Add support for One-Time Token Authentication

[marcusdacoregio]

Run ./gradlew publishToMavenLocal and try the Magic Link sample: https://github.com/marcusdacoregio/passwordless-spring-security

[sjohnr]

@marcusdacoregio this looks great! I had a few minor comments for your consideration.

[jzheaux]

This is so cool, @marcusdacoregio! I've left my feedback inline.

[jzheaux]

I wonder if this would benefit from a more complete example, given that they will need to allow /my-ott-submit in authorizeHttpRequests. Also, a statement that this doesn't change the POST location.

[jzheaux]

I'd probably call this generateSubmitPage or maybe showGeneratedSubmitPage (or showDefaultSubmitPage)

[jzheaux]

I think this could benefit from being called authenticationRequestUrl since it's conceptually similar to OAuth and SAML RP-initiated flows.

[jzheaux]

Also, it feels odd to me that we'd depart from referring to this as an "authentication request", but then not depart from "loginProcessingUrl". Either they should both be contextual to this auth mechanism (generateTokenUrl and tokenProcessingUrl) or they should both align with other auth mechs (authenticationRequestUrl and loginProcessingUrl).

[rwinch]

I'd prefer to use naming that matches OTT rather than borrowing from other stack's terminology. The URL is not an authentication request. It requests generating a OTT and maps to OneTimeTokenService.generate, so I prefer this name.

[jzheaux]

In that case, I think the PR would improve by consistently avoid referring to it as an authentication request. Some examples are:

• https://github.com/spring-projects/spring-security/pull/15492/files#diff-1f0c1f3e21d89097244c3e1d1d6fda15448f2ca10f53081f9ef8273321e60dbdR75
• https://github.com/spring-projects/spring-security/pull/15492/files#diff-0b1250656907699f84f5b819dbcd30e0e57fb930de8229a312ef63da9384b907R148
• https://github.com/spring-projects/spring-security/pull/15492/files#diff-59ed948eb5454b069306a935d9612e90ba45a32bec4df90eb2f2f08771f73707R69
• https://github.com/spring-projects/spring-security/pull/15492/files#diff-59ed948eb5454b069306a935d9612e90ba45a32bec4df90eb2f2f08771f73707R94
• https://github.com/spring-projects/spring-security/pull/15492/files#diff-fb7008c7001c4e4909c65029da8c59d1012cbdd08ea44dd0d514d85e99031a5eR161

Most of these are minor cleanups except for the last one, and so I've bolded it.

I think the conversation about using OTT terminology for loginProcessingUrl is still a good one to have.

[rwinch]

I'd prefer to use naming that matches OTT rather than borrowing from other stack's terminology. The URL is not an authentication request. It requests generating a OTT and maps to OneTimeTokenService.generate, so I prefer this name.

[rwinch]

I'm not sure how useful this is since nothing is done with the OneTimeToken. How would the user receive the token to consume it?

Perhaps a more useful implementation would be to set the OneTimeToken on a request attribute and then forward to a new URL. We could provide Spring MVC argument resolver to resolve the token to simplify processing this in Spring. I think all of this could be done in a future iteration.

[marcusdacoregio]

I'm not sure about a forward tho. If we forward from POST /ott/generate to /login/ott it will be a POST request, not a GET, I'm not sure how useful that is. Maybe the default implementation could store the OneTimeToken in the session and then redirect to the location.

[rwinch]

I think that the location that receives OTT would be in charge of doing something with it (e.g. sending it in an email, sending in a text message, placing it in session, etc) and then it would redirect to a new URL for the success page.

I'd like to reiterate that this can be done in a future iteration and does not need to be done now.

[marcusdacoregio]

Sure, we can continue the discussion on #15697

[rwinch]

Like the corresponding interface, I'm not sure that this is needed today.