
Comments (6)

jgrandja avatar jgrandja commented on May 24, 2024

@jworner I haven't seen anywhere in the specs where an Authorization Server MAY support multiple client_secrets per client registration. This seems like a proprietary implementation in Azure. I believe this capability belongs in the consuming application, instead of the framework code.

Furthermore, it's recommended to use either private_key_jwt or tls_client_auth (even self_signed_tls_client_auth) for production deployments as those methods are far more secure than client_secret_basic. Additionally, those methods inherently support key rotation. FYI, private_key_jwt has been supported since 1.0, and tls_client_auth and self_signed_tls_client_auth are being released in the upcoming 1.3 release.

I'm going to close this as I don't believe this capability is defined in any of the specs. If you're able to provide me a link to a spec defining this capability, then we'll consider re-opening this for further discussion. Regardless, I would recommend using private_key_jwt, tls_client_auth or self_signed_tls_client_auth.

from spring-authorization-server.

konstantinj avatar konstantinj commented on May 24, 2024

Hi @jgrandja, just came across this for the same reason. Using private_key_jwt sounds like a good idea. Unfortunately I can't find any documentation on how to use it. I guess there is none yet? #781

I do not understand where to handle the keys for each client.


jgrandja avatar jgrandja commented on May 24, 2024

@konstantinj See gh-781 as it provides a link to a branch with a working sample configuration. I just rebased that branch on main so it's up-to-date. We'll add the How-to guide in the next release.


konstantinj avatar konstantinj commented on May 24, 2024

@jgrandja thanks, this is the configuration on the client side?
I was looking for the components that are missing on server side like the JWKS storage and a reference implementation to push the keys to that storage.


jgrandja avatar jgrandja commented on May 24, 2024

@konstantinj Please take the time to review the sample. It's a complete sample with both client and authorization server configuration demonstrating the client_credentials grant flow.

I was looking for the components that are missing on server side like the JWKS storage

The JWK used to sign the client_assertion comes from the JWKSource stored on the client side NOT the authorization server side.

You can review JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants to see how private_key_jwt client authentication works.

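The exchange jgrandja describes (the client signs a client_assertion with its own private key, the authorization server verifies it against the client's registered public JWK) is shown below as an added, self-contained example; it is not code from Spring Authorization Server, the linked sample, or any commenter. It uses only the Go standard library: ES256 signing per the JOSE rules, the RFC 7523 claims (iss and sub equal to client_id, aud equal to the token endpoint, exp, jti), a per-client key set indexed by kid so a client can rotate keys without downtime, and a jti replay cache. The client_id `svc-client`, the token endpoint URL and the kid values are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// ClientKey is the client-side signing key. Only the public half, tagged with a kid, is
// registered at the authorization server; the private key never leaves the client.
type ClientKey struct {
	Kid  string
	Priv *ecdsa.PrivateKey
}

// NewClientKey generates a P-256 key (constructed here; a real client loads one from a keystore).
func NewClientKey(kid string) (*ClientKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ClientKey{Kid: kid, Priv: priv}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion produces the RFC 7523 JWT sent as client_assertion: iss and sub
// are the client_id, aud is the token endpoint, exp bounds its life and jti makes it single-use.
func BuildClientAssertion(key *ClientKey, clientID, tokenEndpoint string, now time.Time, ttl time.Duration) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": key.Kid})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"iat": now.Unix(), "exp": now.Add(ttl).Unix(), "jti": b64(jti),
	})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, key.Priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JOSE ES256: raw R||S, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// AuthServer holds, per client_id, the registered public keys by kid (several at once during
// rotation) and a replay cache of jti values it has already accepted.
type AuthServer struct {
	TokenEndpoint string
	Clients       map[string]map[string]*ecdsa.PublicKey
	seenJTI       map[string]int64
}

func NewAuthServer(tokenEndpoint string) *AuthServer {
	return &AuthServer{TokenEndpoint: tokenEndpoint, Clients: map[string]map[string]*ecdsa.PublicKey{}, seenJTI: map[string]int64{}}
}

// Register stores the public halves of the given keys; the client keeps the private halves.
func (a *AuthServer) Register(clientID string, keys ...*ClientKey) {
	set := map[string]*ecdsa.PublicKey{}
	for _, k := range keys {
		set[k.Kid] = &k.Priv.PublicKey
	}
	a.Clients[clientID] = set
}

// AuthenticateClient applies the RFC 7523 section 3 checks and returns the authenticated client_id.
// aud is handled as a single string here; the spec also allows a JSON array.
func (a *AuthServer) AuthenticateClient(clientID, assertion string, now time.Time) (string, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed assertion")
	}
	keys, ok := a.Clients[clientID]
	if !ok {
		return "", errors.New("unknown client")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return "", errors.New("bad header")
	}
	if hdr.Alg != "ES256" { // never let the token pick the algorithm family
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return "", fmt.Errorf("kid %q not registered for client", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("signature verification failed")
	}
	var c struct {
		Iss, Sub, Aud, Jti string
		Exp                int64
	}
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return "", errors.New("bad claims")
	}
	switch {
	case c.Iss != clientID || c.Sub != clientID:
		return "", errors.New("iss/sub do not match client_id")
	case c.Aud != a.TokenEndpoint:
		return "", errors.New("aud is not this token endpoint")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return "", errors.New("assertion expired")
	case c.Jti == "":
		return "", errors.New("missing jti")
	}
	if _, replayed := a.seenJTI[c.Jti]; replayed {
		return "", errors.New("assertion replayed")
	}
	a.seenJTI[c.Jti] = c.Exp // entries can be evicted once exp has passed
	return clientID, nil
}

func main() {
	key, _ := NewClientKey("2024-05")
	srv := NewAuthServer("https://auth.example/oauth2/token")
	srv.Register("svc-client", key)
	assertion, _ := BuildClientAssertion(key, "svc-client", srv.TokenEndpoint, time.Now(), time.Minute)
	fmt.Println(srv.AuthenticateClient("svc-client", assertion, time.Now()))
	fmt.Println(srv.AuthenticateClient("svc-client", assertion, time.Now())) // second use is rejected
}
```

Rotation works because `Register` accepts several keys: the client publishes a new kid, the server accepts assertions signed by either key for the overlap window, and the old kid is dropped afterwards. Nothing in this flow is stored on the server beyond public keys and recent jti values, which is why the JWKSource konstantinj was looking for lives on the client.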
