x5t:base64encodedthumbprint and typ:JWT missing in generated client_assertion

[marcerik]

Describe the bug
I use Spring Boot 2.5.0 where Spring Security 5.5.0 is included.

From issue #8175 I read that "partial" support for JWT OAuth 2.0 Client Authentication and Authorization Grant is implemented.

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate

I set up everything in Spring Boot and initiate token access chain.

It seems like Header parameters "x5t:base64EncodedThumprintHere" and "typ:JWT" inside the signed client_assertion are not sent to to the Azure AD at all, only ALG:RS256 is sent in the Header. Claims are created correctly.

During debug I observe that in method "private static JoseHeader addKeyIdentifierHeadersIfNecessary(JoseHeader headers, JWK jwk)" in NimbusJwsEncoder.java neither "x5t:base64thumbprinthere" nor typ:JWT header gets added. On the other hand I am able to get the "x5t#S256" parameter populated, but Azure AD does not accept it.

To Reproduce

Expected behavior
"x5t:base64EncodedThumprintHere" and "typ:JWT" should be added to the header.

Related gh-9208

[jgrandja]

Thanks for the report @marcerik.

You mention x5t:base64EncodedThumprintHere but do you mean the x5t header?

The ability to customize the Jwt client assertion will be allowed after we merge gh-9208. See this related comment.

[marcerik]

Sorry for the confusion. What I mean is that the the "x5t" and "typ" header parameters are missing from the client_assertion.

[jgrandja]

No worries @marcerik. This issue will be resolved after gh-9208 is merged, which will provide the ability to fully customize the Jwt assertion.

[jgrandja]

@marcerik I'm going to close this as a duplicate of gh-9855.

Please follow gh-9855 to ensure the enhancement meets your requirements. It's planned for 5.7.x.