I have found myself struggling with the right way to handle my problem. I have a simple spring boot api that authenticates a JWT token given in the header. This token is generated on the client side via Firebase Authentication.

@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    @Throws(java.lang.Exception::class)
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http.cors().and().csrf().disable();
        return http.authorizeHttpRequests { request ->
            request.antMatchers("/appauth/**").authenticated()
            request.and().oauth2ResourceServer().jwt()
        }.build()
    }
}

I have this simple security chain to validate upcoming tokens from the api. Everything seems to work so far.

But how should i handle api requests that needs the uid found in the token itself? Sounds bad pass down the header on every check that needs the uid. Then extract it from the token every time on every request. Seems like there should be a better way

@GetMapping(path = ["/projects"])
fun getProjects(): String {
    val user = someRepository.getUserByUid(uid)
    return user.projects
}

I do not want to pass the uid as a query parameter. Because that would be a huge security risk

CodePudding user response：

firebaser here

Most Firebase services work exactly as you described: the clients pass the ID token on every call or every connection (depending on the service), the service decodes those and keeps a cache of recent tokens and their decoded versions to prevent decoding the same token over and over. So that'd probably be a good approach for your own API service too.