This repository has been archived by the owner on May 31, 2022. It is now read-only.

Add TokenStore supporting JWT verification using JWK #977

Closed
jgrandja opened this issue Feb 13, 2017 · 4 comments

jgrandja (Contributor) commented Feb 13, 2017

It would be very useful to have a TokenStore implementation that verifies a JWT using a JSON Web Key (JWK).

The main goal of this implementation would be to verify a JWT using the corresponding JWK. The JWK used for verification is matched using the kid header parameter of the JWT and the kid attribute of the JWK.

The implementation would be responsible for fetching the JWK Set (the set of available JSON Web Keys) from the supplied URL.

Related Specifications

JSON Web Token (JWT)

JSON Web Key (JWK)

JSON Web Signature (JWS)

JSON Web Encryption (JWE)

JSON Web Algorithms (JWA)
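The verification flow sketched above (select the JWK whose kid matches the kid header of the JWT, then verify the signature under that key), as an added example in Python using only the standard library. This is not code from Spring Security OAuth and not the TokenStore the issue proposes. Assumptions: the JWK Set is constructed inline instead of being fetched from a jwks-uri, and its keys are symmetric "oct"/HS256 keys so the block runs offline; a real key set would normally hold RSA or EC public keys and the HMAC step would be replaced by an asymmetric signature check. The names verify_jwt, find_jwk, mint_jwt and rejects are this example's own.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed JWK Set standing in for the document a verifier would fetch from
# its jwks-uri. Assumption: symmetric "oct" keys so this runs with the standard
# library alone; a real set would normally carry RSA or EC public keys.
JWK_SET = {
    "keys": [
        {"kty": "oct", "kid": "2017-02-a", "use": "sig", "alg": "HS256",
         "k": base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode("ascii")},
        {"kty": "oct", "kid": "2017-02-b", "use": "sig", "alg": "HS256",
         "k": base64.urlsafe_b64encode(b"\x02" * 32).rstrip(b"=").decode("ascii")},
    ]
}


class JwkVerificationError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_decode(s: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    except (ValueError, TypeError) as e:
        raise JwkVerificationError("segment is not valid base64url") from e


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def find_jwk(jwk_set: dict, kid: str) -> dict:
    """Select the JWK whose kid matches; unknown or ambiguous kids are rejected."""
    matches = [k for k in jwk_set.get("keys", []) if k.get("kid") == kid]
    if len(matches) != 1:
        raise JwkVerificationError(f"no unique JWK for kid {kid!r}")
    return matches[0]


def verify_jwt(token: str, jwk_set: dict, now: Optional[float] = None) -> dict:
    """Verify a compact JWS against the key set and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwkVerificationError("expected a compact JWS with three segments")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
    except ValueError as e:
        raise JwkVerificationError("malformed JOSE header") from e
    kid = header.get("kid") if isinstance(header, dict) else None
    if not isinstance(kid, str):
        raise JwkVerificationError("JWT header carries no kid")
    jwk = find_jwk(jwk_set, kid)
    # The algorithm is fixed by the selected key, never taken from the untrusted
    # header: this is what closes the "alg": "none" and key-confusion loopholes.
    if jwk.get("kty") != "oct" or jwk.get("alg") != "HS256" or jwk.get("use", "sig") != "sig":
        raise JwkVerificationError("selected JWK is not an HS256 signing key")
    if header.get("alg") != jwk["alg"]:
        raise JwkVerificationError("alg in JWT header does not match the JWK")
    signing_input = f"{h_b64}.{p_b64}".encode("ascii")
    expected = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise JwkVerificationError("signature does not verify under the matched JWK")
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise JwkVerificationError("token has expired")
    return claims


def mint_jwt(claims: dict, jwk: dict, alg: str = "HS256") -> str:
    """Issuer side (test helper): sign claims with an oct JWK, stamping its kid."""
    header = {"alg": alg, "typ": "JWT", "kid": jwk["kid"]}
    h_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    p_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    if alg == "none":  # unsigned token, produced only to show that it is rejected
        return f"{h_b64}.{p_b64}."
    sig = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode("ascii"),
                   hashlib.sha256).digest()
    return f"{h_b64}.{p_b64}.{b64url_encode(sig)}"


def rejects(token: str, jwk_set: dict = JWK_SET, now: float = 0.0) -> bool:
    """True if verify_jwt refuses the token (used by the demo below)."""
    try:
        verify_jwt(token, jwk_set, now=now)
    except JwkVerificationError:
        return True
    return False


if __name__ == "__main__":
    key_a, key_b = JWK_SET["keys"]
    good = mint_jwt({"sub": "alice", "exp": 2_000_000_000}, key_a)
    print("accepted:", verify_jwt(good, JWK_SET, now=1_700_000_000))
    print("unknown kid rejected:", rejects(mint_jwt({"sub": "alice"}, dict(key_a, kid="rogue"))))
    print("alg none rejected:", rejects(mint_jwt({"sub": "alice"}, key_a, alg="none")))
    print("wrong key rejected:", rejects(mint_jwt({"sub": "alice"}, dict(key_b, kid=key_a["kid"]))))
```

Two points the kid lookup alone does not settle: the kid in the header is an untrusted hint, so the verifier binds the algorithm to the key it selected rather than honouring whatever alg the token claims, and an unknown kid is a hard failure rather than a fall-through to "try every key". A real implementation that refetches the JWK Set on an unknown kid (to pick up key rollover) should rate-limit that refetch, since every request with an attacker-chosen kid would otherwise trigger a fetch from the key-set URL.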

jgrandja self-assigned this Feb 13, 2017
jgrandja added this to the 2.0.13 milestone Feb 13, 2017
jgrandja added a commit that referenced this issue Feb 24, 2017
Add tests
Add javadoc
Fix bug to work with UAA 3.11.0

Issue gh-977
jgrandja added a commit to jgrandja/spring-security-oauth that referenced this issue Mar 1, 2017
rwinch pushed a commit to rwinch/spring-security-oauth that referenced this issue Mar 2, 2017
jgrandja modified the milestones: 2.1.0, 2.0.13 Mar 3, 2017
puug pushed a commit to consoleau/spring-security-oauth that referenced this issue Mar 5, 2017
yelhouti commented Mar 6, 2017

Thanks for the great work. Could we have something like jwks-uri in the application.yml/properties that creates the store automatically?
This should be the default way for validating id_token. Other fields are now mandatory in the .yml; we should have the choice between them and this.
Thanks.

jgrandja (Contributor, Author) commented Mar 6, 2017

@yelhouti This question should be posted in the Spring Boot GitHub as it's related to custom configuration properties in application.yml.

On that note, Spring Boot 1.5.2 has added a new configuration property related to this issue

security.oauth2.resource.jwk.key-set-uri: [URL to JWK Set]

You mentioned the following...

this should be the default way for validating id_token

Please note that Spring Security OAuth currently does not provide support for OpenID Connect so there is no validation/verification of id_token.

We are currently working on a re-write of OAuth and integrating it into Spring Security proper and it will provide support for OpenID Connect. You can track the issue here

yelhouti commented Mar 6, 2017

Indeed, I forgot to update Spring Boot in gradle.properties: springBootVersion = '1.5.2.RELEASE'
Good luck with the rewrite; you might want to have a look at this repo: https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
Hope it helps, or you already know it.
Thanks, and keep up the good work.

jgrandja (Contributor, Author) commented Mar 6, 2017

Thanks @yelhouti. Yes, I have already looked at MITREid Connect.
