revocation here means removing the API key, but it can be a similar mechanism;
  • an API key can be temporary (i.e. limited lifetime) or permanent (it works until it's explicitly revoked);
  • the user sends a request with the API key attached via some HTTP header, e.g. Authorization. The server receives the request, extracts the API key, searches for it in the database, checks if it's present and not expired and so on, and if it's OK, creates an Authentication with the API key permissions becoming its granted authorities;
  • no sessions should ever be created for successful API key authentication.

Current Behavior

There's currently no support for this functionality (at least that I'm aware of after working with Spring Security, reading its sources and going over the list of GitHub issues).

Context

I was recently implementing something similar and wondered whether it could be added to Spring Security directly. While it does not look much harder than the Basic Authorization support implementation, it has some depth to it (e.g. hashing and constant-time hash comparison).

Also I haven't found any previous conversation about API key support, which is strange. Did I miss it somewhere?
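The flow sketched in the issue (hashed key store, lookup, constant-time comparison, expiry, revocation, permissions becoming authorities, no session) as an added, language-neutral example; this is not Spring Security code and not the reporter's implementation. It assumes a key format of `<key id>.<secret>` sent as `Authorization: ApiKey ...`, an in-memory dict standing in for the database, and plain epoch seconds for timestamps so the example runs offline; all names (`ApiKeyAuthenticator`, `ApiKeyRecord`, `Authentication`) are invented for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Mapping, Optional


@dataclass
class ApiKeyRecord:
    """One issued key as the store sees it: hash only, never the secret (constructed stand-in for a DB row)."""
    secret_hash: bytes                   # SHA-256 of the secret part of the key
    permissions: set[str]                # become the granted authorities on success
    expires_at: Optional[float] = None   # epoch seconds; None means permanent until revoked
    revoked: bool = False


@dataclass(frozen=True)
class Authentication:
    """Result of a successful check; nothing here is tied to a session."""
    key_id: str
    authorities: frozenset[str]


class ApiKeyAuthenticator:
    HEADER = "Authorization"
    SCHEME = "ApiKey "

    def __init__(self) -> None:
        self._store: dict[str, ApiKeyRecord] = {}   # hypothetical in-memory "database"

    @staticmethod
    def _hash(secret: str) -> bytes:
        # API keys are high-entropy random strings, so an unsalted SHA-256 is
        # adequate for at-rest storage; passwords would instead need a slow, salted hash.
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def issue(self, permissions: Iterable[str], ttl_seconds: Optional[float] = None,
              now: Optional[float] = None) -> str:
        """Create a key, store only its hash, and return the plaintext exactly once."""
        now = time.time() if now is None else now
        key_id = secrets.token_urlsafe(8)
        secret = secrets.token_urlsafe(32)
        expires_at = now + ttl_seconds if ttl_seconds is not None else None
        self._store[key_id] = ApiKeyRecord(self._hash(secret), set(permissions), expires_at)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        self._store[key_id].revoked = True            # takes effect on the next request

    def set_permissions(self, key_id: str, permissions: Iterable[str]) -> None:
        self._store[key_id].permissions = set(permissions)   # also effective immediately

    def authenticate(self, headers: Mapping[str, str],
                     now: Optional[float] = None) -> Optional[Authentication]:
        """Extract the key from the header, validate it, and return an Authentication or None."""
        now = time.time() if now is None else now
        value = headers.get(self.HEADER, "")
        if not value.startswith(self.SCHEME):
            return None
        key_id, sep, secret = value[len(self.SCHEME):].partition(".")
        if not sep or not key_id or not secret:
            return None
        record = self._store.get(key_id)
        presented = self._hash(secret)   # hash even for unknown ids so both paths cost about the same
        if record is None:
            return None
        # Constant-time comparison of the stored and presented hashes.
        if not hmac.compare_digest(record.secret_hash, presented):
            return None
        if record.revoked:
            return None
        if record.expires_at is not None and now >= record.expires_at:
            return None
        return Authentication(key_id, frozenset(record.permissions))
```

In a servlet filter this would run once per request and place the returned `Authentication` in the security context without creating a session; the lookup is by key id, so the store never needs to search by plaintext and the hash comparison stays constant-time regardless of where the first differing byte is.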
