Question
I have a special request from our client that I'll describe below, and I'm trying to find out the best fit for this kind of "strange" architecture.
So, it's about a mobile app (nativescript-angular) using Firebase to authenticate its users. The authentication is done both via OAuth2 (Facebook, Google, Apple) and the usual login (username/password). The problem here is that all the other application resources (list of cards, create card, list of providers, etc.) are provided by a set of RESTful end-points (Spring Boot), and the question is what is the best approach to secure the requests to these REST services.
The actual flow is as described below, but I'm not sure it is the most secure one.
1. The mobile end-user authenticates (e.g. Facebook) against Firebase and receives back the UID and the end-user's email address.
2. With the payload from step 1 (email, UID, first name, last name, etc.), in the callback of the authentication process (step 1), a REST call is made to the Spring Boot RESTful provider application server to REGISTER this new client.
3. After the new client is successfully REGISTERED, he will receive back a JWT that will be stored in the mobile local database or local storage.
4. From now on all the REST requests will be authorized using the JWT token, and that's it.
Please see the attached image describing graphically the current proposed solution.
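The four-step flow above, as an added example that is not code from the question, Spring Boot or Firebase: a stand-alone Python model of the exchange in which the registration endpoint derives UID and email from a verified Firebase ID token instead of trusting values posted by the app, then issues the backend's own JWT that every later REST call must present. The keys, the HS256 stand-in for Firebase's RS256 tokens, the `USERS` table and the card data are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
# Constructed keys. A real Firebase ID token is an RS256 JWT checked against
# Google's public keys (the Firebase Admin SDK does it); HS256 keeps this offline.
FIREBASE_KEY = b"constructed-firebase-signing-key"
API_KEY = b"constructed-spring-boot-jwt-key"
USERS = {}  # uid -> email: the backend's registered clients

def _b64(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims, key):
    head = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token, key, issuer):
    """Claims if signature, issuer and expiry all check out, else None."""
    try:
        head, body, sig = token.split(".")
        expect = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # wrong shape, bad base64 or bad JSON
        return None
    if claims.get("iss") != issuer or claims.get("exp", 0) < time.time():
        return None
    return claims

def firebase_sign_in(uid, email):
    """Step 1, standing in for Firebase: the app receives a signed ID token."""
    claims = {"iss": "firebase", "sub": uid, "email": email, "exp": time.time() + 3600}
    return sign_jwt(claims, FIREBASE_KEY)

def register(firebase_id_token):
    """Steps 2-3: trust only the verified Firebase token for uid/email; issue own JWT."""
    fb = verify_jwt(firebase_id_token, FIREBASE_KEY, "firebase")
    if fb is None:
        return None
    USERS[fb["sub"]] = fb["email"]
    return sign_jwt({"iss": "api", "sub": fb["sub"], "exp": time.time() + 900}, API_KEY)

def list_cards(authorization):
    """Step 4: every REST call presents the backend JWT as a bearer token."""
    scheme, _, token = authorization.partition(" ")
    claims = verify_jwt(token, API_KEY, "api") if scheme == "Bearer" else None
    if claims is None or claims["sub"] not in USERS:
        return None
    return ["card-1-of-" + claims["sub"]]
```

A bare UID or email in the registration request proves nothing about who sent it; only the Firebase-signed token does, so that is what the backend checks before minting its own credential.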
Source: https://stackoverflow.com/questions/62018509/strange-architecture-to-secure-the-restfull-services-spring-boot-authenticati