Client JwtBearer grant type should allow building a Jwt based on the client registration information #9880

Closed
sclorng opened this issue Jun 8, 2021 · 1 comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue

Comments


sclorng commented Jun 8, 2021

Expected Behavior

As per RFC 7521 and RFC 7523, there are some claims that compose the Jwt that are related to the client registration, like issuer or client_id.

When making a call like

// static helpers provided by the Servlet exchange filter function
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.authentication;
import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

String body = webClient
    .get()
    // select the "client-jwt-bearer" registration and pass the Authentication that carries the Jwt assertion
    .attributes(clientRegistrationId("client-jwt-bearer").andThen(authentication(authentication)))
    .retrieve()
    .bodyToMono(String.class)
    .block();

It would be easier to have direct access to the client registration for building the authentication instance.

Current Behavior

Client code must inject ClientRegistrationRepository/Service in order to get the client registration information to build the token, and then make the WebClient call. It complicates the code and ties the code tightly to security concerns.
It makes things more complicated when using a default client as we must deal with setting the default client Id everywhere while it is already, but uselessly, configured on the ServletOAuth2AuthorizedClientExchangeFilterFunction.

Context

Having #9879 resolved, this should be easy to fix.

@sclorng sclorng added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Jun 8, 2021
@jgrandja (Contributor)

@sclorng I re-opened gh-9812, which will address:

It would be easier to have direct access to the client registration for building the authentication instance.

Your suggested improvement on exposing a Converter<OAuth2AuthorizationContext, Jwt> will provide access via OAuth2AuthorizationContext.getClientRegistration().

I'll close this as a duplicate and we'll address your concerns in gh-9812.

@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Oct 20, 2021
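As an added illustration (not code from the project or from either participant), this is what a resolver of the suggested shape can do once it receives the OAuth2AuthorizationContext: build the RFC 7523 grant assertion with iss taken from the registration's client_id, aud restricted to the registration's token endpoint, a short expiry and a unique jti. It assumes the JwtBearerOAuth2AuthorizedClientProvider hook is named setJwtAssertionResolver and takes a Function<OAuth2AuthorizationContext, Jwt>, that NimbusJwtEncoder from oauth2-jose is available, and that the client's RSAKey is supplied by the caller; the class name is mine.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.UUID;
import java.util.function.Function;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;

import org.springframework.security.oauth2.client.JwtBearerOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

/** Hypothetical resolver: derives the RFC 7523 assertion from the registration in the context. */
public class RegistrationJwtAssertionResolver implements Function<OAuth2AuthorizationContext, Jwt> {
    private final NimbusJwtEncoder encoder;

    public RegistrationJwtAssertionResolver(RSAKey signingKey) {
        // The client's own key pair; only its public half is registered with the authorization server.
        this.encoder = new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(signingKey)));
    }

    @Override
    public Jwt apply(OAuth2AuthorizationContext context) {
        ClientRegistration registration = context.getClientRegistration();
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer(registration.getClientId())                  // iss: the registered client
                .subject(context.getPrincipal().getName())           // sub: the resource owner of the grant
                .audience(List.of(registration.getProviderDetails().getTokenUri())) // aud: token endpoint only
                .issuedAt(now)
                .expiresAt(now.plus(Duration.ofMinutes(2)))          // short lifetime narrows the replay window
                .id(UUID.randomUUID().toString())                    // jti: lets the server detect replays
                .build();
        JwsHeader header = JwsHeader.with(SignatureAlgorithm.RS256).build();
        return this.encoder.encode(JwtEncoderParameters.from(header, claims));
    }

    static JwtBearerOAuth2AuthorizedClientProvider provider(RSAKey signingKey) {
        JwtBearerOAuth2AuthorizedClientProvider provider = new JwtBearerOAuth2AuthorizedClientProvider();
        provider.setJwtAssertionResolver(new RegistrationJwtAssertionResolver(signingKey)); // assumed hook name
        return provider;
    }
}
```

With this in place the WebClient call from the report only needs clientRegistrationId("client-jwt-bearer"); the registration lookup no longer has to be repeated in calling code.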