
Support auto-configuration of JwkSet Uri #5523


Closed
jgrandja opened this issue Jul 16, 2018 · 4 comments
Assignees: jzheaux
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)
Milestone: 5.1.0.M2

Comments

jgrandja (Contributor) commented Jul 16, 2018

We should provide support for auto-configuration of the JwkSet Uri via the supplied issuer claim that can be used to discover Provider Metadata via OpenID Connect Discovery. The Provider Metadata contains the jwks_uri attribute which would be used to supply the JwtDecoder.

jgrandja added the "New Feature" and "in: oauth2" (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels Jul 16, 2018
jgrandja added this to the 5.1.0.M2 milestone Jul 16, 2018

jgrandja (Contributor, Author) commented

After this feature has been merged, we need to log a ticket with the Boot team to support the issuer configuration property.

jgrandja (Contributor, Author) commented

@jzheaux As far as approach on implementing this feature, @rwinch and I spoke and agree that it should be implemented similar to how OidcConfigurationProvider.issuer() is implemented for ClientRegistration metadata discovery.

For example:
JwtDecoder OidcConfigurationProvider.issuer()

The returned JwtDecoder would be configured with the jwks_uri from the discovered Provider Configuration and then supplied to resourceServer().jwt().decoder(jwtDecoder).

NOTE: We may have to refactor the existing OidcConfigurationProvider to support both configurations of ClientRegistration and JwtDecoder. However, we're also debating keeping these in separate classes (client- and resource-server-specific configs). It's difficult to tell at this point until the work gets started, so if you have any suggestions, let's start that dialogue in a PR.

rwinch (Member) commented Jul 26, 2018

> and then supplied to resourceServer().jwt().decoder(jwtDecoder).

Spring Security would not configure this on the DSL. Users (and Boot) could create a JwtDecoder Bean using the factory, and then it would be used by the DSL by default. Alternatively, users would be able to explicitly inject it via the decoder(..) method.

jgrandja (Contributor, Author) commented

Related #5584

jzheaux self-assigned this Aug 1, 2018

jzheaux added a commit to jzheaux/spring-security that referenced this issue Aug 16, 2018:

    Adding JwtDecoders#fromOidcIssuerLocation which takes an issuer
    and derives from it the jwk set uri via a call to
    .well-known/openid-configuration

    Fixes: gh-5523
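The discovery step described in the implementation-approach comment above and in the commit message (issuer → `/.well-known/openid-configuration` → `jwks_uri` → decoder) is shown below as an added, stand-alone example. It is not code from Spring Security or from this thread, and it is written in Python rather than Java so that it runs offline: the HTTP fetch is injectable, and the issuer host `idp.example.com` and its metadata document are constructed for the demonstration. Beyond the thread's description, it applies the two checks a resource server should make before trusting the discovered `jwks_uri`: the `issuer` field in the returned metadata must be identical to the configured issuer (OpenID Connect Discovery 1.0, section 4.3), and the `jwks_uri` must be an absolute https URL, since keys fetched over plaintext could be substituted in transit.

```python
"""Derive a JWK Set URI from an OpenID Connect issuer via OIDC Discovery.

Added example, not Spring Security code. The HTTP fetch is injectable so the
module runs offline against constructed provider-metadata documents.
"""
import json
from typing import Callable, Dict
from urllib.parse import urlsplit
from urllib.request import urlopen

WELL_KNOWN = "/.well-known/openid-configuration"


class DiscoveryError(ValueError):
    """Raised when provider metadata is missing, malformed or not trustworthy."""


def discovery_url(issuer: str) -> str:
    """Build the discovery URL (OIDC Discovery 1.0, 4.1): the issuer's path, if
    any, is kept and a terminating '/' is removed before the well-known suffix."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise DiscoveryError(f"issuer must be an https URL without query/fragment: {issuer!r}")
    return issuer.rstrip("/") + WELL_KNOWN


def default_fetch(url: str) -> bytes:
    """Real transport; not exercised in the offline demonstration."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def jwks_uri_from_issuer(issuer: str, fetch: Callable[[str], bytes] = default_fetch) -> str:
    """Return the jwks_uri a JWT decoder should be built from, after checking
    the metadata the provider returned."""
    raw = fetch(discovery_url(issuer))
    try:
        metadata = json.loads(raw)
    except ValueError as exc:
        raise DiscoveryError("provider metadata is not valid JSON") from exc
    if not isinstance(metadata, dict):
        raise DiscoveryError("provider metadata must be a JSON object")

    # OIDC Discovery 1.0, 4.3: the 'issuer' in the document MUST be identical to
    # the issuer used to retrieve it. A document that names another issuer is
    # rejected, so a misrouted or tampered response cannot point the decoder at
    # foreign signing keys. Configure the issuer exactly as the provider publishes it.
    if metadata.get("issuer") != issuer:
        raise DiscoveryError(f"metadata issuer {metadata.get('issuer')!r} != configured {issuer!r}")

    jwks_uri = metadata.get("jwks_uri")
    if not isinstance(jwks_uri, str):
        raise DiscoveryError("provider metadata has no jwks_uri")
    jwks_parts = urlsplit(jwks_uri)
    # Keys fetched over plaintext could be swapped in transit; insist on https.
    if jwks_parts.scheme != "https" or not jwks_parts.netloc:
        raise DiscoveryError(f"jwks_uri must be an absolute https URL: {jwks_uri!r}")
    return jwks_uri


def serve(documents: Dict[str, dict]) -> Callable[[str], bytes]:
    """Offline stand-in for default_fetch: maps a URL to the JSON document served there."""
    def fetch(url: str) -> bytes:
        if url not in documents:
            raise DiscoveryError(f"nothing served at {url}")
        return json.dumps(documents[url]).encode("utf-8")
    return fetch


# Constructed provider metadata for the offline demonstration (hypothetical host).
ISSUER = "https://idp.example.com/realms/demo"
METADATA = {
    "issuer": ISSUER,
    "jwks_uri": "https://idp.example.com/realms/demo/protocol/openid-connect/certs",
}


if __name__ == "__main__":
    print("jwks_uri:", jwks_uri_from_issuer(ISSUER, serve({discovery_url(ISSUER): METADATA})))
    for label, doc in (
        ("issuer mismatch", dict(METADATA, issuer="https://idp.example.net")),
        ("http jwks_uri", dict(METADATA, jwks_uri="http://idp.example.com/certs")),
        ("missing jwks_uri", {"issuer": ISSUER}),
    ):
        try:
            jwks_uri_from_issuer(ISSUER, serve({discovery_url(ISSUER): doc}))
        except DiscoveryError as err:
            print(f"rejected ({label}): {err}")
```

The string this returns is what would be handed to the JWK-set-backed decoder; the same configured issuer value is also what the decoder should later compare each token's `iss` claim against, which is why the example insists on an exact match rather than normalising the two.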
rwinch closed this as completed in 2e620a2 Aug 17, 2018
rwinch added the "type: enhancement" (A general enhancement) label May 3, 2019