
Add jwt-bearer authorization grant #9535

Closed

Conversation

jgrandja
Contributor

@jgrandja jgrandja commented Apr 1, 2021

Add jwt-bearer authorization grant support.

Related specifications

RFC 7523
2.1 Using JWTs as Authorization Grants

RFC 7521
4.1 Using Assertions as Authorization Grants

Closes gh-6053

@jgrandja jgrandja requested a review from rwinch April 1, 2021 21:13
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement labels Apr 1, 2021
@jgrandja jgrandja added this to the 5.5.0-RC1 milestone Apr 1, 2021
@jgrandja jgrandja force-pushed the gh-6053-jwt-bearer-grant-type branch from 8139073 to 7319048 Compare April 8, 2021 21:01
@jgrandja jgrandja self-assigned this Apr 9, 2021
@jgrandja jgrandja added the status: duplicate A duplicate of another issue label Apr 9, 2021
@jgrandja
Contributor Author

jgrandja commented Apr 9, 2021

Merged via 7694aa2 eff4cdc

@jgrandja jgrandja closed this Apr 9, 2021
@jgrandja jgrandja deleted the gh-6053-jwt-bearer-grant-type branch April 9, 2021 10:44
@H-LREB
Contributor

H-LREB commented Apr 9, 2021

@jgrandja Thank you for the merge.

I have a question about the class JwtBearerOAuth2AuthorizedClientProvider. At line 62, the check of token expiration has been omitted. What happens if the token is expired? In my understanding, the Provider will still return null. Won't this cause the expired token to be reused, resulting in a 401 error?

@jgrandja
Contributor Author

What happens if the token is expired?

Yes, the request will fail at the resource with 401 and the ServletOAuth2AuthorizedClientExchangeFilterFunction.AuthorizationFailureForwarder will handle the error and ultimately remove the OAuth2AuthorizedClient via the default RemoveAuthorizedClientOAuth2AuthorizationFailureHandler.

RemoveAuthorizedClientOAuth2AuthorizationFailureHandler is also used on authorization/re-authorization failures within OAuth2AuthorizedClientManager. Please review the OAuth2AuthorizedClientManager reference for further details.

@H-LREB
Contributor

H-LREB commented Apr 12, 2021

Thank you @jgrandja for this information.

I understand the importance of declaring an AuthorizationFailureForwarder, as it is necessary to clear the OAuth2AuthorizedClient when it becomes invalid.
However, in this case, the error is not exceptional or related to some unexpected behaviour. We know for sure that tokens will expire (e.g. every 5 minutes, or every hour, etc.). This means that developers will have to handle those situations (which happen periodically).
Not only does this give more work / responsibility to development teams (e.g. by doing a retry of the business request using WebClient), but it also makes 401 errors "normal". This makes it harder to recognize the 401 errors resulting from attack attempts.
In my humble opinion, it is much simpler and more efficient if Spring Security handles token expiration in JwtBearerOAuth2AuthorizedClientProvider (line 62), the same way it does with PasswordOAuth2AuthorizedClientProvider.

What do you think?
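As an added illustration of the expiry check discussed in this thread (not code from this PR, from gh-9700, or from Spring Security itself): a hypothetical provider that treats an expired access token as a reason to re-run the jwt-bearer grant rather than returning null and waiting for the resource server's 401. It uses Spring Security 5.5 client types and assumes the caller's principal is a Jwt usable as the assertion and a 60-second clock skew.

```java
import java.time.Clock;
import java.time.Duration;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.endpoint.DefaultJwtBearerTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.jwt.Jwt;

// Hypothetical provider (not Spring Security's own class): re-authorizes when the cached
// access token is expired instead of returning null and letting the resource server answer 401.
public final class ExpiryAwareJwtBearerProvider implements OAuth2AuthorizedClientProvider {
    private final OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> tokenResponseClient =
            new DefaultJwtBearerTokenResponseClient();
    private final Clock clock = Clock.systemUTC();
    // Assumed skew: treat the token as expired 60 s early so in-flight requests do not race expiry.
    private final Duration clockSkew = Duration.ofSeconds(60);

    @Override
    public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
        ClientRegistration registration = context.getClientRegistration();
        if (!AuthorizationGrantType.JWT_BEARER.equals(registration.getAuthorizationGrantType())) {
            return null; // not a jwt-bearer registration; another provider handles it
        }
        OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
        if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
            return null; // current token still valid: reuse it, nothing to do
        }
        // Expired or never authorized: exchange the caller's JWT assertion for a fresh token.
        Object principal = context.getPrincipal().getPrincipal();
        if (!(principal instanceof Jwt)) {
            return null; // assumption: the assertion is the authenticated Jwt principal
        }
        JwtBearerGrantRequest grantRequest = new JwtBearerGrantRequest(registration, (Jwt) principal);
        OAuth2AccessTokenResponse response = this.tokenResponseClient.getTokenResponse(grantRequest);
        return new OAuth2AuthorizedClient(registration, context.getPrincipal().getName(), response.getAccessToken());
    }

    // Expiry check in the style of PasswordOAuth2AuthorizedClientProvider: expired once "now" is past
    // expiresAt minus the skew. A token that carries no expiresAt is treated as not expired.
    boolean hasTokenExpired(OAuth2Token token) {
        return token.getExpiresAt() != null
                && this.clock.instant().isAfter(token.getExpiresAt().minus(this.clockSkew));
    }
}
```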

@jgrandja
Contributor Author

@H-LREB This is now fixed via gh-9700

@H-LREB
Contributor

H-LREB commented Apr 30, 2021

That is wonderful news.
Thank you!

Successfully merging this pull request may close these issues.

Support JWT as an Authorization Grant for client