Enable a way to configure different JWK kids for each clientId #1004

Closed
pauloapf opened this issue Dec 14, 2022 · 1 comment
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@pauloapf
Current Behavior

When I try to configure two JWK entries with different kids and different private/public keys, the Spring OAuth2 Authorization Server works okay and returns them in the http://[]/oauth2/token endpoint.

When I try to do a client credentials grant (POST http://[]/oauth2/token), I get the error below. This error seems to be right, since the authorization server does not know which kid it should use for the client that is requesting the token.

org.springframework.security.oauth2.jwt.JwtEncodingException: An error occurred while attempting to encode the Jwt: Found multiple JWK signing keys for algorithm 'RS256'
    at org.springframework.security.oauth2.jwt.NimbusJwtEncoder.selectJwk(NimbusJwtEncoder.java:128) ~[spring-security-oauth2-jose-6.0.0.jar:6.0.0]
    at org.springframework.security.oauth2.jwt.NimbusJwtEncoder.encode(NimbusJwtEncoder.java:108) ~[spring-security-oauth2-jose-6.0.0.jar:6.0.0]
    at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:159) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:58) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator.generate(DelegatingOAuth2TokenGenerator.java:59) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider.authenticate(OAuth2ClientCredentialsAuthenticationProvider.java:125) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.0.0.jar:6.0.0]
    at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter.doFilterInternal(OAuth2TokenEndpointFilter.java:167) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]

My Code:

	import java.util.ArrayList;
	import java.util.List;

	import com.nimbusds.jose.jwk.JWK;
	import com.nimbusds.jose.jwk.JWKSet;
	import com.nimbusds.jose.jwk.source.JWKSource;
	import com.nimbusds.jose.proc.SecurityContext;
	import org.springframework.context.annotation.Bean;
	import org.springframework.security.oauth2.jwt.JwtDecoder;
	import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;

	// Builds one JWKSet that contains every configured key pair, each with its own kid.
	@Bean
	public JWKSet jwkSet(AuthProperties authProperties) throws Exception {
		List<JWK> keys = new ArrayList<>();

		for (JksProperties jwk : authProperties.getJksList()) {
			keys.add(loadRsa(jwk)); // loadRsa reads the RSA key pair from the configured keystore entry
		}

		return new JWKSet(keys);
	}

	// Exposes the whole set; the selector handed in by the encoder picks the key to use.
	@Bean
	public JWKSource<SecurityContext> jwkSource(JWKSet jwkSet) {
		return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
	}

	@Bean
	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
	}

Expected Behavior

The solution I found was to create two instances of the authorization server, so each of the instances can have its own kid and public and private key.

It would be nice (maybe it exists and I don't know) to have a way to configure the same authorization server to have multiple JWKs to be used for different clients.

Context

I have a requirement to sign two different JWT tokens; for each one I should use a different kid/public/private key. These kids should also be returned in the same JWKS endpoint.

The workaround/alternative I'm thinking is to run two different instances of the authorization server.

@pauloapf pauloapf added the type: enhancement A general enhancement label Dec 14, 2022
@jgrandja
Collaborator

Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

NOTE: Spring Authorization Server only requires a JWKSource<SecurityContext> @Bean to provide the keys and is not concerned with the internal behaviours of the JWKSource<SecurityContext>, for example, key rotation or active/passive key lists. Key rotation can be implemented in many different ways and the source of the keys can be provided/stored in many different key storage systems. This is not a concern for this project and would not be a feature built into the framework. This concern is the responsibility of the consuming application to implement.

Related gh-544

@jgrandja jgrandja self-assigned this Dec 15, 2022
@jgrandja jgrandja added the "for: stackoverflow" (a question that's better suited to stackoverflow.com) and "status: declined" (a suggestion or change that we don't feel we should currently apply) labels, and removed the "type: enhancement" and "for: stackoverflow" labels, Dec 15, 2022
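One way to resolve the "multiple JWK signing keys" ambiguity inside a single authorization server, as an added example that is not from the thread or the project's code: a token customizer that pins the JWS kid per client, so the encoder's key matcher selects exactly one key from a JWKSet holding several. It assumes the JWKSet/JWKSource from the issue hold every key pair, that NimbusJwtEncoder (spring-security-oauth2-jose 6.0) matches on the header kid, and a hypothetical clientId-to-kid map that in practice would come from the same configuration that loads the keys.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class PerClientKidConfig {

    // Hypothetical mapping clientId -> kid (constructed values). Each kid must match
    // the kid of one JWK in the JWKSet the jwkSource bean exposes.
    private static final Map<String, String> KID_BY_CLIENT_ID = Map.of(
            "billing-client", "kid-billing",
            "reporting-client", "kid-reporting");

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> perClientKidCustomizer() {
        // JwtGenerator runs this for every JWT it encodes (access tokens and ID tokens),
        // so the kid is fixed before NimbusJwtEncoder selects a key.
        return context -> {
            String clientId = context.getRegisteredClient().getClientId();
            String kid = KID_BY_CLIENT_ID.get(clientId);
            if (kid == null) {
                // Fail closed: a client without a mapped key is refused with a standard
                // OAuth2 error instead of being signed with an arbitrary key from the set.
                throw new OAuth2AuthenticationException(new OAuth2Error(
                        OAuth2ErrorCodes.SERVER_ERROR,
                        "No signing key configured for client " + clientId, null));
            }
            // The encoder builds its JWKMatcher from the JWS header; with kid set, only
            // the matching key is selected. The same kid lands in the token header, so
            // resource servers can pick the right public key from the JWKS endpoint.
            context.getJwsHeader().keyId(kid);
        };
    }
}
```

Because every key pair stays in the single JWKSet, the JWKS endpoint still publishes all kids, which is the second requirement stated in the issue.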