There is a serviceA resource (a REST service), and it is called by serviceB.

ServiceA is protected by OAuth. In addition, some requests need to be protected with an OTP (one-time password), which is sent by SMS.

For example: there is a call to GET /api/user, and service A must not immediately return the JSON, but first send an SMS with a code and then check that the code is correct.

How should security for such a REST service be organized?

Spring is used.

  • Make a separate endpoint for getting the OTP, and do not let the request proceed without the appropriate header. - etki
  • Other services that use service A must not learn this code. - George
  • They will not; it will also be sent to the user's phone. - etki
  • As an option, write an interceptor handler for an authenticated user. - GenCloud

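One way to combine the two suggestions from the comments (a challenge step plus an interceptor for the already-authenticated user), as an added example that is not code from the question or the comments. It assumes Spring MVC with Spring Security (jakarta.servlet, i.e. Spring 6; use javax.servlet on Spring 5), a hypothetical `SmsSender` abstraction, and a hypothetical `X-OTP-Code` header; the code itself leaves the service only via SMS, so serviceB never sees it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.http.HttpServletRequest;   // javax.servlet.http on Spring 5
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.servlet.HandlerInterceptor;

/** Second factor for selected endpoints; the caller is already OAuth-authenticated. */
public class OtpStepUpInterceptor implements HandlerInterceptor {
    /** Pending challenge per user: only a hash of the code is kept in memory. */
    record Challenge(byte[] codeHash, Instant expiresAt, int attemptsLeft) {}
    public interface SmsSender { void send(String user, String text); } // assumed abstraction
    private final Map<String, Challenge> pending = new ConcurrentHashMap<>();
    private final SecureRandom rng = new SecureRandom();
    private final SmsSender sms;
    public OtpStepUpInterceptor(SmsSender sms) { this.sms = sms; }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler) throws Exception {
        String user = SecurityContextHolder.getContext().getAuthentication().getName();
        String code = req.getHeader("X-OTP-Code");                       // assumed header name
        if (code == null) {                                               // first call: challenge, no JSON yet
            // Production code should rate-limit challenge issuance per user to avoid SMS flooding.
            String fresh = String.format("%06d", rng.nextInt(1_000_000));
            pending.put(user, new Challenge(sha256(fresh), Instant.now().plus(Duration.ofMinutes(5)), 3));
            sms.send(user, "Your code: " + fresh);                        // code leaves only via SMS
            res.setHeader("WWW-Authenticate", "OTP");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "OTP sent, retry with X-OTP-Code");
            return false;
        }
        Challenge c = pending.get(user);
        if (c == null || c.expiresAt().isBefore(Instant.now()) || c.attemptsLeft() <= 0) {
            pending.remove(user);                                         // expired or exhausted: new challenge required
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "OTP expired");
            return false;
        }
        if (MessageDigest.isEqual(sha256(code), c.codeHash())) {          // constant-time comparison
            pending.remove(user);                                         // single use
            return true;                                                  // controller now returns the JSON
        }
        pending.put(user, new Challenge(c.codeHash(), c.expiresAt(), c.attemptsLeft() - 1));
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Wrong code");
        return false;
    }

    private static byte[] sha256(String s) throws Exception {
        return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
    }
}
```

Register it for the protected paths only, e.g. in a `WebMvcConfigurer` with `registry.addInterceptor(new OtpStepUpInterceptor(sms)).addPathPatterns("/api/user")`; the attempt limit and expiry, not the hash, are what make a six-digit code safe against guessing.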