Closed jgrandja closed 7 years ago
Thanks for the great work. Could we have something like jwks-uri in the application.yml/properties that creates the store automatically? This should be the default way for validating id_token. Other fields are now mandatory in the .yml; we should have the choice between them and this. Thanks.
@yelhouti This question should be posted in the Spring Boot GitHub as it's related to custom configuration properties in application.yml.
On that note, Spring Boot 1.5.2 has added a new configuration property related to this issue:
security.oauth2.resource.jwk.key-set-uri: [URL to JWK Set]
You mentioned the following...
this should be the default way for validating id_token
Please note that Spring Security OAuth currently does not provide support for OpenID Connect so there is no validation/verification of id_token.
We are currently working on a re-write of OAuth and integrating it into Spring Security proper and it will provide support for OpenID Connect. You can track the issue here
Indeed, I forgot to update Spring Boot in gradle.properties: springBootVersion = '1.5.2.RELEASE'. Good luck for the re-write, you might want to have a look at this repo: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server Hope it helps, or you already know it. Thanks and keep up the good work.
Thanks @yelhouti. Yes, I have already looked at MITREid Connect.
It would be very useful to have a TokenStore implementation that verifies a JWT using a JSON Web Key (JWK). The main goal of this implementation would be to verify a JWT using the corresponding JWK. The JWK used for verification is matched using the kid header parameter of the JWT and the kid attribute of the JWK. The implementation would be responsible for fetching the JWK Set (the set of available JSON Web Keys) from the supplied URL.
Related Specifications
JSON Web Token (JWT)
JSON Web Key (JWK)
JSON Web Signature (JWS)
JSON Web Encryption (JWE)
JSON Web Algorithms (JWA)
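
The kid-matched verification requested in this issue, sketched as an added example in stdlib-only Python; it is not Spring Security OAuth code, and select_jwk, verify_rs256 and demo_fixture are hypothetical names. It assumes RS256 only, a JWK Set that has already been fetched and parsed, and a 2048-bit minimum modulus; claim checks such as exp, iss and aud are out of scope, and the fixture key is a constructed, insecure test key.

```python
import base64, hashlib, hmac, json

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_DI = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def emsa_pkcs1_v15(signing_input, k):
    t = SHA256_DI + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def select_jwk(jwk_set, kid):
    """Return the one RSA signing key whose kid matches; fail closed otherwise."""
    hits = [j for j in jwk_set.get("keys", []) if j.get("kid") == kid
            and j.get("kty") == "RSA" and j.get("use", "sig") == "sig" and j.keys() >= {"n", "e"}]
    if not kid or len(hits) != 1:
        raise ValueError("no unique JWK for kid %r" % (kid,))
    return hits[0]

def verify_rs256(token, jwk_set):
    """Verify a compact JWS against a JWK Set; return the claims or raise ValueError."""
    h64, p64, s64 = token.split(".")  # wrong number of parts raises ValueError
    header = json.loads(b64d(h64))
    # Pin the algorithm: the token header must not be able to pick "none" or an HMAC.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    jwk = select_jwk(jwk_set, header.get("kid"))
    n, e = (int.from_bytes(b64d(jwk[f]), "big") for f in ("n", "e"))
    sig, k = b64d(s64), (n.bit_length() + 7) // 8
    if n.bit_length() < 2048 or len(sig) != k:  # 2048-bit floor is an assumed policy
        raise ValueError("weak key or bad signature length")
    recovered = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    expected = emsa_pkcs1_v15((h64 + "." + p64).encode(), k)
    if not hmac.compare_digest(recovered, expected):
        raise ValueError("signature mismatch")
    return json.loads(b64d(p64))

def demo_fixture(kid, claims):
    """Constructed test data: RSA key built from two Mersenne primes, insecure, demo only."""
    p, q, e = 2**1279 - 1, 2**2203 - 1, 65537
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    k = (n.bit_length() + 7) // 8
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head, body = enc(json.dumps({"alg": "RS256", "kid": kid}).encode()), enc(json.dumps(claims).encode())
    em = int.from_bytes(emsa_pkcs1_v15((head + "." + body).encode(), k), "big")
    sig = enc(pow(em, d, n).to_bytes(k, "big"))
    rsa = {"n": enc(n.to_bytes(k, "big")), "e": enc(e.to_bytes(3, "big"))}
    return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, **rsa}]}, f"{head}.{body}.{sig}"
```

Calling `demo_fixture("key-1", {"sub": "alice"})` returns a JWK Set and a token that `verify_rs256` accepts; changing the payload, the kid or the alg makes it raise ValueError.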