- When the user logs in for the first time (or after the token has expired) they receive an OTP (a one-time password delivered over a channel other than the one used for client-server communication, e.g. email or SMS)
- The client includes the received OTP in the next request and gets back a token (a plain random UUID in this case)
- The client uses this token to access secured endpoints until it expires or is revoked, e.g. because a request arrives from a different IP address, fraudulent or malicious activity is detected, or any other condition the server chooses to enforce
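The three steps above as a single runnable class (plain JDK, no Spring). This is an added example, not the project's own code: the class and method names (`OtpTokenFlow`, `issueOtp`, `exchangeOtp`, `authenticate`), the TTLs and the three-attempt limit are assumptions. It keeps OTPs single-use and short-lived, compares them in constant time, binds the issued UUID token to the caller's IP, and drops the token on expiry, IP change or explicit revocation.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

/** In-memory OTP -> bearer-token exchange (assumed names; illustrative, not the project's code). */
public final class OtpTokenFlow {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration OTP_TTL = Duration.ofMinutes(5);   // assumed
    private static final Duration TOKEN_TTL = Duration.ofHours(1);   // assumed
    private static final int MAX_OTP_ATTEMPTS = 3;                   // assumed brute-force limit

    private record PendingOtp(String code, Instant expiresAt, int attempts) {}
    private record Session(String user, String clientIp, Instant expiresAt) {}

    private final Map<String, PendingOtp> pending = new ConcurrentHashMap<>();  // user -> OTP
    private final Map<String, Session> sessions = new ConcurrentHashMap<>();    // token -> session

    /** Step 1: create a 6-digit OTP for the user. The caller sends it out of band (email/SMS). */
    public String issueOtp(String user) {
        String code = String.format("%06d", RNG.nextInt(1_000_000));
        pending.put(user, new PendingOtp(code, Instant.now().plus(OTP_TTL), 0));
        return code; // returned only so the caller can hand it to the mail/SMS sender
    }

    /** Step 2: exchange the OTP for a token. Empty on any failure; the OTP is consumed on success. */
    public Optional<String> exchangeOtp(String user, String submitted, String clientIp) {
        PendingOtp p = pending.get(user);
        if (p == null) return Optional.empty();
        if (Instant.now().isAfter(p.expiresAt()) || p.attempts() >= MAX_OTP_ATTEMPTS) {
            pending.remove(user); // expired or too many guesses: a fresh OTP is required
            return Optional.empty();
        }
        // constant-time comparison so timing does not leak how many leading digits matched
        if (!MessageDigest.isEqual(p.code().getBytes(StandardCharsets.UTF_8),
                                   submitted.getBytes(StandardCharsets.UTF_8))) {
            pending.put(user, new PendingOtp(p.code(), p.expiresAt(), p.attempts() + 1));
            return Optional.empty();
        }
        pending.remove(user); // single use
        String token = UUID.randomUUID().toString(); // 122 random bits, as in the flow
        sessions.put(token, new Session(user, clientIp, Instant.now().plus(TOKEN_TTL)));
        return Optional.of(token);
    }

    /** Step 3: resolve a token presented on a secured endpoint; revoke it on expiry or IP change. */
    public Optional<String> authenticate(String token, String clientIp) {
        Session s = sessions.get(token);
        if (s == null) return Optional.empty();
        if (Instant.now().isAfter(s.expiresAt()) || !s.clientIp().equals(clientIp)) {
            sessions.remove(token); // the flow's conditions: expired, or request from a different IP
            return Optional.empty();
        }
        return Optional.of(s.user());
    }

    /** Server-side revocation, e.g. when fraud detection flags the session. */
    public void revoke(String token) {
        sessions.remove(token);
    }

    public static void main(String[] args) {
        OtpTokenFlow flow = new OtpTokenFlow();
        String otp = flow.issueOtp("alice");                                    // would be emailed/SMSed
        System.out.println("wrong OTP accepted? " + flow.exchangeOtp("alice", "wrong-otp", "10.0.0.5").isPresent());
        String token = flow.exchangeOtp("alice", otp, "10.0.0.5").orElseThrow();
        System.out.println("same IP   -> " + flow.authenticate(token, "10.0.0.5").orElse("denied"));
        System.out.println("other IP  -> " + flow.authenticate(token, "10.0.0.9").orElse("denied"));
        System.out.println("after rebind -> " + flow.authenticate(token, "10.0.0.5").orElse("denied"));
    }
}
```

The random UUID is only as safe as its transport and storage: treat it as a bearer credential (TLS only, never logged), and back the two maps with a store that survives restarts and can be shared across instances if the service is scaled out.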
- Whole Spring Security auth flow customization (custom filters, providers and Authentication objects)
- Multiple auth providers
- Component-based config (a SecurityFilterChain bean in lieu of the deprecated WebSecurityConfigurerAdapter, which was removed in Spring Security 6)
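How those three pieces fit together in Spring Security 6 (Jakarta servlet API): a custom `Authentication` carrying the bearer token, an `AuthenticationProvider` that validates it, a `OncePerRequestFilter` that extracts it from the `Authorization` header, and a component-based `SecurityFilterChain` bean. This is an added example rather than the project's own code; the class names, the `TokenStore` interface (assumed to be backed by whatever issues the UUID tokens after the OTP step), the `/auth/**` path and the `ROLE_USER` authority are assumptions.

```java
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/** Assumed abstraction over the token store populated by the OTP exchange (not the project's API). */
interface TokenStore {
    Optional<String> userFor(String token, String clientIp); // empty when expired, unknown or IP-rebound
}

/** Custom Authentication object: unauthenticated = token + caller IP, authenticated = resolved user. */
final class TokenAuthentication extends AbstractAuthenticationToken {
    private final String token, clientIp, user;
    TokenAuthentication(String token, String clientIp) {          // request form (before validation)
        super(null); this.token = token; this.clientIp = clientIp; this.user = null;
        setAuthenticated(false);
    }
    TokenAuthentication(String user, Collection<? extends GrantedAuthority> authorities) { // result form
        super(authorities); this.token = null; this.clientIp = null; this.user = user;
        setAuthenticated(true);
    }
    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return user; }
    String clientIp() { return clientIp; }
}

/** Custom provider: one of possibly several registered with the ProviderManager. */
final class TokenAuthenticationProvider implements AuthenticationProvider {
    private final TokenStore store;
    TokenAuthenticationProvider(TokenStore store) { this.store = store; }
    @Override public Authentication authenticate(Authentication auth) throws AuthenticationException {
        TokenAuthentication req = (TokenAuthentication) auth; // safe: supports() filters for us
        String user = store.userFor((String) req.getCredentials(), req.clientIp())
                .orElseThrow(() -> new BadCredentialsException("invalid, expired or rebound token"));
        return new TokenAuthentication(user, List.of(new SimpleGrantedAuthority("ROLE_USER")));
    }
    @Override public boolean supports(Class<?> c) { return TokenAuthentication.class.isAssignableFrom(c); }
}

/** Custom filter: pulls "Authorization: Bearer <uuid>" and hands it to the AuthenticationManager. */
final class TokenAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager manager;
    TokenAuthenticationFilter(AuthenticationManager manager) { this.manager = manager; }
    @Override protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication result = manager.authenticate(
                        new TokenAuthentication(header.substring(7).trim(), req.getRemoteAddr()));
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                SecurityContextHolder.clearContext();
                res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // bad token: stop here
                return;
            }
        }
        chain.doFilter(req, res); // no token: continue anonymously; authorization rules decide
    }
}

/** Component-based config: beans instead of a WebSecurityConfigurerAdapter subclass. */
@Configuration
@EnableWebSecurity
class SecurityConfig {
    @Bean
    AuthenticationManager authenticationManager(TokenStore store) {
        // add further providers (e.g. one that validates the OTP itself) to this list
        return new ProviderManager(List.of(new TokenAuthenticationProvider(store)));
    }
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, AuthenticationManager manager) throws Exception {
        http.csrf(csrf -> csrf.disable())                                   // stateless bearer-token API
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/auth/**").permitAll()                    // OTP request/exchange endpoints
                .anyRequest().authenticated())
            .addFilterBefore(new TokenAuthenticationFilter(manager), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

Two caveats when running this behind a load balancer or reverse proxy: `getRemoteAddr()` then returns the proxy's address, so the IP binding only works if a trusted forwarded-header resolver is configured; and because the filter is constructed inline rather than registered as a `@Component`, Spring Boot will not also register it as a plain servlet filter outside the security chain.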