spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

Add client-certificate when fetching client-jwks #1788

Open edwinrozendom opened 4 weeks ago

edwinrozendom commented 4 weeks ago

Expected Behavior

We would like to add a client-certificate to the outbound request when fetching a JwkSetUrl from a configured client.

Current Behavior

RestTemplate is a static final variable in JwtClientAssertionDecoderFactory.java. It would be nice to expose RestTemplate in order to configure it with the authorizationServerConfigurer (same suggestion as in #1413).

The exposed method could be used in the authorizationServerConfigurer.AuthenticationProvider, e.g.

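authenticationProviders.forEach((authenticationProvider) -> {
    if (authenticationProvider instanceof JwtClientAssertionAuthenticationProvider) {
        // Customize JwtClientAssertionDecoderFactory
        JwtClientAssertionDecoderFactory jwtDecoderFactory = new JwtClientAssertionDecoderFactory();
        // Proposed setter (the subject of this issue): pass a RestTemplate that presents the client certificate
        jwtDecoderFactory.setRestTemplate(...);
        // Register the customized factory on the provider
        ((JwtClientAssertionAuthenticationProvider) authenticationProvider).setJwtDecoderFactory(jwtDecoderFactory);
    }
});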

Context

This issue only affects OAuth flows with private_key_jwt client authentication.

I would be able to create a PR if the suggestion of exposing RestTemplate is acceptable!

jgrandja commented 4 weeks ago

@edwinrozendom I'm not sure we want to expose JwtClientAssertionDecoderFactory.setRestTemplate(). I'll need to give this some further thought.

In the meantime, you can provide a custom JwtClientAssertionAuthenticationProvider.setJwtDecoderFactory() similar to JwtClientAssertionDecoderFactory but scaled down to only support jwk-set-url lookup.
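
A sketch of the scaled-down factory suggested in the comment above, as an added example that is not code from the project or from either commenter: it resolves keys only through the client's jwk-set-url and fetches them over a connection that presents a client certificate. The class name `MtlsJwkSetUrlDecoderFactory` and the PKCS#12 keystore path and password are assumptions, and it assumes Spring Framework 6.1+ (for `JdkClientHttpRequestFactory`) and a release that exposes `JwtClientAssertionDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY`.

```java
import java.io.InputStream;
import java.net.http.HttpClient;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.*;
import org.springframework.http.client.JdkClientHttpRequestFactory;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.authorization.authentication.JwtClientAssertionDecoderFactory;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.StringUtils;
import org.springframework.web.client.*;

// Added example (hypothetical class name); keystore location and password handling are assumptions.
public final class MtlsJwkSetUrlDecoderFactory implements JwtDecoderFactory<RegisteredClient> {
    private final Map<String, JwtDecoder> decoders = new ConcurrentHashMap<>();
    private final RestOperations restOperations;

    public MtlsJwkSetUrlDecoderFactory(Path pkcs12, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(pkcs12)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // null trust managers: the JWKS host is still verified against the JVM default trust store
        sslContext.init(kmf.getKeyManagers(), null, null);
        HttpClient httpClient = HttpClient.newBuilder().sslContext(sslContext).build();
        this.restOperations = new RestTemplate(new JdkClientHttpRequestFactory(httpClient));
    }

    @Override
    public JwtDecoder createDecoder(RegisteredClient client) {
        return this.decoders.computeIfAbsent(client.getId(), id -> {
            String jwkSetUrl = client.getClientSettings().getJwkSetUrl();
            if (!StringUtils.hasText(jwkSetUrl) || !(client.getClientSettings()
                    .getTokenEndpointAuthenticationSigningAlgorithm() instanceof SignatureAlgorithm alg)) {
                // Only jwk-set-url lookup with an asymmetric algorithm is supported here
                throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT));
            }
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUrl)
                    .jwsAlgorithm(alg).restOperations(this.restOperations).build();
            // Reuse the stock claim checks so the custom factory does not weaken assertion validation
            decoder.setJwtValidator(JwtClientAssertionDecoderFactory.DEFAULT_JWT_VALIDATOR_FACTORY.apply(client));
            return decoder;
        });
    }
}
```

An instance is passed to `JwtClientAssertionAuthenticationProvider.setJwtDecoderFactory()` inside the `authenticationProviders` loop shown in the issue. Decoders are cached per registered client id, so a changed jwk-set-url only takes effect for a new factory instance.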