
Add Jwt Client Authentication support #9520

Closed

Conversation

jgrandja
Contributor

@jgrandja jgrandja commented Mar 24, 2021

Add JWT client authentication support for private_key_jwt and client_secret_jwt.

Related specifications

RFC 7521
4.2. Using Assertions for Client Authentication

RFC 7523
2.2. Using JWTs for Client Authentication

OpenID Connect Core 1.0
9. Client Authentication

The best places to start to see how to configure and customize JWT client authentication support are the following tests:

  • DefaultAuthorizationCodeTokenResponseClientTests:

    • getTokenResponseWhenAuthenticationPrivateKeyJwtThenFormParametersAreSent()
    • getTokenResponseWhenAuthenticationClientSecretJwtThenFormParametersAreSent()
  • DefaultClientCredentialsTokenResponseClientTests:

    • getTokenResponseWhenAuthenticationPrivateKeyJwtThenFormParametersAreSent()
    • getTokenResponseWhenAuthenticationClientSecretJwtThenFormParametersAreSent()

Closes gh-8175

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement labels Mar 24, 2021
@jgrandja jgrandja added this to the 5.5.0-RC1 milestone Mar 24, 2021
@jgrandja jgrandja marked this pull request as ready for review March 31, 2021 10:36
@jgrandja jgrandja requested a review from rwinch March 31, 2021 10:36
Member

@rwinch rwinch left a comment


I've left feedback inline

@jgrandja
Contributor Author

jgrandja commented Apr 8, 2021

@rwinch I have addressed all feedback. Ready for next review.

Member

@rwinch rwinch left a comment


Thanks. I think it is getting very close. I have responded to some of your replies.

```java
 *
 * @param <T> the type of {@link AbstractOAuth2AuthorizationGrantRequest}
 */
public static final class JwtClientAuthenticationContext<T extends AbstractOAuth2AuthorizationGrantRequest> {
```
Member


Is there a reason you went with creating JwtClientAuthenticationContext versus two converters, as was done with the headers and claims in AbstractOAuth2AuthorizationGrantRequestEntityConverter?

Contributor Author


See comment

@jgrandja
Contributor Author

jgrandja commented Apr 8, 2021

Thanks for all the feedback @rwinch !

I applied the last bit of feedback and just merged to master.

@jgrandja jgrandja closed this Apr 8, 2021
@jgrandja jgrandja deleted the gh-8175-jwt-client-authn branch April 8, 2021 20:48
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Apr 9, 2021
@sabareeshkkanan

@jgrandja do you have a working example configured using application.yml? I am trying to get this working for Apple but have had no luck so far. I also went through the test but still can't get it working.

@jgrandja
Contributor Author

jgrandja commented Mar 31, 2022

@sabareeshkkanan

> do you have a working example configured using application.yml

NimbusJwtClientAuthenticationParametersConverter cannot be auto-configured from application.yml. It needs to be explicitly configured by passing it a Function<ClientRegistration, JWK> jwkResolver via the constructor. The jwkResolver supplies the key used to sign the JWT client assertion.

Please look at this test as it demonstrates the explicit code configuration.
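As an added illustration of the explicit configuration described above (example code written for this page, not code from the PR or from Spring Security itself), the following wires `NimbusJwtClientAuthenticationParametersConverter` into a `DefaultAuthorizationCodeTokenResponseClient` for both `private_key_jwt` and `client_secret_jwt`. The RSA key pair is generated at startup purely so the example is self-contained; a real client loads its signing key from a keystore and registers the matching public key with the authorization server. The class name `JwtClientAuthenticationConfig` and the helper method names are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;
import java.util.function.Function;

import javax.crypto.spec.SecretKeySpec;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;

import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

public class JwtClientAuthenticationConfig {

    // Constructed for this example: a throwaway RSA key pair generated at startup.
    // In production, load the private key from a keystore or secret store; the
    // public half (or a JWK Set URL) must be registered with the authorization server.
    private static final KeyPair RSA_KEY_PAIR = generateRsaKeyPair();

    private static KeyPair generateRsaKeyPair() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(2048);
            return generator.generateKeyPair();
        } catch (Exception ex) {
            throw new IllegalStateException("unable to generate RSA key pair", ex);
        }
    }

    /**
     * Resolves the JWK that signs the client assertion for a given registration.
     * private_key_jwt uses the asymmetric key (RS256); client_secret_jwt uses the
     * client secret as an HMAC key (HS256). Any other method returns null, so the
     * converter adds no client_assertion parameters for that registration.
     */
    static Function<ClientRegistration, JWK> jwkResolver() {
        return (clientRegistration) -> {
            ClientAuthenticationMethod method = clientRegistration.getClientAuthenticationMethod();
            if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)) {
                // The kid must be stable and match the key registered at the authorization
                // server; the random UUID here is only a placeholder for the example.
                return new RSAKey.Builder((RSAPublicKey) RSA_KEY_PAIR.getPublic())
                        .privateKey((RSAPrivateKey) RSA_KEY_PAIR.getPrivate())
                        .keyID(UUID.randomUUID().toString())
                        .build();
            }
            if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
                // HS256 requires a secret of at least 256 bits (32 bytes); a shorter
                // client secret will be rejected when the assertion is signed.
                SecretKeySpec secretKey = new SecretKeySpec(
                        clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8),
                        "HmacSHA256");
                return new OctetSequenceKey.Builder(secretKey)
                        .keyID(UUID.randomUUID().toString())
                        .build();
            }
            return null;
        };
    }

    /**
     * Token response client for the authorization_code grant that sends
     * client_assertion and client_assertion_type in the token request instead of
     * client_id/client_secret for registrations using a JWT client authentication method.
     */
    static DefaultAuthorizationCodeTokenResponseClient tokenResponseClient() {
        OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();
        requestEntityConverter.addParametersConverter(
                new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver()));

        DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
                new DefaultAuthorizationCodeTokenResponseClient();
        tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
        return tokenResponseClient;
    }
}
```

The returned client is then plugged into the login flow via the DSL, for example `http.oauth2Login(oauth2 -> oauth2.tokenEndpoint(token -> token.accessTokenResponseClient(JwtClientAuthenticationConfig.tokenResponseClient())))`. The only part that belongs in application.yml is the registration's `client-authentication-method` (`private_key_jwt` or `client_secret_jwt`); the key material and the converter cannot come from properties, which is why the explicit Java configuration is required.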

@sabareeshkkanan

@jgrandja It is still hard to understand how this can be done in a real-world setting that is not a test. Do you have a working example?

@jgrandja
Contributor Author

jgrandja commented Apr 5, 2022

I will try to find time over the next week or so to put a sample together.

@jgrandja
Contributor Author

@sabareeshkkanan This branch has a working sample that uses Spring Authorization Server.

Development

Successfully merging this pull request may close these issues.

Support JWT for Client Authentication