I have a number of applications reporting to a SpringBoot Admin application using SpringBoot Admin Client. One of our recent projects that's under construction is using a custom JWT/refresh token authentication flow and I want SpringBoot Admin to use that before hitting the actuator endpoints so I can secure those as well.
The flow works by sending credentials to /v1/auth/login, which will give the user a JWT token with expiration date and refresh token. The JWT is only valid for a short time after which it needs to be refreshed and is submitted with the request as a Bearer-token.
I found this thread which is somewhat related, but I need to be able to see which endpoint it's trying to access since not all of the applications use the same kind of authentication.
Is there some way I can configure it to add the Authorization header with the correct headers given a URL or client name that matches a certain pattern? Preferably as part of some component that could keep JWT/expiry/refresh token as part of its state, so I could refresh it when necessary.
Wouldn't it be enough to have some identifier of application (e.g. app name) and based on that differentiate the auth?
@Bean
public HttpHeadersProvider customHttpHeadersProvider(YourCustomProperties properties) {
    return instance -> {
        if (properties.getAppNames().contains(instance.getRegistration().getName())) {
            // do jwt stuff here
            return new HttpHeaders();
        } else {
            HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.add("X-CUSTOM", "My Custom Value");
            return httpHeaders;
        }
    };
}
Not sure what would be the best identifier to get from instance, but this could work.
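One way to fill in the "do jwt stuff here" branch with a component that keeps the JWT, its expiry and the refresh token as state, as an added example that is not part of the original answer. The `/v1/auth/refresh` path, the JSON field names (`username`, `password`, `token`, `refreshToken`, `expiresAt`) and the `authBaseUrl` setting are assumptions, since the page only names `/v1/auth/login`.

```java
import de.codecentric.boot.admin.server.domain.entities.Instance;
import de.codecentric.boot.admin.server.web.client.HttpHeadersProvider;
import java.time.Instant;
import java.util.Map;
import java.util.Set;
import org.springframework.http.HttpHeaders;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;

// Added example: sends a cached JWT only to the applications named in jwtApps.
public class JwtHeadersProvider implements HttpHeadersProvider {
    private static final long SKEW_SECONDS = 30;   // renew slightly before expiry
    private final RestTemplate rest = new RestTemplate();
    private final Set<String> jwtApps;
    private final String authBaseUrl, user, password; // fixed config, not taken from the registration
    private String jwt, refreshToken;               // held in memory only, never logged
    private Instant expiresAt = Instant.EPOCH;
    public JwtHeadersProvider(Set<String> jwtApps, String authBaseUrl, String user, String password) {
        this.jwtApps = jwtApps; this.authBaseUrl = authBaseUrl; this.user = user; this.password = password;
    }
    @Override
    public HttpHeaders getHeaders(Instance instance) {
        HttpHeaders headers = new HttpHeaders();
        if (jwtApps.contains(instance.getRegistration().getName())) {
            headers.setBearerAuth(currentToken());  // other applications never receive the token
        }
        return headers;
    }
    // synchronized: concurrent actuator calls share a single login/refresh round trip
    private synchronized String currentToken() {
        if (Instant.now().plusSeconds(SKEW_SECONDS).isBefore(expiresAt)) return jwt;
        Map<?, ?> body = null;
        if (refreshToken != null) {
            try {                                   // hypothetical refresh endpoint and payload
                body = rest.postForObject(authBaseUrl + "/v1/auth/refresh",
                        Map.of("refreshToken", refreshToken), Map.class);
            } catch (RestClientException e) {
                refreshToken = null;                // refresh rejected: fall back to a full login
            }
        }
        if (body == null) {                         // hypothetical login payload field names
            body = rest.postForObject(authBaseUrl + "/v1/auth/login",
                    Map.of("username", user, "password", password), Map.class);
        }
        jwt = (String) body.get("token");
        refreshToken = (String) body.get("refreshToken");
        expiresAt = Instant.parse((String) body.get("expiresAt")); // assumes an ISO-8601 timestamp
        return jwt;
    }
}
```

Expose it as a bean the same way as the lambda in the answer. The application name is reported by the client at registration, so the registration endpoint needs its own protection; otherwise anything that registers under a listed name is sent the bearer token.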