Support RFC9449 - DPoP Authentication scheme

spring-projects / spring-security

Spring Security

http://spring.io/projects/spring-security

Apache License 2.0

8.82k stars 5.9k forks source link

Support RFC9449 - DPoP Authentication scheme #14915

Open babisRoutis opened 7 months ago

babisRoutis commented 7 months ago

RFC9449 introduces a way to constraint tokens (access_token, refresh_token) to a client provided pub key.

For a resource server (implemented using spring security) it would be really useful to implement in addition to bearer authentication the DPoP Authentication scheme

Note: Nimbus contains already support for producing DPoP JWT(s) & validating them

sjohnr commented 4 days ago

Thanks for opening this @babisRoutis. I am marking this for consideration in a future release.

babisRoutis commented 3 days ago

Thanks for opening this @babisRoutis. I am marking this for consideration in a future release.

Hi @sjohnr happy to hear that this is for consideration.

With regards to DPoP there are two features that you can consider:

Support DPoP Authentication Scheme in Spring Authorization Server.
Support DPoP scheme in a Protected Resource (that uses spring security). Typically, this includes checking the DPoP Access token using the introspection endpoint of the authorization server, verifying the DPoP JWT (from the Http header) and finally checking that the htu claim corresponds to a spring route.

sjohnr commented 3 days ago

Thanks @babisRoutis.

Support DPoP Authentication Scheme in Spring Authorization Server.

For that, please feel free to open an issue over there since this issue tracker is just for the Spring Security side.

ThomasKasene commented 2 days ago

I'd say this issue should also include DPoP support for the OAuth2 clients out there 😄

In fact, I'm struggling with implementing this right now, and I'm being stopped dead in my tracks due to the strictness of Spring Security. Would it be possible to introduce a new constant in OAuth2AccessToken.TokenType as a kind of initial support? 🙏

public static final TokenType BEARER = new TokenType("Bearer");
public static final TokenType DPOP = new TokenType("DPoP");     // new

I can't make this in my own code because the constructor is private, and I need it to create a new OAuth2AccessTokenResponseConverter that can handle a token_type of DPoP in the token response (see RFC 9449).

sjohnr commented 2 days ago

@ThomasKasene thanks for the input.

Would it be possible to introduce a new constant in OAuth2AccessToken.TokenType as a kind of initial support? 🙏

Absolutely, that makes sense to me. Would you be interested in opening a PR for this? If so, make sure to reference this issue in the commit comment as "Issue gh-14915".

I think it also makes sense to open an issue to consider making the constructor public. I'll do that now.

ThomasKasene commented 2 days ago

Would you be interested in opening a PR for this?

Done via gh-16087 😄

jgrandja commented 2 days ago

@babisRoutis I added spring-authorization-server#1813