I was looking at one of two methods for preventing direct access to my public anonymous Spring REST API. Either do one of the following:
1) Use Client Credentials flow and secure the password for client credentials on something like Hashicorp Vault that resides on the same server as my Angular UI app and my Spring REST app. I am wanting to verify the client, not the user. I like this credentials approach better than #2 below because in the future I can use Password flow for mobile clients and other desktop clients that require user authentication.
2) Whitelist urls on the Spring REST controller that allows only requests that come from my Angular UI client. This approach seems to not be valid for mobile clients where IP varies.
Can anyone speak to my dilemma?
Thanks.