Support JWT as an Authorization Grant for client #6053
Comments
jgrandja
added
New Feature
in: oauth2
|
Would be great have this feature targeting next milestone. |
|
@gandrade We've been working hard on the upcoming 5.2.0 release (scheduled Sep 19), and it's looking like I won't be able to get to this feature in time. There have been quite a few other priority items that I've been working on. It would likely be faster if someone from the community can provide a PR for this feature. Although this is not a trivial feature to implement, it would have a very similar implementation as #7013. Would you be interested in submitting a PR for this feature? If not, I'll leave this up for someone in the community to pick up. |
jgrandja
added
the
status: ideal-for-contribution
|
Hi @jgrandja, if someone was available to support me in clarifying and reviewing the technical design for this feature, then I would like to work on it. I am already familiar with the OAuth 2.0 specs and work daily on security features for enterprise applications. But since it would be my first feature-size task on this project, I could use some guidance. |
|
@ThomasVitale Thanks for the offer! I actually have a POC in this sample. However, I think it would still be valuable to review the spec and the POC code to determine if there is any other work left to do. I believe it's pretty close to being done but there may be other work that needs to be completed. Let me know what you think? |
|
FYI, the OpenID Foundation Fast Federation Working Group is defining a standard that will require RFC 7523 support. Lack of this in Spring will slow development and adoption of this emerging standard. |
|
Thanks for the info @matt-domsch-sp. Would you happen to know which providers currently support RFC 7523? |
|
I'm aware of these uses in the wild:
Other participants in the FastFed WG include SailPoint, Microsoft, Google, AWS, Yahoo, ADP, Ping, Okta, so I would expect broader adoption through 2020 and 2021. |
@jgrandja Is my interpretation correct that this POC code only applies to the client side and there isn't any work on the authorization server token endpoint side? Is this ticket meant only for client support? TIA! |
|
@jason-leagueapps Yes, you are correct. This ticket addresses the client support only. I've updated the subject of this ticket to be more clear. |
jgrandja
changed the title
jgrandja
removed
the
status: ideal-for-contribution
|
Keycloak also supports this with either a fixed certificate or a JWK callback. |
|
Hi, |
|
@H-LREB Thank you for submitting the PR that integrates the code from the sample. I'm pretty back logged these days and I wasn't planning on getting this feature in for There are a few priority items that I'm working on and given that Having said that, the PR you submitted helps a lot. The other thing that would help a lot is to confirm that the implementation works for at least 3 well-known providers. This will give me a level of confidence to allow the merge. This is a crucial and necessary next step. Would you be able to help with this? Either way, I will do my best to get this in for |
|
@jgrandja Thank you for your fast reply. I totally understand that you guys have a lot to do and that the feature may not be ready in time for 5.5.0. Yes, I would love to help with the tests of the feature. Which OAuth2 providers you usually use? I can follow the same steps. |
I usually test with Keycloak, Okta and Curity. I think all 3 support jwt-bearer grant? You'll have to confirm if they do by looking at their reference doc. We should also ensure it works with Microsoft Azure. See OAuth 2.0 On-Behalf-Of flow |
|
I found the confirmation that Curity supports the jwt-bearer grant type. See "Assertion Flow" section in this document. I could not find the same confirmation for Okta and KeyCloak. It does not seem they support this grant type. As for Microsoft Azure, based on the request contents, I think we should be looking at the scenario "First case : Access token request with a shared secret". However, the Azure documentation describes a required parameter (in the request) which I do not see in the specification : May be it is worth mentioning that Okta seems to support the "Section 2.2 Using JWTs for client authentication" of the specification, according to this documentation. I'll try to find more information |
|
I tested the implementation with Curity and it works. However, I still cannot find any mention of the jwt-bearer grant type in Okta or KeyCloak documentation. I don't think those providers support this grant type. As for Azure, I'll try to find time to test it in the coming week, but I can't promise. If someone new to Curity, like myself, tries to test the implementation against this provider, they shouldn't be intimidated by the error message "invalid_grant". It does not mean the grant type |
|
Keycloak docs are here and it does support this grant type. On the server they support two possibilities
For the client (which you are interested in) they use this Keycloak provides their own spring-boot client (open source) which uses this the private_jwt auth mechanism. p.s. It would be nice if spring security supported the client credentials grant with JWT and not just the auth code grant. 😄 |
|
@mjeffrey Thank you for this information, However, I think you are referring to a different grant type. You are referring to the grant type If I understood correctly, the grant type |
This feature will partially implement JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.
Section 2.1. Using JWTs as Authorization Grants will be the focus for this feature implementation.
One of the primary use cases for using a JWT as an authorization grant is to exchange it for another JWT (at the Token Endpoint) with narrowed
scope. This is useful when a service (a) wants to call another downstream service (b) with onlyscopethat service (b) understands (supports).NOTE: This ticket addresses client-side support only.
Related #5199 #8175
The text was updated successfully, but these errors were encountered: