Add support dpop customization

[franticticktick]

Currently dpop can't be configured. OAuth2ResourceServerConfigurer has dPoPAuthenticationConfigurer and it is already initialized with DPoPAuthenticationConfigurer and in configure method it is always applied to http. It would be nice to separate dpop configuration instead of applying it by default.
For example:

		@Bean
		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
			// @formatter:off
			http
				.authorizeHttpRequests((authorize) ->
					authorize.anyRequest().authenticated()
				)
				.oauth2ResourceServer((oauth2ResourceServer) ->
					oauth2ResourceServer
						.jwt(Customizer.withDefaults())
						.dpop(Customizer.withDefaults())
				);
			// @formatter:on
			return http.build();
		}

[jgrandja]

@franticticktick Can you provide some specific use cases on what you need to customize for a DPoP flow?

[franticticktick]

@jgrandja Firstly, it would be nice if dpop was optional, now it is always enabled. Secondly, the same Authorization header is specified everywhere, it is standard, but it can be different, which is a normal situation. That is, at least I want to be able to customize authenticationConverter and requestMatcher. In addition, I may need additional audit of successful authentication and I need a custom AuthenticationSuccessHandler.

[franticticktick]

@jgrandja I can prepare a PR if this ticket is relevant.

[jgrandja]

Thank you @franticticktick. I've assigned it to you.

No rush as this is scheduled for 7.0.x.

[pheyken]

Hi @franticticktick & @jgrandja,

while trying out spring-boot 3.5.0 (which includes spring-security 6.5.0) we noticed that our setup does not work anymore due to the auto init of DPoP.

We are using the oauth 2.0 resource server with an OpaqueTokenIntrospector and not JWT, therefore we do not have spring-security-oauth2-jose as a dependency and the classes are not on the class path during runtime.

A ClassNotFoundException (org.springframework.security.oauth2.jwt.JwtException) is thrown during start-up while configuring DPoP.

In the end there are three possible solutions for us:

• we just include spring-security-oauth2-jose as a dependency. however, this would be temporary mitigation
• DPoP is only configured in case of JWT being enabled / spring-security-oauth2-jose on the class path
• there is an option to disable DPoP

Due to the third option I figured this could be part of this issue and I opted to comment first instead of creating a separate issue.

Please let me know if you think this should be a separate issue, or if I can support in any way here.

[franticticktick]

Hi @pheyken Indeed, such a problem exists. But it seems to me that this is a rather rare case. If you have a stable working solution, then it would be good if you wait until we finish working on this ticket. If this problem is still widespread, then we can consider the possibility of disabling dpop.

[jgrandja]

@pheyken As you already noticed, DPoP is enabled by default and it does require the spring-security-oauth2-jose dependency. There is no way to disable DPoP so as a temporary workaround you need to include spring-security-oauth2-jose dependency. This ticket will address the 3rd option:

there is an option to disable DPoP