You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
I have a client that expects JWT to be signed with symmetric secret using HMAC SHA-256 (HS256).
I'm not able to pass MacAlgorithm to TokenSettings.Builder.idTokenSignatureAlgorithm since it only accepts SignatureAlgorithm
To Reproduce
Try to register client with HS256 signing algorithm
Expected behavior
MacAlgorithm and SignatureAlgorithm both implement the same interface JwsAlgorithm.
Change Builder#idTokenSignatureAlgorithm to accept any JwsAlgorithm
or
Add overloaded function idTokenSignatureAlgorithm that accepts MacAlgorithm.
Sample
final RegisteredClient client= RegisteredClient.withId(UUID.randomUUID().toString())
...
.tokenSettings(TokenSettings.builder()
.idTokenSignatureAlgorithm(MacAlgorithm.HS256)
.build()
...
.build();
Workaround
Use OAuth2TokenCustomizer to change algorithm
@Bean
public JWKSource<SecurityContext> jwkSource() {
// Create a symmetric key
SecretKeySpec secretKeySpec = new SecretKeySpec("shared-secret".getBytes(StandardCharsets.UTF_8), JWSAlgorithm.HS256.getName());
// Create a JWK with the symmetric key
OctetSequenceKey jwk = new OctetSequenceKey.Builder(secretKeySpec)
.algorithm(JWSAlgorithm.HS256)
.keyID(UUID.randomUUID().toString())
.build();
// Create a JWK set with the JWK
JWKSet jwkSet = new JWKSet(jwk);
// Return an immutable JWK source backed by the JWK set
return new ImmutableJWKSet<>(jwkSet);
}
@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
return (context -> {
if (context.getRegisteredClient().getClientId().equals("client")) {
context.getJwsHeader().algorithm(MacAlgorithm.HS256);
}
});
}
The text was updated successfully, but these errors were encountered:
id_token_signed_response_alg
OPTIONAL. JWS alg algorithm [JWA] REQUIRED for signing the ID Token issued to this Client. The value none MUST NOT be used as the ID Token alg value unless the Client uses only Response Types that return no ID Token from the Authorization Endpoint (such as when only using the Authorization Code Flow). The default, if omitted, is RS256. The public key for validating the signature is provided by retrieving the JWK Set referenced by the jwks_uri element from OpenID Connect Discovery 1.0 [OpenID.Discovery].
Notice the text in bold - the public key is used to validate the signature. This implies asymmetric keys and the default is RS256.
If the JWT alg Header Parameter uses a MAC based algorithm such as HS256, HS384, or HS512, the octets of the UTF-8 [RFC3629] representation of the client_secret corresponding to the client_id
The client_secret is used as the symmetric key.
I'm going to close this as TokenSettings.IdTokenSignatureAlgorithm is expected to be a SignatureAlgorithm.
Describe the bug
I have a client that expects JWT to be signed with symmetric secret using HMAC SHA-256 (HS256).
I'm not able to pass MacAlgorithm to
TokenSettings.Builder.idTokenSignatureAlgorithm
since it only accepts SignatureAlgorithmTo Reproduce
Try to register client with HS256 signing algorithm
Expected behavior
MacAlgorithm and SignatureAlgorithm both implement the same interface JwsAlgorithm.
or
Sample
Workaround
Use OAuth2TokenCustomizer to change algorithm
The text was updated successfully, but these errors were encountered: