@@ -224,6 +224,37 @@ Again, the same properties are applicable for both servlet and reactive applicat
Alternatively, you can define your own `OpaqueTokenIntrospector` bean for servlet applications or a `ReactiveOpaqueTokenIntrospector` for reactive applications.


=== Audience Validation Support in OAuth2 Resource Server

The OAuth2 resource server now supports validating audience (aud) claims in JSON Web Tokens (JWTs) issued by an authorization server.
This feature is added to complement the existing validation of issuer (iss) claims.

To enable audience validation, set the spring.security.oauth2.resourceserver.jwt.audience property in your Spring Boot application
configuration file. This property specifies the expected value(s) of the aud claim in JWTs.

For example, to expect the JWTs to contain an aud claim with the value my-audience, you can add the following line to your
application.properties file:

[source,properties]
spring.security.oauth2.resourceserver.jwt.audience=my-audience

When the resource server receives a JWT, it will now validate that the aud claim is present and contains the expected value(s).
If the validation fails, the request will be rejected with an HTTP 401 Unauthorized response.

The following code changes have been made to add audience validation support:

[source,java]
JwtClaimValidator<List<String>> validator = new JwtClaimValidator<List<String>>(JwtClaimNames.AUD,
(aud) -> aud != null && aud.contains(audience));
validators.add(validator);
nimbusrJwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));

These changes add a new JwtClaimValidator that checks the aud claim of the JWT against the expected audience value(s).
If the aud claim is present and contains any of the expected values, the validation succeeds. Otherwise, it fails.

In summary, the addition of audience validation support allows OAuth2 resource server to verify that the JWTs it receives
were intended for consumption by itself or its specified audience.


[[web.security.oauth2.authorization-server]]
==== Authorization Server
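Review bot: the validator lambda `(aud) -> aud != null && aud.contains(audience)` checks the `aud` claim against one `audience` value, but the prose above it says the property takes "expected value(s)" and that validation succeeds when the claim "contains any of the expected values"; either make the check iterate over a collection of configured audiences (for example `audiences.stream().anyMatch(aud::contains)`) or reword the text to describe a single expected value. The receiver `nimbusrJwtDecoder` also looks like a typo for `nimbusJwtDecoder`, the `validators` list used in `validators.add(validator)` is never declared in the snippet, and the `[source,properties]` and `[source,java]` blocks lack their `----` listing delimiters, so they will not render as source blocks in AsciiDoc.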