How to Identify the Client Application that Performs a Request

I write a Java (Spring-Boot) service that multiple client applications can use. For maintenance/stats I would like to log which applications access the service. How can the client application be identified without trusting the client?

Additional information

  • Multiple of those client applications are in docker containers behind a reverse proxy (traefik).
  • Multiple of those client applications are written / maintained by the same persons. This is relevant because the request code used by a client application can be reused for another application without changing the client ID.
  • I only want to hinder people copying the request code because it is faster. This solution can't be secure in my eyes and doesn't have to be. It would be good enough to recognize that two applications use the same identifier.

Approach

The idea could be to use public key authentication and bind the private key to something like the protocol/IP/port combination. The first part (public key auth.) would help clients that are interested in good maintenance/stats. The second part (binding) is a dead end in my eyes because I don't know what I could use for the binding:

  • Protocol: Almost always the same.
  • IP: Often the same because of few docker hosts.
  • Port: I'm unsure right now, I guess random for the client request.
  • MAC: Network segment is unpredictable.

Any ideas?

Ironori asked Nov 06 '22 08:11


1 Answer

You can also add authorization via a token in the HTTP headers, and rewrite all client code to get tokens from the environment on deploy (do not hardcode tokens in code in the repository).

So even if a new client appears by copy-pasting code, it needs to get a token from you. You can manage access for the different apps, and in case of anomalous load from one of the apps you can "ban" that app (or degrade it by reducing response speed for that particular token).

Ryabchenko Alexander answered Nov 15 '22 11:11
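
The per-application token scheme from the answer above, shown from the server side as an added example that is not part of the original post. It uses only the JDK; the `Authorization: Bearer` header format, the class name `ClientTokenRegistry`, the client ids, the token values and the `SERVICE_TOKEN` variable name are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/** Server side: maps the bearer token of a request to the client application it was issued to. */
public class ClientTokenRegistry {
    private final Map<String, byte[]> hashByClient = new ConcurrentHashMap<>(); // clientId -> SHA-256(token)
    private final Set<String> banned = ConcurrentHashMap.newKeySet();

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required in every Java runtime
        }
    }

    /** Store only the hash, so a leaked registry does not expose usable tokens. */
    public void register(String clientId, String token) {
        hashByClient.put(clientId, sha256(token));
    }

    public void ban(String clientId) { banned.add(clientId); }

    /** Returns the client id for a header value like "Bearer <token>"; empty if unknown or banned. */
    public Optional<String> identify(String header) {
        if (header == null || !header.startsWith("Bearer ")) return Optional.empty();
        byte[] presented = sha256(header.substring(7).trim());
        String match = null;
        for (Map.Entry<String, byte[]> e : hashByClient.entrySet()) {
            // MessageDigest.isEqual is a constant-time comparison; scan every entry without early exit
            if (MessageDigest.isEqual(e.getValue(), presented)) match = e.getKey();
        }
        return (match == null || banned.contains(match)) ? Optional.empty() : Optional.of(match);
    }

    public static void main(String[] args) {
        ClientTokenRegistry reg = new ClientTokenRegistry();
        reg.register("billing-app", "tok-billing-CONSTRUCTED"); // constructed sample tokens
        reg.register("reports-app", "tok-reports-CONSTRUCTED");
        // A client builds the header from its own environment, e.g. System.getenv("SERVICE_TOKEN")
        System.out.println(reg.identify("Bearer tok-billing-CONSTRUCTED")); // token issued to billing-app
        System.out.println(reg.identify("Bearer copied-without-token"));    // code copied, no token issued
        reg.ban("reports-app");
        System.out.println(reg.identify("Bearer tok-reports-CONSTRUCTED")); // token of a banned app
    }
}
```

In a Spring Boot service, `identify` would be called from a servlet filter or `HandlerInterceptor`, with the returned client id written to the access log. Two applications that share one token appear as the same client id, and the token can then be rotated or banned.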