Add possibility to customize refresh token and DPoP binding

[makcpopTwo]

Expected Behavior

It should be possible to customize refresh token and DPoP binding, so engineers can use any binding scheme.

Current Behavior

Currently, it is not possible to customize this. Only one scheme is supported: binding through access_token

Context

The DPoP RFC is not specify how to bind refresh token and DPoP link does not specify how to bind the refresh token to DPoP; instead, it leaves this decision to the authorization server.

Currently, I have an authorization server (not using the latest Spring Security version) with custom DPoP logic implemented. In my implementation, I store the DPoP thumbprint inside the refresh token, so I don't need to use the access token for the binding.

It would be very useful to be able to customize the binding (validation) process between DPoP and refresh tokens.

[jgrandja]

@makcpopTwo

It would be very useful to be able to customize the binding (validation) process between DPoP and refresh tokens.

Can you provide an example configuration that would allow you to customize the validation?

[makcpopTwo]

@jgrandja
Sorry for the delayed response.

I’ve created a POC — this is not a final implementation, just a conceptual demonstration.
I hope I correctly understood how Spring Security handles this flow.

1. Add a new interface for extracting the DPoP JWK thumbprint from the authorization

public interface JwkThumbprintClaimRefreshTokenExtractor {

	String extract(OAuth2Authorization authorization);
}

2. Modify OAuth2RefreshTokenAuthenticationProvider
   Add a JwkThumbprintClaimRefreshTokenExtractor field with a default implementation, allowing the behavior to be overridden if needed.
   The default implementation keeps the same logic as the current one.

public final class OAuth2RefreshTokenAuthenticationProvider implements AuthenticationProvider {
....
	private final OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator;

	private JwkThumbprintClaimRefreshTokenExtractor jwkThumbprintClaimExtractor;

	/**
	 * Constructs an {@code OAuth2RefreshTokenAuthenticationProvider} using the provided
	 * parameters.
	 * @param authorizationService the authorization service
	 * @param tokenGenerator the token generator
	 */
	public OAuth2RefreshTokenAuthenticationProvider(OAuth2AuthorizationService authorizationService,
			OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator) {
		Assert.notNull(authorizationService, "authorizationService cannot be null");
		Assert.notNull(tokenGenerator, "tokenGenerator cannot be null");
		this.authorizationService = authorizationService;
		this.tokenGenerator = tokenGenerator;
		this.jwkThumbprintClaimExtractor = oAuth2Authorization -> {
			// For public clients, verify the DPoP Proof public key is same as (current)
			// access token public key binding
			Map<String, Object> accessTokenClaims = oAuth2Authorization.getAccessToken().getClaims();
			ClaimAccessor claimAccessor = () -> accessTokenClaims;
			Map<String, Object> confirmationMethodClaim = claimAccessor.getClaimAsMap("cnf");

			String jwkThumbprintClaim = null;
			if (!CollectionUtils.isEmpty(confirmationMethodClaim) && confirmationMethodClaim.containsKey("jkt")) {
				jwkThumbprintClaim = (String) confirmationMethodClaim.get("jkt");
			}
			if (jwkThumbprintClaim == null) {
				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF, "jkt claim is missing.", null);
				throw new OAuth2AuthenticationException(error);
			}
			return jwkThumbprintClaim;
		};
	}

	public void setJwkThumbprintClaimExtractor(JwkThumbprintClaimRefreshTokenExtractor jwkThumbprintClaimExtractor) {
		this.jwkThumbprintClaimExtractor = jwkThumbprintClaimExtractor;
	}
....
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        .... 
        if (dPoPProof != null
				&& clientPrincipal.getClientAuthenticationMethod().equals(ClientAuthenticationMethod.NONE)) {
		verifyDPoPProofPublicKey(dPoPProof, authorization);
	}
        ...
    }
....

    private void verifyDPoPProofPublicKey(Jwt dPoPProof, OAuth2Authorization authorization) {
    	JWK jwk = null;
    	@SuppressWarnings("unchecked")
    	Map<String, Object> jwkJson = (Map<String, Object>) dPoPProof.getHeaders().get("jwk");
    	try {
    		jwk = JWK.parse(jwkJson);
    	}
    	catch (Exception ignored) {
    	}
    	if (jwk == null) {
    		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF,
    				"jwk header is missing or invalid.", null);
    		throw new OAuth2AuthenticationException(error);
	}

	String jwkThumbprint;
	try {
		jwkThumbprint = jwk.computeThumbprint().toString();
	}
	catch (Exception ex) {
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF,
				"Failed to compute SHA-256 Thumbprint for jwk.", null);
		throw new OAuth2AuthenticationException(error);
	}

	String jwkThumbprintClaim = jwkThumbprintClaimExtractor.extract(authorization);

	if (!jwkThumbprint.equals(jwkThumbprintClaim)) {
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF, "jwk header is invalid.", null);
			throw new OAuth2AuthenticationException(error);
	}
    }
}

3. Improve OAuth2TokenEndpointConfigurer
   If a bean of type JwkThumbprintClaimRefreshTokenExtractor exists, it should be injected into the provider, overriding the default extractor implementation.

public final class OAuth2TokenEndpointConfigurer extends AbstractOAuth2Configurer {
...
   private static List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity) {
		List<AuthenticationProvider> authenticationProviders = new ArrayList<>();

		OAuth2AuthorizationService authorizationService = OAuth2ConfigurerUtils.getAuthorizationService(httpSecurity);
		OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator = OAuth2ConfigurerUtils
			.getTokenGenerator(httpSecurity);

		OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider = new OAuth2AuthorizationCodeAuthenticationProvider(
				authorizationService, tokenGenerator);
		SessionRegistry sessionRegistry = httpSecurity.getSharedObject(SessionRegistry.class);
		if (sessionRegistry != null) {
			authorizationCodeAuthenticationProvider.setSessionRegistry(sessionRegistry);
		}
		authenticationProviders.add(authorizationCodeAuthenticationProvider);

		OAuth2RefreshTokenAuthenticationProvider refreshTokenAuthenticationProvider = new OAuth2RefreshTokenAuthenticationProvider(
				authorizationService, tokenGenerator);
		authenticationProviders.add(refreshTokenAuthenticationProvider);
		JwkThumbprintClaimRefreshTokenExtractor jwkThumbprintClaimExtractor = httpSecurity
				.getSharedObject(JwkThumbprintClaimRefreshTokenExtractor.class);
		if (jwkThumbprintClaimExtractor != null) {
			refreshTokenAuthenticationProvider.setJwkThumbprintClaimExtractor(jwkThumbprintClaimExtractor);
		}

		OAuth2ClientCredentialsAuthenticationProvider clientCredentialsAuthenticationProvider = new OAuth2ClientCredentialsAuthenticationProvider(
				authorizationService, tokenGenerator);
		authenticationProviders.add(clientCredentialsAuthenticationProvider);

		OAuth2DeviceCodeAuthenticationProvider deviceCodeAuthenticationProvider = new OAuth2DeviceCodeAuthenticationProvider(
				authorizationService, tokenGenerator);
		authenticationProviders.add(deviceCodeAuthenticationProvider);

		OAuth2TokenExchangeAuthenticationProvider tokenExchangeAuthenticationProvider = new OAuth2TokenExchangeAuthenticationProvider(
				authorizationService, tokenGenerator);
		authenticationProviders.add(tokenExchangeAuthenticationProvider);

		return authenticationProviders;
	}
...
}

[makcpopTwo]

BTW, I would like to make a PR, but first I would like to discuss the best way to fix it

[jgrandja]

Thanks for the details @makcpopTwo.

Instead of introducing JwkThumbprintClaimRefreshTokenExtractor, we could enhance OAuth2RefreshTokenAuthenticationProvider with an authenticationValidator.

This pattern has already been implemented in OAuth2ClientCredentialsAuthenticationProvider and OAuth2AuthorizationCodeRequestAuthenticationProvider with each having an authenticationValidator where you can override the validation logic for specific parameters.

We could introduce a default authenticationValidator in OAuth2RefreshTokenAuthenticationProvider, which contains the existing validation logic (verifyDPoPProofPublicKey()) allowing you to override it and provide your own validator.

Would this work for you?

FYI, we're already tracking this proposed enhancement in spring-authorization-server#1941.

[therepanic]

I recently encountered a problem described in this issue: spring-projects/spring-authorization-server#1941. The problem is relatively old, but no one has solved it yet. I don't know how much this will solve the current problem, but I'll try to do it.