Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Certificate-Bound (POP) JWT Access Token Validation #10538

Closed
segevmalool opened this issue Nov 19, 2021 · 4 comments
Closed

Support Certificate-Bound (POP) JWT Access Token Validation #10538

segevmalool opened this issue Nov 19, 2021 · 4 comments
Assignees
@jgrandja
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Milestone
6.3.0-RC1

Comments

@segevmalool
Copy link

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture-08
https://tools.ietf.org/id/draft-ietf-oauth-pop-key-distribution-04.html

Expected Behavior
Proof of possession enables client authentication on requests to resource servers. The oauth2 authorization server signs a JWT-formatted access token which includes the public key of client. The resource server verifies the access token against the AS JWKS, and also verifies the access token (or some part of it) against the client's public key (contained in the cnf claim, or confirmation).

I'm not fully clear on how the client would pass the signature (or shared secret and hash in the case of symmetric), so would need to figure that out for an implementation. Does anyone know a standard for this?

With some boot or web integrations, this feature could be enabled easily by a spring security user with (some variation) of the following (reactive) code:

@EnableWebFluxSecurity
class {
  @Bean
  public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
    http.oauth2ResourceServer().proofOfPossession();
  }
}

Current Behavior
Would have to implement custom token validation or some such to make it work.

Context
Client to resource server authentication is becoming a best practice in the industry and would enhance spring security greatly.
@segevmalool segevmalool added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Nov 19, 2021
@segevmalool
Copy link
Author

segevmalool commented Nov 19, 2021
edited
Loading

I think the move here (for reactive at least) would be to implement an extension of NimbusReactiveJwtDecoder (say, NimbusPopReactiveJwtDecoder) that includes the functionality to verify the client signature.

Then the API would be a method on ServerHttpServer.Oauth2ResourceServerSpec.JwtSpec to set the extended decoder.

I'm guessing most of these have analogous implementation on the non-reactive side of things.

@segevmalool
Copy link
Author

Another implementation option might be to add a static method to JwtValidators and add a new validator class for the PoP validation.

@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 22, 2021
@jgrandja jgrandja changed the title [Enhancement] Streamlined Support for Oauth2 Resource Server Proof of Possession Validation Support Certificate-Bound (POP) Access Token Validation Nov 25, 2021
@jgrandja
Copy link
Contributor

@segevmalool We're planning on implementing this on the Authorization Server side in spring-authorization-server#101. We'll then implement the Resource Server side validation.

@jgrandja jgrandja removed their assignment Nov 25, 2021
@jgrandja jgrandja added this to the 5.7.x milestone Dec 1, 2021
@jgrandja jgrandja modified the milestones: 5.7.x, 6.0.x Mar 11, 2022
@jgrandja jgrandja removed this from the 6.0.x milestone Jun 2, 2022
@jgrandja jgrandja changed the title Support Certificate-Bound (POP) Access Token Validation Support Certificate-Bound (POP) JWT Access Token Validation Apr 11, 2024
@jgrandja jgrandja self-assigned this Apr 11, 2024
@jgrandja jgrandja added this to the 6.3.0-RC1 milestone Apr 11, 2024
@jgrandja jgrandja moved this to In Progress in Spring Security Team Apr 11, 2024
@jgrandja
Copy link
Contributor

jgrandja commented Apr 11, 2024
edited
Loading

This feature has been merged via 644cfa9.

Added a new OAuth2TokenValidator<Jwt> that validates the x5t#S256 claim in the Jwt against the SHA-256 Thumbprint of the supplied X509Certificate. This implementation is for the Servlet stack. See gh-14887 for the Reactive stack and gh-14888 for "opaque" access token validation.

Relevant specification:

@jgrandja jgrandja moved this from In Progress to Done in Spring Security Team Apr 11, 2024
This was referenced Apr 11, 2024
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jgrandja jgrandja

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
Spring Security Team
Status: Done
Milestone
6.3.0-RC1
Development

No branches or pull requests
3 participants
@sjohnr @segevmalool @jgrandja