Sorry if throwing a bit of wrench in your way but in general nowadays OAuth2.0 bearer token based authentication with API’s is the preferred way to do things.

This way you don’t have to send the username/password to the site, just the JWT token signed by the identity provider. It is of course depending on the case, but usually frameworks support OAuth quite easily, and you don’t have to worry about storing the credentials yourself.

I think using AuthenticationProvider is a bit overkill. I usually make a AuthenticationManager Bean. like this:

@Bean public AuthenticationManager authenticationManager(PasswordEncoder passwordEncoder, CustomUserDetailsService customUserDetailsService) throws Exception { var auth = new DaoAuthenticationProvider(); auth.setPasswordEncoder(passwordEncoder); auth.setUserDetailsService(customUserDetailsService); return new ProviderManager(auth); }

Here I provide the DoaAuthenticationProvider which is a Spring class used for Users stored in the DB. These DB-Users can implement the UserDetails interface (mine actually don’t I translate it later), because that’s the interface Spring Security uses to authenticate user credentials.

I also provide a CustomUserDetailsService which is a @Service class that implements the UserDetailsService interface and it’s loadByUsername method, which fetches the user from the database and translates it’s username, password and authority into a UserDetails instance.

Alternatively, you can make a UserDetails Bean with InmemoryAuthentication like here. This is great for practicing security, because you can skip the step of storing Users in the DB and just declare them there, but it’s not good for real world applications for obvious reasons.

(p.s. I hope this answers your question, next time provide your relevant code snippets or maybe a full github repo)