
In Spring, to verify the user credentials, the 'authorization' header is used. Usually, the user name and password are encoded using some algorithm (commonly Base64) and passed in this header. But validating the user name and password comes under authentication, doesn't it? It means this 'authorization' header is not appropriate. It should have been called the 'authentication' header.

Read https://howtodoinjava.com/spring-boot2/security-rest-basic-auth-example/

Praveen Nvs

1 Answer

With OAuth the Authorization header is used to send a JSON Web Token (JWT).

This token is the result of an authentication process and holds the user's data like username, the issuer of the token and roles like admin. It should never contain sensitive data like a password. Furthermore, the token is signed by the issuer with an RSA key.

Spring uses this token for authorization. The signature is verified, so no one can claim roles by creating a fake token. The roles, e.g., can then be used to grant/deny access to certain methods.

This article shows an example application that might help you understand the concept: https://www.baeldung.com/rest-api-spring-oauth2-angular

Chris
  • In the article I shared, it does contain the password. Is it wrong to do that? – Praveen Nvs Apr 24 '20 at 10:06
  • It is not wrong, it is just not recommended to do so, because if anyone steals the token, the password can be read. With a website like www.jwt.io you can parse the token and read all the values. Here is a good answer to this specific question: https://stackoverflow.com/a/42652851/10020419 PS: please consider upvoting/accepting the answer if it was helpful. Thanks – Chris Apr 24 '20 at 11:00
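The flow the answer describes, as an added example that is neither from the post nor Spring's own code: a Go stand-in for the checks a resource server performs on a `Bearer` token taken from the Authorization header, with the RS256 signature verified before any claim is trusted and a role check done only on verified claims. The `Claims` type with its `roles` claim, and the names `Sign`, `Verify` and `Authorize`, are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"slices"
	"strings"
)

// Claims is the part of the JWT payload this example acts on (constructed here).
type Claims struct {
	Sub   string   `json:"sub"`
	Roles []string `json:"roles"`
}
var b64 = base64.RawURLEncoding // JWT segments are unpadded URL-safe Base64

// Sign issues an RS256 token: b64(header).b64(claims).b64(signature over both).
func Sign(c Claims, key *rsa.PrivateKey) (string, error) {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err // token is unusable when err != nil
}

// Verify checks the signature before any claim is trusted; the algorithm is pinned here, not read from the header.
func Verify(token string, pub *rsa.PublicKey) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, rsa.ErrVerification // malformed tokens are rejected like bad signatures
	}
	sig, _ := b64.DecodeString(parts[2]) // a bad encoding simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err
	}
	payload, _ := b64.DecodeString(parts[1]) // these bytes were covered by the signature
	return c, json.Unmarshal(payload, &c)
}

// Authorize takes the raw Authorization header value ("Bearer <jwt>") and grants access only for a verified role.
func Authorize(header, role string, pub *rsa.PublicKey) bool {
	token, ok := strings.CutPrefix(header, "Bearer ")
	c, err := Verify(token, pub)
	return ok && err == nil && slices.Contains(c.Roles, role)
}
```

Generate a key pair with `rsa.GenerateKey`, `Sign` a `Claims` value and pass `"Bearer "+token` to `Authorize`; because the signature covers the payload, editing the `roles` claim invalidates the token, which is why the answer says no one can claim roles with a fake token.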