Support OIDC as part of autoconfiguration #86
Comments
Hi @TheFonz2017, thanks for the request. Your request basically does not consider multi-tenancy support.
Further references:
Hi Nena, can you please check the assumption that customers should be able to configure their own tenant-specific public keys for XSUAA? I have a few doubts about it. Two observations:
Btw. where would a customer maintain these public keys today? Is there a UI in Cloud cockpit? As to your second point about the issuer URI: that is currently a limitation of XSUAA. If you are looking for an implementation of the open-id configuration endpoint returning the proper (even tenant-specific) issuer URI, let me know. I have an internal sample implementation available. Cheers!
Hi @TheFonz2017, we will consider the OIDC flow in one of our next versions. Best regards,
IAS OIDC Token validation is supported by java-security and spring-security for multi-tenant enabled applications.
XsuaaJwtDecoder is a JwtDecoder which needs to be exposed by applications to profit from the XsuaaAudienceValidator. However, the way it is implemented does not properly reflect the Spring Security standard OAuth2TokenValidator configurations.

In fact, the way Spring Security auto-configures OAuth2TokenValidators is more involved, as can be seen in class org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwkConfiguration.

Spring Security checks if the user has configured the spring.security.oauth2.resourceserver.jwt.jwk-set-uri, and if so, will configure a JwtDecoder with the following default JwtValidators (see JwtValidators.createDefault()): JwtTimestampValidator().

If the user configured the spring.security.oauth2.resourceserver.jwt.issuer-uri, however, Spring Security adds the following JwtValidators (see JwtValidators.createDefaultWithIssuer(...)):

XsuaaJwtDecoder does not reflect that properly in its implementation:

A more correct approach would be to replicate the behaviour of Spring Security (as given in org.springframework.boot.autoconfigure.security.oauth2.resource.servlet.OAuth2ResourceServerJwkConfiguration):
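The validator composition the issue asks for, written as an added example rather than code from the issue or from the XSUAA library: a NimbusJwtDecoder built from the JWK set URI, with Spring's own JwtValidators.createDefaultWithIssuer(...) (timestamp plus issuer checks) chained with an audience check via DelegatingOAuth2TokenValidator. The AudienceValidator class here is a hypothetical stand-in for XsuaaAudienceValidator, and the URIs and client id are placeholders.

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // Hypothetical audience validator standing in for XsuaaAudienceValidator:
    // rejects tokens whose "aud" claim does not contain this application's client id.
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "required audience missing: " + expectedAudience, null));
        }
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Placeholder values; a real deployment takes them from spring.security.oauth2.resourceserver.jwt.*
        String jwkSetUri = "https://<tenant>.authentication.<region>.example/token_keys";
        String issuerUri = "https://<tenant>.authentication.<region>.example";
        String clientId = "<client-id>";

        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // Mirror OAuth2ResourceServerJwkConfiguration: issuer configured -> timestamp + issuer validators,
        // then add the audience check on top instead of replacing the defaults.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(Arrays.asList(
                JwtValidators.createDefaultWithIssuer(issuerUri), new AudienceValidator(clientId))));
        return decoder;
    }
}
```

Because the issuer validator is part of the chain, a token signed with a valid key from the JWK set but carrying a different iss claim is rejected before the audience check runs.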