Replace OidcTokenValidator with OAuth2TokenValidator implementation #5930

Closed
jgrandja opened this issue Oct 9, 2018 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement

Comments

@jgrandja
Contributor

jgrandja commented Oct 9, 2018

We should extract the logic in OidcTokenValidator.validateIdToken() into a new implementation of OAuth2TokenValidator named OidcIdTokenValidator.

The OidcIdTokenValidator instance would then be composed in the required JwtDecoder, for example, NimbusJwtDecoderJwkSupport and NimbusReactiveJwtDecoder.

The classes that would need to be changed are OidcAuthorizationCodeAuthenticationProvider and OidcAuthorizationCodeReactiveAuthenticationManager.

We should also consider exposing OidcIdTokenValidator.setIssuedAtSkew(Duration issuedAtSkew) that would allow for a configurable maxIssuedAt, which is currently hard-coded at 30 secs.

@jgrandja jgrandja added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) OIDC labels Oct 9, 2018
@jgrandja jgrandja added this to the 5.2 milestone Oct 9, 2018
@jgrandja jgrandja modified the milestones: 5.2.0, 5.2.x Oct 19, 2018
@jgrandja jgrandja modified the milestones: 5.2.x, 5.2.0.M1 Oct 30, 2018
@gburboz

gburboz commented Nov 20, 2018

Instead of maxIssuedAt consider naming it maxIssuedWithin.

Also, for expiresAt we need to add a configurable clock skew per provider/client, which should also be added to the above value during the check.
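
An added example, not part of the issue thread and not Spring Security's code: a stand-alone Java sketch of the iat/exp checks discussed above, with both skews configurable. Only `setIssuedAtSkew(Duration)` and the 30-second default come from the thread; the class name `IdTokenTimeCheck`, the `setExpiresAtSkew` setter, its zero default and the exact comparison rules are assumptions.

```java
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-alone class for illustration; not Spring Security code.
public class IdTokenTimeCheck {
    private final Clock clock;
    private Duration issuedAtSkew = Duration.ofSeconds(30); // default named in the thread
    private Duration expiresAtSkew = Duration.ZERO;         // assumed default: no tolerance

    public IdTokenTimeCheck(Clock clock) { this.clock = clock; }

    public void setIssuedAtSkew(Duration skew) { this.issuedAtSkew = nonNegative(skew); }
    public void setExpiresAtSkew(Duration skew) { this.expiresAtSkew = nonNegative(skew); }

    private static Duration nonNegative(Duration d) {
        if (d == null || d.isNegative()) throw new IllegalArgumentException("skew must be >= 0");
        return d;
    }

    /** Returns the failures found; an empty list means both time claims are acceptable. */
    public List<String> validate(Instant issuedAt, Instant expiresAt) {
        List<String> errors = new ArrayList<>();
        if (issuedAt == null || expiresAt == null) {
            errors.add("iat and exp are both required");
            return errors;
        }
        Instant now = clock.instant();
        // exp: expired once the local clock reaches exp plus the allowed skew
        if (!now.isBefore(expiresAt.plus(expiresAtSkew))) errors.add("token expired");
        // iat: reject tokens stamped further into the future than the allowed skew
        if (issuedAt.isAfter(now.plus(issuedAtSkew))) errors.add("iat too far in the future");
        return errors;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2018-11-20T12:00:00Z"); // constructed sample time
        IdTokenTimeCheck check = new IdTokenTimeCheck(Clock.fixed(now, ZoneOffset.UTC));
        System.out.println(check.validate(now.plusSeconds(20), now.plusSeconds(300)));
        System.out.println(check.validate(now.plusSeconds(45), now.plusSeconds(300)));
        System.out.println(check.validate(now.minusSeconds(600), now.minusSeconds(10)));
        check.setExpiresAtSkew(Duration.ofSeconds(60)); // tolerate 60 s of clock drift
        System.out.println(check.validate(now.minusSeconds(600), now.minusSeconds(10)));
    }
}
```

Each skew widens the window in which a stale or post-dated token is accepted, so keep both at the smallest value the provider's clock drift requires.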
