spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Add TokenStore supporting JWT verification using JWK #977

Closed jgrandja closed 7 years ago

jgrandja commented 7 years ago

It would be very useful to have a TokenStore implementation that verifies a JWT using a JSON Web Key (JWK).

The main goal of this implementation would be to verify a JWT using the corresponding JWK. The JWK used for verification is matched using the kid header parameter of the JWT and the kid attribute of the JWK.

The implementation would be responsible for fetching the JWK Set (the set of available JSON Web Keys) from the supplied URL.

Related Specifications

JSON Web Token (JWT)

JSON Web Key (JWK)

JSON Web Signature (JWS)

JSON Web Encryption (JWE)

JSON Web Algorithms (JWA)
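The verification path the issue asks for, as an added example in Go rather than the project's Java (this is not Spring Security OAuth code and uses none of its APIs): an issuer publishes an RSA public key in a JWK Set under a `kid`, the token's `kid` header selects that key, the algorithm is pinned to RS256 by the verifier, and the signature is checked before any claim is read. The key id `key-1`, the claims, and the in-memory JWK Set are constructed for the example; a real TokenStore would fetch the set from the JWK Set URL and cache it, which is the one step omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK and JWKSet hold the RFC 7517 members this example needs: one RSA key, and the {"keys": [...]} document served at the JWK Set URL.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKSet struct{ Keys []JWK `json:"keys"` }
var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// FromRSAPublicKey publishes a public key as a JWK under the given kid (issuer side).
func FromRSAPublicKey(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Kid: kid,
		N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// SignRS256 issues a compact JWS (header.payload.signature) whose header names the signing key's kid.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// Verify is the TokenStore read path: match kid against the JWK Set, pin the algorithm, check the signature.
func Verify(token string, set JWKSet) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed compact JWS")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	plRaw, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token parts are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	// The verifier fixes the algorithm; a token announcing "none" or an HMAC alg is refused outright.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	var key *JWK
	for i := range set.Keys {
		if set.Keys[i].Kid == hdr.Kid {
			key = &set.Keys[i]
		}
	}
	if key == nil || key.Kty != "RSA" {
		return nil, fmt.Errorf("no RSA key with kid %q in JWK Set", hdr.Kid)
	}
	n, errN := b64.DecodeString(key.N)
	e, errE := b64.DecodeString(key.E)
	if errN != nil || errE != nil {
		return nil, fmt.Errorf("kid %q has malformed n or e", hdr.Kid)
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if err := json.Unmarshal(plRaw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed issuer key pair
	set := JWKSet{Keys: []JWK{FromRSAPublicKey("key-1", &priv.PublicKey)}}
	tok, _ := SignRS256(priv, "key-1", map[string]any{"sub": "alice"})
	fmt.Println(Verify(tok, set))
}
```

Two points a TokenStore built on this would add: on an unknown `kid` it should re-fetch the JWK Set once before failing, since issuers rotate keys by publishing a new `kid` ahead of use; and claim checks (`exp`, `iss`, `aud`) belong after the signature check, never before it, because an unverified payload is attacker-controlled input.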

yelhouti commented 7 years ago

Thanks for the great work. Could we have something like jwks-uri in the application.yml/properties that creates the store automatically? This should be the default way for validating id_token. Other fields are now mandatory in the .yml; we should have the choice between them and this. Thanks

jgrandja commented 7 years ago

@yelhouti This question should be posted in the Spring Boot GitHub as it's related to custom configuration properties in application.yml.

On that note, Spring Boot 1.5.2 has added a new configuration property related to this issue

security.oauth2.resource.jwk.key-set-uri: [URL to JWK Set]

You mentioned the following...

this should be the default way for validating id_token

Please note that Spring Security OAuth currently does not provide support for OpenID Connect so there is no validation/verification of id_token.

We are currently working on a re-write of OAuth and integrating it into Spring Security proper and it will provide support for OpenID Connect. You can track the issue here

yelhouti commented 7 years ago

Indeed, I forgot to update Spring Boot in gradle.properties: springBootVersion = '1.5.2.RELEASE'. Good luck with the re-write; you might want to have a look at this repo: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server Hope it helps, or you already know it. Thanks and keep up the good work.

jgrandja commented 7 years ago

Thanks @yelhouti. Yes, I have already looked at MITREid Connect.