spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Support jwt in introspection response #15467

Open CrazyParanoid opened 1 month ago

CrazyParanoid commented 1 month ago

It would be nice to provide support for phantom tokens. Many IDPs already have this feature, for example Keycloak or Curity. The main idea is that when introspection is called, a JWT is returned in the response. For example, as in Keycloak:

```json
{
  "jwt": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJLb3BHYmVaeFdHSWJ6N2NVbDQzRFNqLXRIS1d5aklpSFB3LTB2bGNpTTJRIn0.….yiAScO2FDFeRXaYtRBjRuB5Y2pUZVg4dg6J41WL7mKHa3B_Zp1gshGx1W06fQQdFjlAWnz__QiKTqBwznf_ENxmTNP1Cl8e5h3Tv9fnxBWOVrpyCnKiEP1--va8JkFnwuN4x_JXCk_RLasNVK0CK4fm566WaiIstD2JM3-zoM8qzQFipY7EqFwaBZ1SYwIZnZxzKL_F8e6VVk3PnRHJBr0WYWo1uK889DBPZABjxzJlEs5IBeVYATCAwJBqYoPNeB-VPhN9JEFZWjlbBqVDhvw10KRs9JflJPn8IiJGM9zMUl-l5LZrm4pAGG4eC_unwY0ewg9gWI6hgxRNjRzLHMQ"
}
```

Apparently this is very similar to JWT Response for OAuth Token Introspection.

jzheaux commented 1 month ago

I think there could be merit in implementing that spec once it is finalized. I'll leave this ticket open for the time being to see how it evolves.

jzheaux commented 1 month ago

In the meantime, I think this would be a good fit for a Spring Security sample. Would you be interested in contributing to https://github.com/spring-projects/spring-security-samples/issues/295?
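The kind of phantom-token introspector such a sample might contain, written here as an added example; it is not code from Spring Security or from either commenter. It assumes a delegate `OpaqueTokenIntrospector` (such as `SpringOpaqueTokenIntrospector`) that exposes the response's `jwt` member as a principal attribute, a `JwtDecoder` configured for the authorization server's keys, and the hypothetical class name `PhantomTokenIntrospector`.

```java
import java.util.Collection;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.DefaultOAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.oauth2.server.resource.introspection.BadOpaqueTokenException;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;

/**
 * Added example, not Spring Security's own code. The RFC 7662 call is delegated to
 * an existing introspector, which already rejects tokens whose "active" is false.
 * Assumption: the delegate exposes every response member, including the
 * non-standard "jwt" member shown in the issue, as a principal attribute.
 */
public class PhantomTokenIntrospector implements OpaqueTokenIntrospector {

    private final OpaqueTokenIntrospector delegate;
    // Must check signature, exp/nbf and issuer, e.g. NimbusJwtDecoder.withJwkSetUri(...).build()
    private final JwtDecoder jwtDecoder;

    public PhantomTokenIntrospector(OpaqueTokenIntrospector delegate, JwtDecoder jwtDecoder) {
        this.delegate = delegate;
        this.jwtDecoder = jwtDecoder;
    }

    @Override
    public OAuth2AuthenticatedPrincipal introspect(String token) {
        OAuth2AuthenticatedPrincipal introspected = delegate.introspect(token);
        Object phantom = introspected.getAttribute("jwt");
        if (!(phantom instanceof String jwtValue) || jwtValue.isBlank()) {
            return introspected; // plain introspection response, no phantom token
        }
        Jwt jwt;
        try {
            // Verify the embedded JWT like any bearer JWT rather than trusting the channel alone.
            jwt = jwtDecoder.decode(jwtValue);
        } catch (JwtException ex) {
            throw new BadOpaqueTokenException("Introspection response carried an invalid jwt", ex);
        }
        // Extra consistency check (added here): both views must describe the same subject.
        Object sub = introspected.getAttribute("sub");
        if (sub != null && !sub.equals(jwt.getSubject())) {
            throw new BadOpaqueTokenException("Subject mismatch between introspection response and jwt");
        }
        Collection<GrantedAuthority> authorities = new JwtGrantedAuthoritiesConverter().convert(jwt);
        return new DefaultOAuth2AuthenticatedPrincipal(jwt.getSubject(), jwt.getClaims(), authorities);
    }
}
```

Register it with `oauth2ResourceServer(rs -> rs.opaqueToken(o -> o.introspector(new PhantomTokenIntrospector(delegate, decoder))))`; the resulting principal then carries the verified JWT claims instead of only the introspection fields.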