How-to: Override default algorithm used to sign Jwt #1030

Open
sapradhan opened this issue Jan 2, 2023 · 6 comments
Labels
type: documentation A documentation update

Comments

@sapradhan

Expected Behavior
One should be able to choose Signature Algorithm used to sign access tokens.

Current Behavior
No configuration parameter exists in TokenSettings to choose signature algo for access token. It is hard coded as RS256 while generating Jwt.

JwsAlgorithm jwsAlgorithm = SignatureAlgorithm.RS256;
if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
	// TODO Allow configuration for ID Token time-to-live
	expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
	if (registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm() != null) {
		jwsAlgorithm = registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm();
	}
} else {
	expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());
}

Context
Because of this, one cannot choose another algorithm like HSxxx or EDxxx for access tokens.
TokenSettings does allow configuring the signing algorithm for the ID Token using the idTokenSignatureAlgorithm(SignatureAlgorithm idTokenSignatureAlgorithm) method in the Builder.

@sapradhan sapradhan added the type: enhancement A general enhancement label Jan 2, 2023
sapradhan added a commit to sapradhan/spring-authorization-server that referenced this issue Jan 2, 2023
add accessTokenSignatureAlgorithm to TokenSettings to allow configuring Signature algo for access tokens
@jgrandja
Collaborator

jgrandja commented Jan 3, 2023

@sapradhan

One should be able to choose Signature Algorithm used to sign access tokens.

Not all access tokens are signed. This only applies to OAuth2TokenFormat.SELF_CONTAINED access tokens, e.g. Jwt.

However, some clients may be configured for opaque tokens (OAuth2TokenFormat.REFERENCE), and therefore the proposed TokenSettings.accessTokenSignatureAlgorithm would be redundant. Furthermore, there are no specifications that define a default algorithm for access tokens so I'm reluctant on adding this enhancement since there is no standard defined.

Because of this, cannot choose another algorithm like HSxxx or EDxxx for access tokens.

You can override the default algorithm by configuring an OAuth2TokenCustomizer @Bean:

@Bean
OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
	return context -> {
		if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			context.getJwsHeader().algorithm(MacAlgorithm.HS512);
		}
	};
}

This should work for your configuration.

@jgrandja jgrandja added the status: waiting-for-feedback We need additional information before we can continue label Jan 3, 2023
@sapradhan
Author

@jgrandja Thank you for the explanation; with that I am in agreement with your view on not having a JWT-specific setting in the access token settings in general.

I also tried out your suggestion and it works for my use case. However, this was not obvious to me, as a specific algorithm setting exists for the idToken. Should we have a how-to for this use case somewhere? (Please let me know if one exists already.)

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 5, 2023
@jgrandja
Collaborator

jgrandja commented Jan 6, 2023

@sapradhan

Should we have a how-to for this use case somewhere?

Yes, this question will come up again so we'll document it in the reference. I changed the subject of the issue.

I'll close the associated PR and we'll address this soon in the reference manual.

@jgrandja jgrandja changed the title from "Allow to specify Signature algorithm for access token" to "How-to: Override default algorithm used to sign Jwt" Jan 6, 2023
@jgrandja jgrandja removed the status: feedback-provided Feedback has been provided label Jan 6, 2023
@jgrandja jgrandja added type: documentation A documentation update and removed type: enhancement A general enhancement labels May 27, 2023
@TelmaCorreia

TelmaCorreia commented Feb 9, 2024

👋 @jgrandja I also want to use ES256, but the solution proposed above is not working for me. I did some debugging and I noticed that RS256 is also hardcoded here, and then JWT encoding is always using RS256.

Am I missing something?

@sapradhan
Author

@TelmaCorreia If you follow the discussion above, this is by design. An access token does not have to be a JWT, and thus it does not make sense to put a JWT signing algorithm in the access token settings. Did you try setting up a token customizer and changing the algorithm to your preference?

@Bean
OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
	return context -> {
		if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			context.getJwsHeader().algorithm(SignatureAlgorithm.ES256);
		}
	};
}

You may also have to set up an EC256-compatible JWKSource.
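Putting the two suggestions above together (the OAuth2TokenCustomizer from jgrandja's comment and the matching JWKSource sapradhan mentions), here is an added example that is not from the original thread or from the project's own code: a configuration that registers a P-256 key and signs access tokens with ES256. The class name, the key ID choice and generating the key pair at startup are illustrative assumptions (in production the key would come from a keystore or HSM). The point it shows is that NimbusJwtEncoder picks the signing key out of the JWKSource by matching the algorithm set in the JWS header, so changing the header to ES256 only works if an EC P-256 key is actually present; with an RSA-only JWKSource the encoder fails to select a key.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.util.UUID;

import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

// Illustrative configuration class (name is an assumption, not from the project).
@Configuration
public class EcJwtSigningConfig {

	// The JWKSource must contain a key usable for the algorithm the customizer
	// selects. ES256 is defined over P-256 (secp256r1), so that is the curve used here.
	// Assumption: the key pair is generated at startup for the example only;
	// a real deployment loads a stable key so tokens stay verifiable across restarts.
	@Bean
	JWKSource<SecurityContext> jwkSource() throws Exception {
		KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
		generator.initialize(new ECGenParameterSpec("secp256r1"));
		KeyPair keyPair = generator.generateKeyPair();

		ECKey ecKey = new ECKey.Builder(Curve.P_256, (ECPublicKey) keyPair.getPublic())
				.privateKey((ECPrivateKey) keyPair.getPrivate())
				.keyID(UUID.randomUUID().toString()) // kid is published on the JWK Set endpoint
				.build();

		return new ImmutableJWKSet<>(new JWKSet(ecKey));
	}

	// Overrides the RS256 default for self-contained access tokens only.
	// ID tokens keep whatever TokenSettings.idTokenSignatureAlgorithm says
	// (RS256 when unset), so they are not touched here.
	@Bean
	OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
		return context -> {
			if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
				context.getJwsHeader().algorithm(SignatureAlgorithm.ES256);
			}
		};
	}
}
```

Two practical checks when applying this. First, verifiers must be told about the change: a resource server built with NimbusJwtDecoder.withJwkSetUri(...) verifies RS256 by default, so it needs .jwsAlgorithm(SignatureAlgorithm.ES256) on the builder, otherwise ES256 tokens are rejected even though the key is in the JWK Set. Second, if you follow the HS512 variant from jgrandja's comment instead, the JWKSource needs an OctetSequenceKey rather than an EC key, and a symmetric secret cannot be published through the JWK Set endpoint, so every verifier has to receive it out of band and any party holding it can mint tokens.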

@chenzhenjia

Clear the default idToken algorithm and add all algorithms supported by the JWKs:

new OAuth2AuthorizationServerConfigurer().oidc(oidc -> {
	oidc.providerConfigurationEndpoint(providerConfigurationEndpoint -> {
		// Collect the "alg" of every JWK bean; JWK::getAlgorithm is null when a key
		// was built without an algorithm, so those are skipped instead of throwing.
		List<String> jwkAlgs = applicationContext.getBeanProvider(JWK.class).orderedStream()
				.map(JWK::getAlgorithm)
				.filter(Objects::nonNull)
				.map(Algorithm::getName)
				.toList();
		providerConfigurationEndpoint.providerConfigurationCustomizer(builder -> {
			builder.idTokenSigningAlgorithms(algs -> {
				algs.clear();
				algs.addAll(jwkAlgs);
			});
		});
	});
})
