Support JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens #439

Open
andifalk opened this issue Sep 15, 2021 · 8 comments
Labels
type: enhancement A general enhancement

Comments

@andifalk

Expected Behavior
There is a new IETF specification for JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens which has already been approved by the IESG and will be published as a final RFC very soon.
This specification aims to provide a standardized and interoperable profile as an alternative to the proprietary JWT access token layouts going forward.
This adds the following details for compliant JWT access tokens:

  • JWT access tokens MUST include "at+jwt" in the "typ" header parameter to explicitly declare that the JWT represents an access token
  • JWT access tokens require at least the following claims: iss, exp, aud, sub, client_id, iat, jti
  • Claims for Authorization are standardized using "roles", "groups", "entitlements" as defined in RFC7643

At the least, it should be configurable to issue JWT access tokens that support this new standardization effort.

Current Behavior
Currently, the JWT access tokens issued do not follow or support this new specification.

Context
Note: I also added an issue to the spring security project (spring-projects/spring-security#10272) for documenting the required configuration to validate such tokens as part of the reference docs.

@andifalk andifalk added the type: enhancement A general enhancement label Sep 15, 2021
@gsdukbh

gsdukbh commented Sep 16, 2021

Good, I'm really looking forward to it.

@gsdukbh

gsdukbh commented Sep 16, 2021

Good, I'm really looking forward to it.

Recently, I have been thinking about how to use what I have to achieve the effect of JWT, but I am not very satisfied.

@jgrandja
Collaborator

Thanks @andifalk! We'll look at implementing this in one of the upcoming releases.

@jgrandja jgrandja added the status: on-hold We can't start working on this issue yet label Sep 22, 2021
@nickcaballero

Most of the required claims are there, except for client_id and jti.

```java
import java.util.UUID;

// Package layout of the 1.x release line; in 0.2.x JwtEncodingContext lived one package up.
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

// Adds the two profile claims the server does not set by default: jti (via id()) and client_id.
public class Customizer implements OAuth2TokenCustomizer<JwtEncodingContext> {
    @Override
    public void customize(JwtEncodingContext context) {
        context.getClaims()
                .id(UUID.randomUUID().toString())   // jti: unique identifier for this token
                .claim("client_id",
                        context.getRegisteredClient()
                                .getClientId());    // client_id of the client the token was issued to
    }
}
```
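As an added example (not code from the issue or from Spring Authorization Server), the checker below decodes a compact JWT and reports where it falls short of the profile requirements listed in the issue: the at+jwt typ header and the seven required claims, including the client_id and jti that the customizer above supplies. Signature verification is deliberately out of scope; the sample tokens are constructed and unsigned, and the issuer, audience and client id values are assumptions.

```python
import base64
import json
import time
from typing import List, Optional

# Header value and claim set required by the JWT access token profile (RFC 9068).
ACCEPTED_TYP = {"at+jwt", "application/at+jwt"}  # the media-type form is also accepted by the profile
REQUIRED_CLAIMS = ("iss", "exp", "aud", "sub", "client_id", "iat", "jti")

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment into a dict, restoring stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def check_at_jwt_profile(token: str, now: Optional[int] = None) -> List[str]:
    """Return the profile violations found in a compact JWS; an empty list means conformant.

    Structural checks only: the signature must still be verified against the issuer's JWKS
    by the JWT library before any of these claims are trusted.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 segments)"]
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    problems = []
    typ = header.get("typ", "")
    if typ.lower() not in ACCEPTED_TYP:
        problems.append(f"typ header is {typ!r}, expected 'at+jwt'")
    for name in REQUIRED_CLAIMS:
        if name not in claims:
            problems.append(f"missing required claim {name!r}")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token expired")
    return problems

def _unsigned_jws(header: dict, claims: dict) -> str:
    """Build an unsigned compact JWS for the constructed samples (signature segment left empty)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}."

# Constructed samples: a token as a default server mints it, and one after the customizer adds client_id and jti.
BASE_CLAIMS = {"iss": "https://auth.example.test", "sub": "user-1", "aud": "api", "iat": 1_700_000_000, "exp": 1_700_003_600}
LEGACY_TOKEN = _unsigned_jws({"alg": "RS256", "typ": "JWT"}, BASE_CLAIMS)
PROFILE_TOKEN = _unsigned_jws({"alg": "RS256", "typ": "at+jwt"}, {**BASE_CLAIMS, "client_id": "messaging-client", "jti": "constructed-jti-1"})
```

Running `check_at_jwt_profile(LEGACY_TOKEN)` lists the wrong typ header and the two missing claims, while `PROFILE_TOKEN` passes until its exp is reached.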

@lcxw

lcxw commented Dec 3, 2021

Good, I'm really looking forward to it too.

@jgrandja jgrandja removed the status: on-hold We can't start working on this issue yet label Dec 11, 2024
@jgrandja jgrandja moved this to Planning in Spring Security Team Dec 11, 2024
@chenzhenjia

Any updates?

@jgrandja
Collaborator

@chenzhenjia We're targeting this for 1.5 release.

@chenzhenjia

@chenzhenjia We're targeting this for 1.5 release.

Thanks, when will 1.5 be released?


6 participants