There is a need to do authentication via Spring Security not with classic tokens, but using a zero-knowledge protocol, for example Feige-Fiat-Shamir. Can this be done?

PS: In essence, the question boils down to whether authentication can be made interactive, i.e. not just sending a token, but a repeated mutual exchange of information, with the decision on whether the user can be authenticated based on its results.

1 answer

At the lower level in Spring, ordinary authentication is implemented with simple hardcoded logic: the request is checked for the accessToken parameter or the Authentication header beginning with the Bearer string, after which the token is pulled from the user info database, after which it is written into Spring's security context, which is an ordinary Singleton.

Therefore, I think, the answer to your question is simple: it cannot be done with standard means. If you need something even minimally different from the simple standards, you need to implement all operations manually, i.e. write the logic of data exchange between the client and server yourself in the form you need, whether it is a chain of HTTP requests or data exchange through sockets.

• Suppose, is it possible to do this in the form of a REST service that will change the security context? Say, tie it to a Bean which will keep the state and remember how many iterations have been done. - Kiryl Aleksandrovich
• @Bulbum, as I understand it, yes, you can. True, if there are several requests and not one, then you will need to store the identification of the various client requests somewhere, i.e. that this is the second step of user A and this is the third step of user B. Say, some intermediate tokens are stored in the database and sent to the client, so that in the next requests you can understand which step of which user this is. - Yuriy SPb
• This is a very pertinent remark. I will consider it, thanks. - Kiryl Aleksandrovich
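Added example, not from the question, the answer or Spring itself: the Feige-Fiat-Shamir exchange the question asks about, in Python, with the server keeping per-login state under an opaque session token as the comments suggest. Assumptions: a constructed toy modulus N, K secrets and T rounds, the ± sign refinement of the original scheme left out, and Verifier.challenge/verify standing in for the two endpoints a hand-written Spring filter or REST controller would expose.

```python
import math, secrets

N = 1000003 * 1000033  # constructed toy modulus; a real deployment uses ~2048-bit n = p*q, p and q discarded
K, T = 4, 8  # secrets per user, rounds per login; an impostor passes with probability 2^-(K*T)

def keygen(n=N, k=K):
    """Registration: client keeps k secrets s_i coprime to n, server stores v_i = (s_i^2)^-1 mod n."""
    s = []
    while len(s) < k:
        c = secrets.randbelow(n - 2) + 2
        if math.gcd(c, n) == 1:
            s.append(c)
    return s, [pow(si * si % n, -1, n) for si in s]
def mulsel(acc, xs, bits):  # acc * prod(x_i ^ e_i) mod N for challenge bits e_i
    for xi, ei in zip(xs, bits):
        acc = acc * xi % N if ei else acc
    return acc
def commit():  # client, round step 1: pick a fresh random r, send x = r^2 mod n
    r = secrets.randbelow(N - 2) + 2
    return r, r * r % N
def respond(s, r, bits):  # client, round step 3: send y = r * prod(s_i^e_i) mod n
    return mulsel(r, s, bits)

class Verifier:  # server side: public keys per user plus in-flight logins keyed by a session token
    def __init__(self, pubkeys):
        self.pub, self.sessions = pubkeys, {}  # token -> [user, x, bits, rounds_passed]
    def challenge(self, user, x, token=None):  # round step 2: store x, return token and k random bits
        sess = self.sessions.pop(token, None)
        if sess is None or sess[0] != user:  # unknown token or user switch: start a fresh session
            token, sess = secrets.token_hex(16), [user, None, None, 0]
        bits = [secrets.randbelow(2) for _ in range(K)]
        self.sessions[token] = [user, x, bits, sess[3]]
        return token, bits
    def verify(self, token, y):  # round step 4: True = authenticated, None = next round, False = reject
        sess = self.sessions.pop(token, None)
        if sess is None or sess[1] is None:
            return False  # no round open for this token
        user, x, bits, done = sess
        ok = mulsel(y * y % N, self.pub[user], bits) == x  # y^2 * prod(v_i^e_i) == r^2 ?
        if ok and done + 1 < T:
            self.sessions[token] = [user, None, None, done + 1]
            return None  # round passed, but more rounds are needed before trusting the client
        return ok  # True after T good rounds; one bad answer drops the whole session
def login(s, server, user):  # runs the T-round exchange as a chain of request/response pairs
    token, result = None, None
    while result is None:
        r, x = commit()
        token, bits = server.challenge(user, x, token)
        result = server.verify(token, respond(s, r, bits))
    return result
```

Each round's commitment, challenge bits and round counter live only on the server under the token, so a client cannot skip rounds, replay an old answer, or carry rounds passed as one user over to another.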