Labels: in: oauth2 (an issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: bug
Description
Logic within Jwt Client AuthenticationConverter
If you look at the token issuance logic of the private_key_jwt authentication type, it says to send client_id as a parameter.
If you only look at the RFC 7523 standard, a separate client_id parameter is not required because it identifies the client with an iss/sub claim within the client_assertion.
It seems that branch processing is required for each type of authentication.
```java
@Nullable
public Authentication convert(HttpServletRequest request) {
    // Only form-encoded body parameters are considered (query parameters are ignored).
    MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getFormParameters(request);
    if (parameters.getFirst("client_assertion_type") != null && parameters.getFirst("client_assertion") != null) {
        String clientAssertionType = parameters.getFirst("client_assertion_type");
        if (parameters.get("client_assertion_type").size() != 1) {
            // A repeated parameter is rejected outright.
            throw new OAuth2AuthenticationException("invalid_request");
        } else if (!JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD.getValue().equals(clientAssertionType)) {
            // Not a jwt-bearer assertion: leave it to another converter.
            return null;
        } else {
            String jwtAssertion = parameters.getFirst("client_assertion");
            if (parameters.get("client_assertion").size() != 1) {
                throw new OAuth2AuthenticationException("invalid_request");
            } else {
                String clientId = parameters.getFirst("client_id"); // <========== this line.
                // client_id is mandatory here, even though RFC 7523 identifies the client via iss/sub.
                if (StringUtils.hasText(clientId) && parameters.get("client_id").size() == 1) {
                    Map<String, Object> additionalParameters = OAuth2EndpointUtils.getParametersIfMatchesAuthorizationCodeGrantRequest(
                            request, "client_assertion_type", "client_assertion", "client_id");
                    return new OAuth2ClientAuthenticationToken(clientId, JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD, jwtAssertion, additionalParameters);
                } else {
                    throw new OAuth2AuthenticationException("invalid_request");
                }
            }
        }
    } else {
        return null;
    }
}
```
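To illustrate the per-method branching the report asks for, here is an added example converter (not Spring Authorization Server code) that treats client_id as optional for private_key_jwt and takes the client identity from the assertion's iss/sub claims instead. The class name, the use of `request.getParameterValues`, the jakarta servlet import and the Nimbus `JWTParser` for reading the claims are assumptions; the converter only selects the registered client, and the downstream authentication provider must still verify the assertion's signature and claims.

```java
import java.text.ParseException;
import java.util.Map;
import jakarta.servlet.http.HttpServletRequest;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.util.StringUtils;

// Added example (hypothetical class, not project code): client_id is optional for private_key_jwt.
public class ClientIdOptionalJwtAssertionConverter implements AuthenticationConverter {
    private static final ClientAuthenticationMethod JWT_CLIENT_ASSERTION =
            new ClientAuthenticationMethod("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");

    @Override
    public Authentication convert(HttpServletRequest request) {
        String assertionType = single(request, "client_assertion_type");
        String assertion = single(request, "client_assertion");
        if (assertion == null || !JWT_CLIENT_ASSERTION.getValue().equals(assertionType)) {
            return null; // not a JWT client assertion; let another converter handle it
        }
        // Peek at iss/sub of the still-unverified assertion only to pick the registered client.
        // The authentication provider must verify signature and claims before trusting this identity.
        String subject;
        try {
            JWTClaimsSet claims = JWTParser.parse(assertion).getJWTClaimsSet();
            subject = claims.getSubject();
            if (!StringUtils.hasText(subject) || !subject.equals(claims.getIssuer())) {
                throw new OAuth2AuthenticationException("invalid_client"); // iss and sub must both name the client
            }
        } catch (ParseException ex) {
            throw new OAuth2AuthenticationException("invalid_request"); // not a parseable JWT
        }
        // client_id is optional under RFC 7523; when it is sent it must agree with the assertion.
        String clientId = single(request, "client_id");
        if (clientId != null && !clientId.equals(subject)) {
            throw new OAuth2AuthenticationException("invalid_client");
        }
        return new OAuth2ClientAuthenticationToken(subject, JWT_CLIENT_ASSERTION, assertion, Map.of());
    }

    // Absent parameter -> null; repeated parameter -> invalid_request, as in the original converter.
    private static String single(HttpServletRequest request, String name) {
        String[] values = request.getParameterValues(name);
        if (values == null) return null;
        if (values.length != 1) throw new OAuth2AuthenticationException("invalid_request");
        return values[0];
    }
}
```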