Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support RFC9449 - DPoP Authentication scheme #14915

Open
babisRoutis opened this issue Apr 16, 2024 · 7 comments
Open

Support RFC9449 - DPoP Authentication scheme #14915

babisRoutis opened this issue Apr 16, 2024 · 7 comments
Assignees
@sjohnr
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

@babisRoutis
Copy link

babisRoutis commented Apr 16, 2024
edited
Loading

RFC9449 introduces a way to constraint tokens (access_token, refresh_token) to a client provided pub key.

For a resource server (implemented using spring security) it would be really useful to implement in addition to bearer authentication the DPoP Authentication scheme

Note: Nimbus contains already support for producing DPoP JWT(s) & validating them
@babisRoutis babisRoutis added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 16, 2024
@sjohnr sjohnr self-assigned this Nov 11, 2024
@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 11, 2024
@sjohnr
Copy link
Member

sjohnr commented Nov 11, 2024

Thanks for opening this @babisRoutis. I am marking this for consideration in a future release.

@sjohnr sjohnr moved this to Planning in Spring Security Team Nov 11, 2024
@babisRoutis
Copy link
Author

Thanks for opening this @babisRoutis. I am marking this for consideration in a future release.

Hi @sjohnr happy to hear that this is for consideration.

With regards to DPoP there are two features that you can consider:

  • Support DPoP Authentication Scheme in Spring Authorization Server.
  • Support DPoP scheme in a Protected Resource (that uses spring security). Typically, this includes checking the DPoP Access token using the introspection endpoint of the authorization server, verifying the DPoP JWT (from the Http header) and finally checking that the htu claim corresponds to a spring route.

@sjohnr
Copy link
Member

sjohnr commented Nov 13, 2024

Thanks @babisRoutis.

Support DPoP Authentication Scheme in Spring Authorization Server.

For that, please feel free to open an issue over there since this issue tracker is just for the Spring Security side.

@ThomasKasene
Copy link

ThomasKasene commented Nov 13, 2024
edited
Loading

I'd say this issue should also include DPoP support for the OAuth2 clients out there 😄

In fact, I'm struggling with implementing this right now, and I'm being stopped dead in my tracks due to the strictness of Spring Security. Would it be possible to introduce a new constant in OAuth2AccessToken.TokenType as a kind of initial support? 🙏

public static final TokenType BEARER = new TokenType("Bearer");
public static final TokenType DPOP = new TokenType("DPoP");     // new

I can't make this in my own code because the constructor is private, and I need it to create a new OAuth2AccessTokenResponseConverter that can handle a token_type of DPoP in the token response (see RFC 9449).

@sjohnr
Copy link
Member

sjohnr commented Nov 13, 2024

@ThomasKasene thanks for the input.

Would it be possible to introduce a new constant in OAuth2AccessToken.TokenType as a kind of initial support? 🙏

Absolutely, that makes sense to me. Would you be interested in opening a PR for this? If so, make sure to reference this issue in the commit comment as "Issue gh-14915".

I think it also makes sense to open an issue to consider making the constructor public. I'll do that now.

@sjohnr sjohnr mentioned this issue Nov 13, 2024
Open
ThomasKasene added a commit to ThomasKasene/spring-security that referenced this issue Nov 13, 2024
@ThomasKasene
Added a constant for DPOP in OAuth2AccessToken.TokenType
7b759a2 
Issue spring-projectsgh-14915
@ThomasKasene ThomasKasene mentioned this issue Nov 13, 2024
Open
@ThomasKasene
Copy link

Would you be interested in opening a PR for this?

Done via gh-16087 😄

@jgrandja
Copy link
Contributor

@babisRoutis I added spring-authorization-server#1813

@ThomasKasene ThomasKasene mentioned this issue Nov 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
Spring Security Team
Status: Planning
Milestone
No milestone
Development

No branches or pull requests
4 participants
@sjohnr @ThomasKasene @jgrandja @babisRoutis