Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[FEATURE REQ] Add support for Spring SSL Bundles #37988

Open DuncanCasteleyn opened 12 months ago

DuncanCasteleyn commented 12 months ago

Is your feature request related to a problem? Please describe. Since Spring Boot 3.1 it's possible to use SSL bundles in both PKCS12 and PEM format to reduce duplicate certificates from being loaded and ease configuration of certificates. It could additionally add support for PEM formatted certificates.

Describe the solution you'd like I would like to be able to use Spring SSL bundles to configure, for example, Spring Boot Starter for Microsoft Entra. Instead of using spring.cloud.azure.active-directory.credential.client-certificate-path I'd like a property like spring.cloud.azure.active-directory.credential.certificate-bundle-alias that allows me to use the certificate bundle I configured with Spring Boot.

Describe alternatives you've considered N/A

Additional context https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl


Netyyyy commented 11 months ago

@DuncanCasteleyn , thanks for reaching out. We have received your submission and will put it into the backlog. Please feel free to provide any additional information or context that you think may be helpful. Thank you for your contribution to improving our project.

saragluna commented 11 months ago

@DuncanCasteleyn Thanks for reaching out. I'd like to learn more about the Microsoft Entra scenario you described. So the main use case is to perform OAuth 2.0 authentication via client certificate, and you would like to get the certificate from the SslBundle. But all of the OAuth operations have been taken care of by the Spring Security framework, which means it doesn't require you to write code to handle the certificate retrieved from the SslBundle. And still, you need to provide some extra property to configure the SslBundle, like the certificate path or the JKS? So what's the benefit of using the SslBundle here, if we still need to point to the certificate?

DuncanCasteleyn commented 11 months ago

Hi @saragluna

The information on why is in the blog post I have provided, but to put it simply: Spring Boot now provides an interface that allows you to load a certificate and get it in whatever format you might need. To quote the blog post:

Some want you to provide keystore and truststore java.security.KeyStore instances. Some want you to provide javax.net.ssl.KeyManager and javax.net.ssl.TrustManager instances. Some want you to provide a javax.net.ssl.SSLContext instance.

Additionally, if I want to use the certificate for something else as well, this would be possible without having to load the certificate more than once and having to configure it more than once; I can instead use the alias to refer to it.

It might also be useful for other components in the SDK that support certificates; essentially, Microsoft no longer needs to maintain code to load the certificate and can rely on the logic provided by Spring.
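As an added example (not code from this issue, the Azure SDK or Spring), here is what the proposed alias property could map to on the SDK side: a component looks the bundle up through Spring Boot 3.1's org.springframework.boot.ssl.SslBundles and extracts the private key and certificate that the client-credential flow signs with, so Spring parses the PEM or PKCS12 material once and the SDK keeps no certificate loader of its own. The class name, the bundle name entra and the property lines in the comment are assumptions.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundles;

// Hypothetical helper, not part of the Azure SDK: resolves the Entra client
// certificate from a Spring SSL bundle instead of a raw file path. Assumes a
// bundle configured in application.properties such as:
//   spring.ssl.bundle.pem.entra.keystore.certificate=classpath:entra-client.crt
//   spring.ssl.bundle.pem.entra.keystore.private-key=classpath:entra-client.key
public class BundleClientCertificate {
    // The pair an OAuth 2.0 client-assertion signer needs.
    public record Credential(PrivateKey privateKey, X509Certificate certificate) {}
    private final SslBundles sslBundles;
    public BundleClientCertificate(SslBundles sslBundles) {
        this.sslBundles = sslBundles;
    }
    // bundleName: the value of the proposed property
    // spring.cloud.azure.active-directory.credential.certificate-bundle-alias
    public Credential resolve(String bundleName) throws Exception {
        // Spring Boot has already parsed the PEM/PKCS12 material; just look it up.
        SslBundle bundle = sslBundles.getBundle(bundleName);
        KeyStore keyStore = bundle.getStores().getKeyStore();
        // Honour the bundle's configured key alias; otherwise take the first key entry.
        String alias = bundle.getKey().getAlias();
        if (alias == null) {
            alias = firstKeyAlias(keyStore);
        }
        // Pass the bundle's key password through unchanged (null for unencrypted PEM keys).
        String password = bundle.getKey().getPassword();
        char[] keyPassword = (password != null) ? password.toCharArray() : null;
        PrivateKey key = (PrivateKey) keyStore.getKey(alias, keyPassword);
        X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
        if (key == null || cert == null) {
            throw new IllegalStateException("bundle '" + bundleName + "' has no key entry '" + alias + "'");
        }
        cert.checkValidity(); // fail at startup, not at the first token request
        return new Credential(key, cert);
    }
    private static String firstKeyAlias(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) return a;
        }
        throw new IllegalStateException("key store has no private key entry");
    }
}
```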

saragluna commented 11 months ago

Thanks @DuncanCasteleyn, to reuse the certificate in users' code would be an ideal scenario. But I don't think the SDK can leverage the SSL Bundle, because the SDK is developed on the Java level, while Spring is on top of that. The feature is in our backlog, please stay tuned.

Hakky54 commented 6 months ago

Hi guys, jumping into this discussion. I noticed this topic and I thought it might be useful to share my library here as it might be useful for this use case, but it is up to @saragluna and his team to maybe consider this option. I created sslcontext-kickstart, which can easily create an SSLContext, KeyManager and TrustManager from JKS, P12, DER (binary certificate), PEM (base64 encoded), P7B etc. from the filesystem, classpath, InputStream etc. for configuring HTTP clients and servers.