How Spring Security 6.4’s One-Time Token Login Enhances Security and UX
Spring Security 6.4 introduces One-Time Token Login, allowing users to authenticate via a magic link sent by email instead of passwords; the article explains its core concepts, token lifecycle, essential components, and provides step‑by‑step code examples for configuring and implementing this secure, user‑friendly authentication method.
1. Overview
Spring Security 6.4 introduced a new login mechanism, One-Time Token Login. The user submits a username (usually an e-mail address), receives a single-use link by e-mail, and completes authentication by following it, so no password is stored, typed or reused. The gain in user experience is obvious; the security gain is real but conditional. The account becomes exactly as secure as the user's mailbox and the channel the link travels over, which is why the token has to be unguessable, single-use and short-lived.
For example, the mintlify documentation tool mentioned in the previous article uses this method by default.
1.1 Login Flow Diagram
1.2 Source Code Analysis
2. Core Concepts
2.1 One-Time Token
A temporary credential that is accepted exactly once: the store deletes it on the first successful consume, so a replayed link fails.
Carried to the user as the token request parameter of a URL (or pasted into the submit form as a plain string).
Short-lived. Spring Security's built-in InMemoryOneTimeTokenService and JdbcOneTimeTokenService expire tokens 5 minutes after issue; anything much longer than the time it takes to open an e-mail only widens the window in which a leaked or intercepted link is still valid.
2.2 Magic Link
A URL that carries the one-time token, for example https://your-domain.com/login/ott?token=....
Sent to the user by e-mail, by code you write in a OneTimeTokenGenerationSuccessHandler; Spring Security itself sends nothing.
Following it opens the submit page (GET /login/ott) with the token pre-filled; the POST that page makes is what actually authenticates. A mail scanner or link preview that merely fetches the URL therefore does not consume the token.
3. Implementation Principles
3.1 Authentication Process
Token generation: GenerateOneTimeTokenFilter handles POST /ott/generate (parameter username) and asks the OneTimeTokenService for a token. The built-in services use UUID.randomUUID(), a version 4 UUID drawn from SecureRandom (122 random bits), so the value cannot be guessed or enumerated.
Token storage: the service keeps the token value, the username and the expiry instant. Spring Security 6.4 ships InMemoryOneTimeTokenService (single JVM) and JdbcOneTimeTokenService (shared database); Redis or any other backend means implementing OneTimeTokenService yourself. Whatever the backend, every row in it is a live credential until it expires, so protect the store as you would a password table.
Email sending: after generation the framework calls your OneTimeTokenGenerationSuccessHandler, which builds the magic link, sends it (asynchronously if you wish) and normally redirects to a "check your inbox" page.
Token verification: OneTimeTokenAuthenticationFilter handles POST /login/ott (parameter token) and passes an OneTimeTokenAuthenticationToken to OneTimeTokenAuthenticationProvider, which calls OneTimeTokenService.consume(). A null result (unknown, already used or expired token) fails authentication; otherwise the username from the token is loaded through UserDetailsService.
Session establishment: on success the authenticated token is placed in the SecurityContext and, with the default session strategy, in the HTTP session, exactly as after a form login.
3.2 Core Components
GenerateOneTimeTokenFilter – serves POST /ott/generate, calls OneTimeTokenService.generate() and hands the result to the generation success handler.
OneTimeTokenService – generate() and consume(); InMemoryOneTimeTokenService and JdbcOneTimeTokenService are the provided implementations, both issuing tokens that expire after 5 minutes by default.
OneTimeTokenGenerationSuccessHandler – application code that delivers the magic link. The supplied RedirectOneTimeTokenGenerationSuccessHandler only redirects; the mailing part is yours to write, and the configurer refuses to build the filter chain if no handler is set.
OneTimeTokenAuthenticationFilter – serves POST /login/ott and wraps the submitted token in an OneTimeTokenAuthenticationToken.
OneTimeTokenAuthenticationProvider – consumes the token through the service and loads the user via UserDetailsService.
DefaultOneTimeTokenSubmitPageGeneratingFilter – renders the default GET /login/ott page that the magic link lands on, with the token pre-filled and a CSRF-protected submit button.
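The lifecycle in 3.1 and the OneTimeTokenService contract in 3.2 can be exercised without a running web application. The class below is an added example written for this article, not code from Spring Security or from the original post: a hypothetical HashedOneTimeTokenService that implements the real OneTimeTokenService interface but stores only a SHA-256 digest of each token, so a heap dump, database export or log line from the store cannot be turned into a working magic link (the built-in services keep the raw value). Its main() walks the lifecycle: issue, first use accepted, replay rejected, unused-but-expired token rejected. The class name, the https://example.test origin and the username are constructed for the example; the Spring Security 6.4 types it uses are the ones named in 3.2.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.ott.DefaultOneTimeToken;
import org.springframework.security.authentication.ott.GenerateOneTimeTokenRequest;
import org.springframework.security.authentication.ott.OneTimeToken;
import org.springframework.security.authentication.ott.OneTimeTokenAuthenticationToken;
import org.springframework.security.authentication.ott.OneTimeTokenService;

/** Hypothetical service for this article: same contract as InMemoryOneTimeTokenService, hashed at rest. */
public final class HashedOneTimeTokenService implements OneTimeTokenService {

    private final Map<String, OneTimeToken> byDigest = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration validity;
    private Clock clock;

    public HashedOneTimeTokenService(Duration validity, Clock clock) {
        this.validity = validity;
        this.clock = clock;
    }

    /** Test hook so expiry can be shown without sleeping (the built-in service has the same setter). */
    public void setClock(Clock clock) {
        this.clock = clock;
    }

    @Override
    public OneTimeToken generate(GenerateOneTimeTokenRequest request) {
        byte[] raw = new byte[32];                        // 256 random bits, more than a UUID's 122
        random.nextBytes(raw);
        String value = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Instant expiresAt = clock.instant().plus(validity);
        // Only the digest is stored; the raw value exists solely in the returned token (and the e-mail)
        String digest = digest(value);
        byDigest.put(digest, new DefaultOneTimeToken(digest, request.getUsername(), expiresAt));
        return new DefaultOneTimeToken(value, request.getUsername(), expiresAt);
    }

    @Override
    public OneTimeToken consume(OneTimeTokenAuthenticationToken authenticationToken) {
        // remove() is what makes the token single-use: a second presentation finds nothing
        OneTimeToken stored = byDigest.remove(digest(authenticationToken.getTokenValue()));
        if (stored == null || clock.instant().isAfter(stored.getExpiresAt())) {
            return null;                                  // unknown, replayed or expired: provider fails the login
        }
        return stored;                                    // provider only needs getUsername() from here on
    }

    private static String digest(String value) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Walks the lifecycle from section 3.1 on a fixed clock. */
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2024-11-01T10:00:00Z");           // constructed timestamp
        HashedOneTimeTokenService service =
                new HashedOneTimeTokenService(Duration.ofMinutes(5), Clock.fixed(t0, ZoneOffset.UTC));

        OneTimeToken issued = service.generate(new GenerateOneTimeTokenRequest("alice@example.com"));
        System.out.println("magic link   : https://example.test/login/ott?token=" + issued.getTokenValue());

        OneTimeToken first = service.consume(OneTimeTokenAuthenticationToken.unauthenticated(issued.getTokenValue()));
        System.out.println("first use    : " + (first != null ? "accepted for " + first.getUsername() : "rejected"));

        OneTimeToken replay = service.consume(OneTimeTokenAuthenticationToken.unauthenticated(issued.getTokenValue()));
        System.out.println("replayed use : " + (replay == null ? "rejected" : "ACCEPTED (bug)"));

        OneTimeToken unused = service.generate(new GenerateOneTimeTokenRequest("alice@example.com"));
        service.setClock(Clock.fixed(t0.plus(Duration.ofMinutes(6)), ZoneOffset.UTC));
        OneTimeToken late = service.consume(OneTimeTokenAuthenticationToken.unauthenticated(unused.getTokenValue()));
        System.out.println("after 6 min  : " + (late == null ? "rejected, expired" : "ACCEPTED (bug)"));
    }
}
```

Plugging this class in is a one-liner in the configuration (`.tokenService(new HashedOneTimeTokenService(Duration.ofMinutes(5), Clock.systemUTC()))`); OneTimeTokenAuthenticationProvider never reads the token value back after consume(), so returning the digest-valued stored token is safe. For more than one JVM, keep the same generate/consume shape but back the map with a database table keyed by the digest, as JdbcOneTimeTokenService does for raw values.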
4. Implementation Steps
4.1 Add Dependency
<code><dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency></code>
One-time token login needs Spring Security 6.4, which Spring Boot manages from 3.4.0 onward; on an older Boot parent you must raise the spring-security version explicitly or the oneTimeTokenLogin() method will not exist.
4.2 Configure One-Time Token Service
<code>import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ott.InMemoryOneTimeTokenService;
import org.springframework.security.authentication.ott.OneTimeTokenService;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
            OneTimeTokenGenerationSuccessHandler magicLinkHandler) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // /ott/generate (token request, "sent" page) and /login/ott (submit page + verification)
                .requestMatchers("/login/**", "/ott/**").permitAll()
                .anyRequest().authenticated()
            )
            .oneTimeTokenLogin(oneTime -> oneTime
                // generates and consumes tokens; built-in services expire them after 5 minutes
                .tokenService(tokenService())
                // required: invoked after generation, this is where the magic link gets e-mailed (4.3)
                .tokenGenerationSuccessHandler(magicLinkHandler)
            );
        return http.build();
    }

    @Bean
    public OneTimeTokenService tokenService() {
        // single JVM only; use JdbcOneTimeTokenService (or your own) when running several instances
        return new InMemoryOneTimeTokenService();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // still required: the token carries only a username, the provider loads the user from here
        return new InMemoryUserDetailsManager(User.withUsername("alice@example.com").password("{noop}unused").roles("USER").build());
    }
}
</code>
4.3 Implement Token Generation and Sending
<code>import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.ott.OneTimeToken;
import org.springframework.security.web.authentication.ott.OneTimeTokenGenerationSuccessHandler;
import org.springframework.security.web.authentication.ott.RedirectOneTimeTokenGenerationSuccessHandler;
import org.springframework.stereotype.Component;
import org.springframework.web.util.UriComponentsBuilder;

@Component
public class MagicLinkSender implements OneTimeTokenGenerationSuccessHandler {

    private final EmailService emailService; // the article's own mail abstraction, not a Spring class
    private final OneTimeTokenGenerationSuccessHandler redirect =
            new RedirectOneTimeTokenGenerationSuccessHandler("/ott/sent");

    public MagicLinkSender(EmailService emailService) {
        this.emailService = emailService;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response, OneTimeToken token)
            throws IOException, ServletException {
        // Fixed, configured origin. Never build the link from the request's Host header: an attacker who
        // requests a token for a victim with a forged Host would have the victim's link point at his domain.
        String loginLink = UriComponentsBuilder.fromUriString("https://your-domain.com/login/ott")
                .queryParam("token", token.getTokenValue()).toUriString();
        // In this setup the username submitted to /ott/generate is the user's e-mail address
        emailService.sendLoginLink(token.getUsername(), loginLink);
        // Same redirect whether or not the address belongs to a user; an unknown one only fails at consume time
        this.redirect.handle(request, response, token);
    }
}
</code>
5. Summary
Spring Security 6.4's one-time token login is a clean alternative to passwords, and the framework already covers the hard parts: unguessable token values, single use, expiry and a CSRF-protected submit step. What remains yours is the delivery side. Build the link from a configured origin rather than the request Host header, rate-limit /ott/generate so it cannot be used to flood inboxes, keep token values out of logs and analytics, and remember that this factor is only as strong as the user's mailbox, so pair it with a second factor or step-up authentication for sensitive actions.
Java Architecture Diary
Committed to sharing original, high‑quality technical articles; no fluff or promotional content.