How to add passwordless authentication in Java with Spring Boot

Mihaita Tinta
Published in Javarevisited
9 min read · Sep 24, 2021


End users often have to prove their identity in your application. We usually create an account for them so we can link their data to it. Some of that data carries a higher risk if it is exposed, and sometimes users also authorize important operations on it.

https://www.freepik.com/free-vector/sign-concept-illustration_5423351.htm

How does authentication work?

We have an end user (a real person), a browser and a web application. Most of the time, the end user has to complete a login form with a username and a password. The browser sends the credentials to the web application in the HTTP request, either in the headers or in the request body.

Putting the password in the query parameters is a bad idea because proxies along the way may log it. After receiving and validating the credentials, the web application returns an authenticated session to the browser.

The HTTP response can contain a session ID in a cookie, or just a token. The important thing is that in future requests the end user doesn’t have to enter their credentials again: the browser attaches this extra information so the requests can be linked to the logged-in user.
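The exchange described above, as an added example that is not code from the original article: it uses the JDK's built-in `com.sun.net.httpserver` rather than Spring Boot so it runs without dependencies. The class name, the `/login` and `/me` paths, the `username:password` body format and the demo account are assumptions made for the illustration.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LoginFlowDemo {
    // Constructed demo account; a real application verifies a salted password hash instead.
    static final Map<String, String> USERS = Map.of("alice", "demo-password");
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>(); // session id -> username

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        server.createContext("/login", LoginFlowDemo::login);
        server.createContext("/me", LoginFlowDemo::me);
        server.start();
    }
    static void login(HttpExchange ex) throws IOException {
        // Anything in the URL can end up in proxy and access logs, so refuse credentials there.
        if (!"POST".equals(ex.getRequestMethod()) || ex.getRequestURI().getRawQuery() != null) {
            reply(ex, 400, "send credentials in the POST body\n"); return;
        }
        // Demo body format (assumed): username:password
        String[] cred = new String(ex.getRequestBody().readAllBytes(), StandardCharsets.UTF_8).trim().split(":", 2);
        if (cred.length != 2 || !cred[1].equals(USERS.get(cred[0]))) {
            reply(ex, 401, "invalid credentials\n"); return;
        }
        byte[] raw = new byte[32]; new SecureRandom().nextBytes(raw); // unguessable session id
        String sid = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        SESSIONS.put(sid, cred[0]);
        // Add "; Secure" once the application is served over HTTPS.
        ex.getResponseHeaders().add("Set-Cookie", "SESSION=" + sid + "; HttpOnly; SameSite=Strict; Path=/");
        reply(ex, 200, "logged in\n");
    }
    static void me(HttpExchange ex) throws IOException {
        // Later requests carry only the cookie (the demo assumes it is the only one), never the password.
        String cookie = ex.getRequestHeaders().getFirst("Cookie");
        String user = cookie != null && cookie.startsWith("SESSION=") ? SESSIONS.get(cookie.substring(8)) : null;
        reply(ex, user == null ? 401 : 200, user == null ? "not logged in\n" : "hello " + user + "\n");
    }
    static void reply(HttpExchange ex, int status, String body) throws IOException {
        byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
        ex.sendResponseHeaders(status, bytes.length);
        try (var os = ex.getResponseBody()) { os.write(bytes); }
    }
}
```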

This approach has worked since Basic Authentication first appeared, but over time we realized that having users memorize passwords can create different problems…
