DEV Community: Raviteja Daggupati The latest articles on DEV Community by Raviteja Daggupati (@ravitejadaggupati). https://dev.to/ravitejadaggupati https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2436910%2F72734366-da56-4590-8e5d-3ce30a21ff4e.JPG DEV Community: Raviteja Daggupati https://dev.to/ravitejadaggupati en Implementing One-Time Token Authentication with Spring Security Raviteja Daggupati Mon, 18 Nov 2024 20:24:02 +0000 https://dev.to/ravitejadaggupati/implementing-one-time-token-authentication-with-spring-security-1fpg https://dev.to/ravitejadaggupati/implementing-one-time-token-authentication-with-spring-security-1fpg <p>In today's digital landscape, providing secure and user-friendly authentication methods is crucial. One such method gaining popularity is One-Time Token (OTT) authentication, often implemented as "magic links" sent via email. Spring Security 6.4.0 provides robust built-in support for OTT authentication, including ready-to-use implementations. In this comprehensive guide, we'll explore how to implement secure OTT authentication using both built-in solutions and custom implementations.</p> <h2> Understanding One-Time Tokens vs. One-Time Passwords </h2> <p>Before diving into implementation, it's important to understand that One-Time Tokens (OTT) differ from One-Time Passwords (OTP). While OTP systems typically require initial setup and rely on external tools for password generation, OTT systems are simpler from a user perspective - they receive a unique token (usually via email) that they can use to authenticate.</p> <p>Key differences include:</p> <ul> <li>OTT doesn't require initial user setup</li> <li>Tokens are generated and delivered by your application</li> <li>Each token is typically valid for a single use and expires after a set time</li> </ul> <h2> Available Built-in Implementations </h2> <p>Spring Security provides two implementations of <code>OneTimeTokenService</code>:</p> <ol> <li> <p><strong>InMemoryOneTimeTokenService</strong>:</p> <ul> <li>Stores tokens in memory</li> <li>Ideal for development and testing</li> <li>Not suitable for production or clustered environments</li> <li>Tokens are lost on application restart</li> </ul> </li> <li> <p><strong>JdbcOneTimeTokenService</strong>:</p> <ul> <li>Stores tokens in a database</li> <li>Suitable for production use</li> <li>Works in clustered environments</li> <li>Persistent storage with automatic cleanup</li> </ul> </li> </ol> <h3> Using InMemoryOneTimeTokenService </h3> <p>Here's how to implement the simpler in-memory solution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/login/**"</span><span class="o">,</span> <span class="s">"/ott/**"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">oneTimeTokenLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="c1">// Uses InMemoryOneTimeTokenService by default</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h3> Using JdbcOneTimeTokenService </h3> <p>For production environments, use the JDBC implementation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="nc">JdbcTemplate</span> <span class="n">jdbcTemplate</span><span class="o">;</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">OneTimeTokenService</span> <span class="nf">oneTimeTokenService</span><span class="o">()</span> <span class="o">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">JdbcOneTimeTokenService</span><span class="o">(</span><span class="n">jdbcTemplate</span><span class="o">);</span> <span class="o">}</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">authorizeHttpRequests</span><span class="o">(</span><span class="n">auth</span> <span class="o">-&gt;</span> <span class="n">auth</span> <span class="o">.</span><span class="na">requestMatchers</span><span class="o">(</span><span class="s">"/login/**"</span><span class="o">,</span> <span class="s">"/ott/**"</span><span class="o">).</span><span class="na">permitAll</span><span class="o">()</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">)</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">oneTimeTokenLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">());</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>Required table structure for JdbcOneTimeTokenService:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="k">TABLE</span> <span class="n">one_time_tokens</span> <span class="p">(</span> <span class="n">token_value</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">PRIMARY</span> <span class="k">KEY</span><span class="p">,</span> <span class="n">username</span> <span class="nb">VARCHAR</span><span class="p">(</span><span class="mi">255</span><span class="p">)</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">issued_at</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">expires_at</span> <span class="nb">TIMESTAMP</span> <span class="k">NOT</span> <span class="k">NULL</span><span class="p">,</span> <span class="n">used</span> <span class="nb">BOOLEAN</span> <span class="k">NOT</span> <span class="k">NULL</span> <span class="p">);</span> </code></pre> </div> <h2> Custom Implementation </h2> <p>For more control over the token generation and validation process, you can create a custom implementation:</p> <h3> 1. Token Entity and Repository </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Entity</span> <span class="nd">@Table</span><span class="o">(</span><span class="n">name</span> <span class="o">=</span> <span class="s">"one_time_tokens"</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">OneTimeToken</span> <span class="o">{</span> <span class="nd">@Id</span> <span class="nd">@GeneratedValue</span> <span class="kd">private</span> <span class="nc">Long</span> <span class="n">id</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">tokenValue</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">String</span> <span class="n">username</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">LocalDateTime</span> <span class="n">createdAt</span><span class="o">;</span> <span class="kd">private</span> <span class="nc">LocalDateTime</span> <span class="n">expiresAt</span><span class="o">;</span> <span class="kd">private</span> <span class="kt">boolean</span> <span class="n">used</span><span class="o">;</span> <span class="c1">// Getters and setters omitted for brevity</span> <span class="o">}</span> <span class="nd">@Repository</span> <span class="kd">public</span> <span class="kd">interface</span> <span class="nc">OneTimeTokenRepository</span> <span class="kd">extends</span> <span class="nc">JpaRepository</span><span class="o">&lt;</span><span class="nc">OneTimeToken</span><span class="o">,</span> <span class="nc">Long</span><span class="o">&gt;</span> <span class="o">{</span> <span class="nc">Optional</span><span class="o">&lt;</span><span class="nc">OneTimeToken</span><span class="o">&gt;</span> <span class="nf">findByTokenValueAndUsedFalse</span><span class="o">(</span><span class="nc">String</span> <span class="n">tokenValue</span><span class="o">);</span> <span class="kt">void</span> <span class="nf">deleteByExpiresAtBefore</span><span class="o">(</span><span class="nc">LocalDateTime</span> <span class="n">dateTime</span><span class="o">);</span> <span class="o">}</span> </code></pre> </div> <h3> 2. Custom Token Service </h3> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Service</span> <span class="nd">@Transactional</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">PersistentOneTimeTokenService</span> <span class="kd">implements</span> <span class="nc">OneTimeTokenService</span> <span class="o">{</span> <span class="kd">private</span> <span class="kd">static</span> <span class="kd">final</span> <span class="kt">int</span> <span class="no">TOKEN_VALIDITY_MINUTES</span> <span class="o">=</span> <span class="mi">15</span><span class="o">;</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">OneTimeTokenRepository</span> <span class="n">tokenRepository</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">OneTimeToken</span> <span class="nf">generate</span><span class="o">(</span><span class="nc">GenerateOneTimeTokenRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">tokenValue</span> <span class="o">=</span> <span class="no">UUID</span><span class="o">.</span><span class="na">randomUUID</span><span class="o">().</span><span class="na">toString</span><span class="o">();</span> <span class="nc">LocalDateTime</span> <span class="n">now</span> <span class="o">=</span> <span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">();</span> <span class="nc">OneTimeToken</span> <span class="n">token</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">OneTimeToken</span><span class="o">();</span> <span class="n">token</span><span class="o">.</span><span class="na">setTokenValue</span><span class="o">(</span><span class="n">tokenValue</span><span class="o">);</span> <span class="n">token</span><span class="o">.</span><span class="na">setUsername</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getUsername</span><span class="o">());</span> <span class="n">token</span><span class="o">.</span><span class="na">setCreatedAt</span><span class="o">(</span><span class="n">now</span><span class="o">);</span> <span class="n">token</span><span class="o">.</span><span class="na">setExpiresAt</span><span class="o">(</span><span class="n">now</span><span class="o">.</span><span class="na">plusMinutes</span><span class="o">(</span><span class="no">TOKEN_VALIDITY_MINUTES</span><span class="o">));</span> <span class="n">token</span><span class="o">.</span><span class="na">setUsed</span><span class="o">(</span><span class="kc">false</span><span class="o">);</span> <span class="k">return</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">DefaultOneTimeToken</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getTokenValue</span><span class="o">(),</span><span class="n">token</span><span class="o">.</span><span class="na">getUsername</span><span class="o">(),</span> <span class="nc">Instant</span><span class="o">.</span><span class="na">now</span><span class="o">());</span> <span class="o">}</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="nc">Authentication</span> <span class="nf">consume</span><span class="o">(</span><span class="nc">ConsumeOneTimeTokenRequest</span> <span class="n">request</span><span class="o">)</span> <span class="o">{</span> <span class="nc">OneTimeToken</span> <span class="n">token</span> <span class="o">=</span> <span class="n">tokenRepository</span><span class="o">.</span><span class="na">findByTokenValueAndUsedFalse</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getTokenValue</span><span class="o">())</span> <span class="o">.</span><span class="na">orElseThrow</span><span class="o">(()</span> <span class="o">-&gt;</span> <span class="k">new</span> <span class="nc">BadCredentialsException</span><span class="o">(</span><span class="s">"Invalid or expired token"</span><span class="o">));</span> <span class="k">if</span> <span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getExpiresAt</span><span class="o">().</span><span class="na">isBefore</span><span class="o">(</span><span class="nc">LocalDateTime</span><span class="o">.</span><span class="na">now</span><span class="o">()))</span> <span class="o">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">BadCredentialsException</span><span class="o">(</span><span class="s">"Token has expired"</span><span class="o">);</span> <span class="o">}</span> <span class="n">token</span><span class="o">.</span><span class="na">setUsed</span><span class="o">(</span><span class="kc">true</span><span class="o">);</span> <span class="n">tokenRepository</span><span class="o">.</span><span class="na">save</span><span class="o">(</span><span class="n">token</span><span class="o">);</span> <span class="nc">UserDetails</span> <span class="n">userDetails</span> <span class="o">=</span> <span class="n">loadUserByUsername</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getUsername</span><span class="o">());</span> <span class="k">return</span> <span class="k">new</span> <span class="nf">UsernamePasswordAuthenticationToken</span><span class="o">(</span> <span class="n">userDetails</span><span class="o">,</span> <span class="kc">null</span><span class="o">,</span> <span class="n">userDetails</span><span class="o">.</span><span class="na">getAuthorities</span><span class="o">());</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Implementing Token Delivery </h2> <p>Spring Security doesn't handle token delivery, so you'll need to implement it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Component</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">EmailMagicLinkHandler</span> <span class="kd">implements</span> <span class="nc">OneTimeTokenGenerationSuccessHandler</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">JavaMailSender</span> <span class="n">mailSender</span><span class="o">;</span> <span class="kd">private</span> <span class="kd">final</span> <span class="nc">OneTimeTokenGenerationSuccessHandler</span> <span class="n">redirectHandler</span> <span class="o">=</span> <span class="k">new</span> <span class="nf">RedirectOneTimeTokenGenerationSuccessHandler</span><span class="o">(</span><span class="s">"/ott/check-email"</span><span class="o">);</span> <span class="nd">@Override</span> <span class="kd">public</span> <span class="kt">void</span> <span class="nf">handle</span><span class="o">(</span><span class="nc">HttpServletRequest</span> <span class="n">request</span><span class="o">,</span> <span class="nc">HttpServletResponse</span> <span class="n">response</span><span class="o">,</span> <span class="nc">OneTimeToken</span> <span class="n">token</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">IOException</span><span class="o">,</span> <span class="nc">ServletException</span> <span class="o">{</span> <span class="nc">String</span> <span class="n">magicLink</span> <span class="o">=</span> <span class="nc">UriComponentsBuilder</span><span class="o">.</span><span class="na">fromHttpUrl</span><span class="o">(</span><span class="nc">UrlUtils</span><span class="o">.</span><span class="na">buildFullRequestUrl</span><span class="o">(</span><span class="n">request</span><span class="o">))</span> <span class="o">.</span><span class="na">replacePath</span><span class="o">(</span><span class="n">request</span><span class="o">.</span><span class="na">getContextPath</span><span class="o">())</span> <span class="o">.</span><span class="na">replaceQuery</span><span class="o">(</span><span class="kc">null</span><span class="o">)</span> <span class="o">.</span><span class="na">fragment</span><span class="o">(</span><span class="kc">null</span><span class="o">)</span> <span class="o">.</span><span class="na">path</span><span class="o">(</span><span class="s">"/login/ott"</span><span class="o">)</span> <span class="o">.</span><span class="na">queryParam</span><span class="o">(</span><span class="s">"token"</span><span class="o">,</span> <span class="n">token</span><span class="o">.</span><span class="na">getTokenValue</span><span class="o">())</span> <span class="o">.</span><span class="na">toUriString</span><span class="o">();</span> <span class="nc">SimpleMailMessage</span> <span class="n">message</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SimpleMailMessage</span><span class="o">();</span> <span class="n">message</span><span class="o">.</span><span class="na">setTo</span><span class="o">(</span><span class="n">getUserEmail</span><span class="o">(</span><span class="n">token</span><span class="o">.</span><span class="na">getUsername</span><span class="o">()));</span> <span class="n">message</span><span class="o">.</span><span class="na">setSubject</span><span class="o">(</span><span class="s">"Your Sign-in Link"</span><span class="o">);</span> <span class="n">message</span><span class="o">.</span><span class="na">setText</span><span class="o">(</span><span class="s">"Click here to sign in: "</span> <span class="o">+</span> <span class="n">magicLink</span><span class="o">);</span> <span class="n">mailSender</span><span class="o">.</span><span class="na">send</span><span class="o">(</span><span class="n">message</span><span class="o">);</span> <span class="n">redirectHandler</span><span class="o">.</span><span class="na">handle</span><span class="o">(</span><span class="n">request</span><span class="o">,</span> <span class="n">response</span><span class="o">,</span> <span class="n">token</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Customizing URLs and Pages </h2> <p>Spring Security provides several customization options:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@Configuration</span> <span class="nd">@EnableWebSecurity</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">SecurityConfig</span> <span class="o">{</span> <span class="nd">@Bean</span> <span class="kd">public</span> <span class="nc">SecurityFilterChain</span> <span class="nf">filterChain</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">formLogin</span><span class="o">(</span><span class="nc">Customizer</span><span class="o">.</span><span class="na">withDefaults</span><span class="o">())</span> <span class="o">.</span><span class="na">oneTimeTokenLogin</span><span class="o">(</span><span class="n">ott</span> <span class="o">-&gt;</span> <span class="n">ott</span> <span class="o">.</span><span class="na">generateTokenUrl</span><span class="o">(</span><span class="s">"/custom/generate-token"</span><span class="o">)</span> <span class="c1">// Custom token generation URL</span> <span class="o">.</span><span class="na">submitPageUrl</span><span class="o">(</span><span class="s">"/custom/submit-token"</span><span class="o">)</span> <span class="c1">// Custom token submission page</span> <span class="o">.</span><span class="na">showDefaultSubmitPage</span><span class="o">(</span><span class="kc">false</span><span class="o">)</span> <span class="c1">// Disable default submit page</span> <span class="o">);</span> <span class="k">return</span> <span class="n">http</span><span class="o">.</span><span class="na">build</span><span class="o">();</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <h2> Production Considerations </h2> <p>When deploying OTT authentication in production:</p> <ol> <li> <p><strong>Choose the Right Implementation</strong></p> <ul> <li>Use JdbcOneTimeTokenService or custom implementation for production</li> <li>InMemoryOneTimeTokenService should only be used for development/testing</li> </ul> </li> <li><p><strong>Configure Email Delivery</strong><br> </p></li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code> <span class="py">spring.mail.host</span><span class="p">=</span><span class="s">smtp.your-provider.com</span> <span class="py">spring.mail.port</span><span class="p">=</span><span class="s">587</span> <span class="py">spring.mail.username</span><span class="p">=</span><span class="s">your-username</span> <span class="py">spring.mail.password</span><span class="p">=</span><span class="s">your-password</span> <span class="py">spring.mail.properties.mail.smtp.auth</span><span class="p">=</span><span class="s">true</span> <span class="py">spring.mail.properties.mail.smtp.starttls.enable</span><span class="p">=</span><span class="s">true</span> </code></pre> </div> <ol> <li> <strong>Security Best Practices</strong> <ul> <li>Set appropriate token expiration times (15 minutes recommended)</li> <li>Implement rate limiting for token generation</li> <li>Use HTTPS for all endpoints</li> <li>Monitor failed authentication attempts</li> <li>Ensure tokens are single-use and invalidated immediately after use</li> <li>Implement automatic cleanup of expired tokens</li> <li>Use secure random token generation to prevent guessing</li> </ul> </li> </ol> <h2> How It Works </h2> <ol> <li>User requests a token by submitting their email address</li> <li>System generates a secure token and sends a magic link via email</li> <li>User clicks the link and is redirected to the token submission page</li> <li>System validates the token and authenticates the user if valid</li> </ol> <h2> Conclusion </h2> <p>Spring Security's OTT support provides a robust foundation for implementing secure, user-friendly authentication. Whether you choose the built-in implementations or create a custom solution, you can offer your users a passwordless login option while maintaining high security standards.</p> <p>When implementing OTT authentication, remember to:</p> <ul> <li>Choose the appropriate implementation for your environment</li> <li>Implement secure token delivery</li> <li>Configure proper token expiration</li> <li>Follow security best practices</li> <li>Create user-friendly error handling and redirects</li> <li>Implement proper email templating for a professional look</li> </ul> <p>By following this guide, you can implement a secure and user-friendly OTT authentication system that meets your application's needs while leveraging Spring Security's robust security features.</p> <p>Reference: <a href="https://docs.spring.io/spring-security/reference/servlet/authentication/onetimetoken.html" rel="noopener noreferrer">https://docs.spring.io/spring-security/reference/servlet/authentication/onetimetoken.html</a></p> springboot springsecurity java authentication