Validate the aud claim in OAuth2 resource server

[chenrujun]

Background

According to this doc, resource-server must validate iss and aud.

Current situation

iss

1. Congiguration: Now iss will be configured by spring.security.oauth2.resourceserver.jwt.issuer-uri,
2. Validation logic:
   

   spring-boot/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java

   Lines 68 to 76 in 30c2727

   	JwtDecoder jwtDecoderByJwkKeySetUri() {
   	NimbusJwtDecoder nimbusJwtDecoder = NimbusJwtDecoder.withJwkSetUri(this.properties.getJwkSetUri())
   	.jwsAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithm())).build();
   	String issuerUri = this.properties.getIssuerUri();
   	if (issuerUri != null) {
   	nimbusJwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
   	}
   	return nimbusJwtDecoder;
   	}

aud

No related logic

Requirement

Just like iss, we should validate aud. And add a property like spring.security.oauth2.resourceserver.jwt.audience.

[mbhave]

There was some discussion in a Spring Security issue around this. I think given that audience validation is common for resource servers, adding a property for it would be a good enhancement. We could then change the auto-configuration to use

new DelegatingOAuth2TokenValidator<>(
        JwtValidators.createDefaultWithIsssuer(issuer),
        new JwtClaimValidator(AUD, aud -> aud != null && aud.contains(properties.getAudience())));

However, if it is similar to other JWT claims (as mentioned in the linked comment), instead of adding properties for all, it might be better if we allowed users to specify a bean of type OAuth2TokenValidator that the auto-configuration could then use. By default, the auto-configuration would use JwtValidators.createDefaultWithIsssuer(issuer) as it does today.

@jzheaux What are your thoughts?

[chenrujun]

@mbhave

Thank you for your response.

if it is similar to other JWT claims (as mentioned in the linked comment)

The claims we need to verify in application level is iss, nbf, exp, aud.
Refs: https://auth0.com/docs/security/tokens/access-tokens/validate-access-tokens

The scp validation is not on the application level, it's on method / endpoint level.

So only aud need to add property, no need for other JWT claims.

[cselagea]

According to this doc, resource-server must validate iss and aud.

That draft has become RFC 9068, which is a Proposed Standard.

[chenrujun]

Hi, @cselagea .

Thank you for your information.

That draft has become RFC 9068, which is a Proposed Standard.

Here is my current understanding:

1. spring-security framework should not implement draft.
2. spring-security framework should implement Proposed Standard.

Correct me if my understanding is wrong.

[cselagea]

Hey @chenrujun, I was just sharing the most up-to-date document. I can't say what Spring Security should or shouldn't do.

[chenrujun]

@cselagea

Got it. Thank you for your sharing.

[ahmedmq]

Hey @mbhave - Can I work on this issue please?

[mbhave]

@ahmedmq Sure, it's all yours. Please let us know if you need any help.

[chenrujun]

Hi, @ahmedmq .
Thank you for your support.
Could you please tell me the ETA and supported Spring Boot version?