
Support generating RFC 9068 compliant JWT access tokens #18325

@ziqin

Description


Expected Behavior

NimbusJwtEncoder should allow the user to specify whether it should generate JWT access tokens complying with RFC 9068 or not. If RFC 9068 compliant JWT access tokens are anticipated, it should validate the existence of required claims before generation, and produce a JWT with the typ header as "at+jwt" as well as the required claims; otherwise the typ should be "JWT" as before for compatibility.

For ease of use, we could consider adding support for configuring the default values of shared claims in the builders (i.e., RsaKeyPairJwtEncoderBuilder, EcKeyPairJwtEncoderBuilder, and SecretKeyJwtEncoderBuilder), and allow these values to be merged with (and overridden by) the JwtEncoderParameters.claims passed to NimbusJwtEncoder#encode().

The code could look like:

import java.time.Duration;
import java.time.Instant;

// Shared claims configured once on the encoder (proposed API: useAtJwt, defaultClaims).
JwtClaimsSet sharedClaims = JwtClaimsSet.builder()
    .issuer("https://as.example.com")
    .audience("https://rs.example.com")
    .build();
JwtEncoder jwtEncoder = NimbusJwtEncoder.withKeyPair(publicKey, privateKey)
    .useAtJwt(true)
    .defaultClaims(sharedClaims)
    .build();

// Per-token claims, merged with (and overriding) the shared defaults.
Instant now = Instant.now();
JwtClaimsSet detailedClaims = JwtClaimsSet.builder()
    .subject("5ba552d67")
    .issuedAt(now)
    .expiresAt(now.plus(Duration.ofMinutes(30)))
    .clientId("s6BhdRkqt3")
    .build();
Jwt jwt = jwtEncoder.encode(JwtEncoderParameters.from(detailedClaims));
// It should throw JwtEncodingException because the required `jti` claim is missing.

We should also consider adding configurator options to set up RFC 9068 JWT access token generation for Spring Security OAuth2 Authorization Server.

Current Behavior

Spring Security supports validation of RFC 9068 JWT access tokens. However, NimbusJwtEncoder can only generate a JWT without typ or with typ as "JWT":

  • if it's constructed with public NimbusJwtEncoder(JWKSource<SecurityContext> jwkSource), there's no typ in the JWS header;
  • if it's built by a builder using private NimbusJwtEncoder(JWK jwk), the typ will be "JWT".
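Until something like the proposed builder options exists, the behaviour the issue asks for can be approximated with the API Spring Security ships today. The following is an added example written for this page, not code from the issue author or from the Spring Security project. It wraps the public `NimbusJwtEncoder(JWKSource<SecurityContext>)` constructor in a hypothetical `AtJwtEncoder` that (a) rejects any claim set missing one of the claims RFC 9068 section 2.2 marks REQUIRED (iss, exp, aud, sub, client_id, iat, jti) and (b) forces `typ` to `at+jwt` via an explicit `JwsHeader`. It assumes that `NimbusJwtEncoder` copies `JwsHeader.type()` into the JOSE header of the produced token; the key material, claim values and `main` driver are constructed for the demonstration.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.List;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.JwtEncodingException;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

/**
 * Hypothetical wrapper (not part of Spring Security): enforces the RFC 9068
 * section 2.2 REQUIRED claims and the "at+jwt" typ header before delegating.
 */
public final class AtJwtEncoder implements JwtEncoder {

    // RFC 9068 section 2.2: these claims are REQUIRED in a JWT access token.
    private static final List<String> REQUIRED_CLAIMS =
            List.of("iss", "exp", "aud", "sub", "client_id", "iat", "jti");

    private final JwtEncoder delegate;

    public AtJwtEncoder(JwtEncoder delegate) {
        this.delegate = delegate;
    }

    @Override
    public Jwt encode(JwtEncoderParameters parameters) throws JwtEncodingException {
        JwtClaimsSet claims = parameters.getClaims();
        // Fail closed: refuse to mint a token that a compliant resource server would reject.
        List<String> missing = REQUIRED_CLAIMS.stream()
                .filter(name -> claims.getClaims().get(name) == null)
                .toList();
        if (!missing.isEmpty()) {
            throw new JwtEncodingException(
                    "RFC 9068 access token is missing required claims: " + missing);
        }
        // Keep the caller's algorithm (default RS256) and set the media type explicitly.
        JwsHeader given = parameters.getJwsHeader();
        JwsHeader.Builder header = (given != null)
                ? JwsHeader.from(given)
                : JwsHeader.with(SignatureAlgorithm.RS256);
        header.type("at+jwt");
        return this.delegate.encode(JwtEncoderParameters.from(header.build(), claims));
    }

    public static void main(String[] args) throws Exception {
        // Constructed signing key for the demo; a real deployment would load a managed key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        RSAKey rsaKey = new RSAKey.Builder((RSAPublicKey) kp.getPublic())
                .privateKey((RSAPrivateKey) kp.getPrivate())
                .keyID(UUID.randomUUID().toString())
                .build();
        JWKSource<SecurityContext> jwkSource = new ImmutableJWKSet<>(new JWKSet(rsaKey));
        JwtEncoder encoder = new AtJwtEncoder(new NimbusJwtEncoder(jwkSource));

        Instant now = Instant.now();
        JwtClaimsSet.Builder claims = JwtClaimsSet.builder()
                .issuer("https://as.example.com")
                .audience(List.of("https://rs.example.com"))
                .subject("5ba552d67")
                .issuedAt(now)
                .expiresAt(now.plus(Duration.ofMinutes(30)))
                .claim("client_id", "s6BhdRkqt3");

        // 1) Missing jti: the wrapper refuses to encode, matching the issue's expectation.
        try {
            encoder.encode(JwtEncoderParameters.from(claims.build()));
            throw new IllegalStateException("expected JwtEncodingException");
        } catch (JwtEncodingException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // 2) With a unique jti the token is issued with typ=at+jwt.
        Jwt jwt = encoder.encode(
                JwtEncoderParameters.from(claims.id(UUID.randomUUID().toString()).build()));
        System.out.println("typ=" + jwt.getHeaders().get("typ") + " jti=" + jwt.getId());
    }
}
```

The wrapper validates before signing rather than after decoding: a token that fails RFC 9068's REQUIRED-claim list should never leave the authorization server, because a resource server that uses Spring Security's RFC 9068 validation would reject it anyway. Nothing here touches the proposed `useAtJwt`/`defaultClaims` builder methods, which do not exist in the current API.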

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests