Validate the aud claim in OAuth2 resource server #29084

Closed

Conversation


@ahmedmq ahmedmq commented Dec 16, 2021

Configure a new optional property for audience in resource server. Validate the audience claim in JWT if the audience property is provided.

Closes #28427

Provide JWT audience field validation support, if the new optional audience property is supplied

Fixes spring-projectsgh-28427
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 16, 2021
@mbhave mbhave added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 16, 2021
@mbhave mbhave added this to the 2.7.x milestone Dec 16, 2021
/**
* Identifies the recipients that the JWT is intended for.
*/
private String audience;
@chenrujun chenrujun Jan 7, 2022

Considering the spring-cloud-gateway scenario, I suggest using List<String> instead of String.

client -> spring-cloud-gateway -> resource-server-1
                               -> resource-server-2
                               -> etc..

When spring-cloud-gateway validates the access token, the valid audience is a list of strings.

Contributor

And rename variable from audience to audiences.

Member

Thanks, @chenrujun. This makes sense to me. The validation should then use a predicate that checks that at least one audience in the JWT matches one of the configured audiences. Does that make sense to you, @mbhave?
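
The predicate-based check described in the comment above, written out as an added example (it is not the code merged in this PR nor Spring Boot's own implementation). It uses Spring Security's public JwtClaimValidator and NimbusJwtDecoder APIs; the issuer, JWK set URI and audience values are placeholders, and the tokens in main are constructed locally rather than decoded from a real JWS.

```java
import java.util.Collections;
import java.util.List;
import java.util.function.Predicate;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Example (not Spring Boot's own code): accept a token only when at least one
// "aud" value is in the configured audience list.
public final class AudienceValidationExample {

    // "aud" is optional; JwtClaimValidator passes null when the claim is absent,
    // so a missing claim must fail validation instead of throwing.
    static Predicate<List<String>> anyAudienceMatches(List<String> configured) {
        return aud -> aud != null && !Collections.disjoint(aud, configured);
    }

    static OAuth2TokenValidator<Jwt> audienceValidator(List<String> audiences) {
        return new JwtClaimValidator<List<String>>(JwtClaimNames.AUD, anyAudienceMatches(audiences));
    }

    // Keeps the default timestamp and issuer checks and adds the audience check.
    static OAuth2TokenValidator<Jwt> resourceServerValidator(String issuer, List<String> audiences) {
        return new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuer), audienceValidator(audiences));
    }

    // Wiring for the "jwk-set-uri" style of configuration; URIs are placeholders.
    static NimbusJwtDecoder jwtDecoder(String jwkSetUri, String issuer, List<String> audiences) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(resourceServerValidator(issuer, audiences));
        return decoder;
    }

    public static void main(String[] args) {
        OAuth2TokenValidator<Jwt> v = audienceValidator(List.of("resource-server-1", "resource-server-2"));
        // Constructed tokens (no signature check here): one overlaps the list, one has no "aud".
        Jwt overlapping = Jwt.withTokenValue("constructed").header("alg", "RS256")
                .audience(List.of("other-api", "resource-server-2")).build();
        Jwt noAudience = Jwt.withTokenValue("constructed").header("alg", "RS256").subject("alice").build();
        for (Jwt jwt : List.of(overlapping, noAudience)) {
            System.out.println("aud=" + jwt.getAudience() + " errors=" + v.validate(jwt).getErrors());
        }
    }
}
```

A token whose "aud" list shares no entry with the configured audiences, or that carries no "aud" claim at all, is reported with an error by the validator and rejected by the decoder.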


fstorz commented Mar 13, 2022

The changes in this PR only apply the audience validation if the decoder is configured via "jwk-set-uri". Would it make sense to also provide this feature when the decoder is configured via "issuer-uri"?

@snicoll snicoll requested a review from mbhave March 21, 2022 09:37
mbhave pushed a commit to mbhave/spring-boot that referenced this pull request Apr 21, 2022
mbhave added a commit to mbhave/spring-boot that referenced this pull request Apr 21, 2022
snicoll pushed a commit that referenced this pull request Apr 21, 2022
@snicoll snicoll closed this in de17878 Apr 21, 2022
Member

snicoll commented Apr 21, 2022

@ahmedmq thank you for making your first contribution to Spring Boot.

@snicoll snicoll modified the milestones: 2.7.x, 2.7.0-RC1 Apr 21, 2022

mrodal commented Apr 3, 2023

This feature is not mentioned in the docs; in fact, audience validation is shown as an example for custom validators:

https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-validation-custom

This feature should be in the docs.

Member

snicoll commented Apr 4, 2023

@mrodal thanks for the nudge. Going forward, rather than commenting on a closed PR, please create an issue to request a change in the documentation. I've done that in #34848.


mrodal commented Apr 4, 2023

Got it, thanks!

Successfully merging this pull request may close these issues.

Validate the aud claim in OAuth2 resource server