Provide ability to customize claims in Jwt Client Assertion #9855

Closed
christophejan opened this issue Jun 2, 2021 · 3 comments · Fixed by #10972
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

Comments

@christophejan (Contributor) commented Jun 2, 2021

Currently the Spring Security OAuth 2.0 client uses the provider details token URI as the value of the JWT aud claim of the assertion in OAuth 2.0 Client Authentication.

RFC 7523 says:

The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT.

The RFC says MAY, not MUST. I would like to be able to use another value (I have to call an OAuth 2 server that requires a value different from the token URL).

The current Spring Security behavior is provided by NimbusJwtClientAuthenticationParametersConverter. Overriding its behavior requires copy/pasting hundreds of lines, as it is a final class and uses many package-private classes.

Related gh-9208

@christophejan christophejan added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 2, 2021
@christophejan christophejan changed the title Give ability to configure aud claim value in OAuth 2.0 Client Authentication and Authorization Grants assertion Give ability to configure aud claim value in OAuth 2.0 Client Authentication assertion Jun 2, 2021
@marcusdacoregio marcusdacoregio added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 2, 2021
@jgrandja (Contributor) commented Jun 7, 2021

@christophejan We are looking to merge gh-9208 for 5.6, which is needed before we can allow customization of the Jwt client assertion.

@jgrandja jgrandja added this to the 5.6.x milestone Jun 7, 2021
@jgrandja jgrandja changed the title Give ability to configure aud claim value in OAuth 2.0 Client Authentication assertion Provide ability to customize claims in Jwt Client Assertion Oct 20, 2021
@jgrandja jgrandja modified the milestones: 5.6.x, 5.7.x Oct 20, 2021
@jgrandja jgrandja modified the milestones: 5.7.x, 5.7.0-M1 Dec 2, 2021
@sjohnr sjohnr modified the milestones: 5.7.0-M1, 5.7.0-M2 Jan 14, 2022
@marcusdacoregio marcusdacoregio modified the milestones: 5.7.0-M2, 5.7.0-M3 Feb 21, 2022
@jgrandja jgrandja assigned sjohnr and unassigned jgrandja Mar 11, 2022
@jgrandja (Contributor) commented:

@sjohnr This is what I'm thinking for the customization hook:

```java
public final class NimbusJwtClientAuthenticationParametersConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
		implements Converter<T, MultiValueMap<String, String>> {

	// ... existing fields, constructor and convert() ...

	// No-op by default, so existing behaviour (aud = token endpoint URI) is unchanged.
	private Consumer<JwtClientAuthenticationContext<T>> jwtClientAssertionCustomizer = (context) -> {
	};

	// Invoked with the prepared headers/claims before the assertion is signed,
	// so callers can add or override values such as the aud claim.
	public void setJwtClientAssertionCustomizer(Consumer<JwtClientAuthenticationContext<T>> jwtClientAssertionCustomizer) {
		Assert.notNull(jwtClientAssertionCustomizer, "jwtClientAssertionCustomizer cannot be null");
		this.jwtClientAssertionCustomizer = jwtClientAssertionCustomizer;
	}

	public static final class JwtClientAuthenticationContext<T> {

		private final T authorizationGrantRequest;
		private final JwsHeader.Builder headers;
		private final JwtClaimsSet.Builder claims;

		private JwtClientAuthenticationContext(T authorizationGrantRequest, JwsHeader.Builder headers,
				JwtClaimsSet.Builder claims) {
			this.authorizationGrantRequest = authorizationGrantRequest;
			this.headers = headers;
			this.claims = claims;
		}

		public T getAuthorizationGrantRequest() {
			return this.authorizationGrantRequest;
		}

		public JwsHeader.Builder getHeaders() {
			return this.headers;
		}

		public JwtClaimsSet.Builder getClaims() {
			return this.claims;
		}

	}

	// ...
}
```

Use this as a starting point and see how it turns out. Thanks!
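The following is an added example of how a client would use the hook sketched above to override the aud claim, which is the use case described at the top of the issue. It is not code from the issue or from the Spring Security project; it assumes the hook's public API as sketched (setJwtClientAssertionCustomizer, JwtClientAuthenticationContext with getClaims()/getHeaders()), a client-credentials grant, and an application-provided signing key (the generated RSA key below is a constructed placeholder for a key that would normally come from a keystore or vault):

```java
import java.util.Collections;
import java.util.function.Function;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;

import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;

public class CustomAudienceClientAssertionConfig {

	// Constructed placeholder: a real deployment loads the private signing key per
	// client registration from a keystore/vault rather than generating it at startup.
	private static final RSAKey SIGNING_KEY = generatePlaceholderKey();

	private static RSAKey generatePlaceholderKey() {
		try {
			return new RSAKeyGenerator(2048).keyID("client-assertion-key").generate();
		}
		catch (JOSEException ex) {
			throw new IllegalStateException("could not create signing key", ex);
		}
	}

	// Builds a token response client whose private_key_jwt assertion carries the
	// audience value this particular authorization server expects instead of the
	// default token endpoint URI.
	public static DefaultClientCredentialsTokenResponseClient tokenResponseClient(String expectedAudience) {
		// Resolves the JWK used to sign the assertion for a given registration.
		Function<ClientRegistration, JWK> jwkResolver = (registration) -> SIGNING_KEY;

		NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
				new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);

		converter.setJwtClientAssertionCustomizer((context) -> {
			// Override the default aud (token endpoint URI) with the server's expected value.
			// Keep it specific to this authorization server so the signed assertion stays
			// bound to one audience and is rejected if presented elsewhere.
			context.getClaims().audience(Collections.singletonList(expectedAudience));
			// Headers are customizable through the same hook, e.g. an explicit typ header.
			context.getHeaders().type("JWT");
		});

		DefaultClientCredentialsTokenResponseClient client = new DefaultClientCredentialsTokenResponseClient();
		client.addParametersConverter(converter);
		return client;
	}

}
```

The customizer runs after the converter has populated the standard claims (iss, sub, aud, jti, iat, exp) and before the assertion is signed, so only the values you set are replaced; the registration must still use the private_key_jwt client authentication method for the converter to emit a client_assertion parameter at all.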

@jgrandja (Contributor) commented:

@christophejan @marcerik @iamlothian @chenrujun

We just merged support for customizing headers/claims in the JWT Client Assertion in gh-10972.
Please give it a try when you have a chance and any feedback would be greatly appreciated.
