User Login Flow

[Dynavy]

Authentication Flow and JWT Generation in an API

In an authentication application, the flow to authenticate a user and generate a JWT for future requests follows these steps:

1. Request from the Frontend:

   The frontend makes a POST request to the AuthController sending the username and password as part of the request body. This information is received in the backend as a DTO called UserLoginRequest.

2. Initial Validation (DTO and BindingResult):

   The controller uses the @Valid annotation along with BindingResult to validate the UserLoginRequest. If there are validation errors (e.g., empty fields), a response with a 400 error and an appropriate message is returned. If there are no errors, the flow continues with the user authentication.

3. Authentication in the AuthenticationService:

   The AuthenticationService handles the authentication:

   • It creates a UsernamePasswordAuthenticationToken using the provided username and password.

   • This token is passed to the AuthenticationManager.

   • The AuthenticationManager is typically defined as a @Bean in the SecurityConfig or similar configuration class. It already has built-in methods to handle authentication automatically. It uses the UserDetailsServiceImpl to query the UserRepository and validate the user credentials.

   • If the user is found, the AuthenticationManager validates the password using the passwordEncoder. If the validation is successful, authentication is considered successful.

4. JWT Generation:

   Once authentication is successful, the JwtService is responsible for generating the JWT. It is important to note that tokens should be generated in the respective services and not in the controllers.

   • The JwtService creates the token, signs it with a secret key, and sets an expiration date.

   • This JWT is wrapped in a DTO called JwtResponse, which organizes the response and contains relevant information such as the token and its validity duration.

5. Response from the Endpoint (AuthController):

   Finally, the AuthController returns the JwtResponse to the frontend. The frontend can store this token (e.g., in localStorage or as a cookie) and use it to authenticate future requests to the backend. It is important to mention that backend responses, such as the JwtResponse in this case, should always be returned as JSON to maintain an organized and easy-to-consume structure.

Mermaid Diagram:

[Dynavy]

Login flow 07/03/2025
@poksyy @krschan

[poksyy]

WOW I like AuthenticationManager layer. Thanks for the info @Dynavy ! 🤙

[krschan]

https://www.youtube.com/watch?v=3WAOxKOmR90