Summary

As I can see there is no audience validation support provided by the framework side, but it is a pretty common case: https://tools.ietf.org/html/rfc7519#section-4.1.3

Actual Behavior

The "optional" audience validation support is not provided.

Expected Behavior

The "optional" audience validation support is provided.

Version

Currently I'm using the 5.2.2.RELEASE one.

Sample

For a few of my projects I need to support audience issuer validation, and I can actually do this, but since this is a pretty common case for the OAuth 2.0 specification I would like to have such configuration from the framework side. I think an optional audience property should be added to OAuth2ResourceServerProperties so that, when it is passed, the JwtAudienceValidator is enabled.

Comment From: jzheaux

Thanks for the suggestion, @20fps.

I agree that audience validation is rather common. It's also in the JWT RFC that it must be recognized by resource servers if present:

If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Because of that, I agree that audience validation for resource servers should be simple to configure.

Currently, it is rather simple to add via JwtClaimValidator in 5.3:

import java.util.List;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*; // Jwt, JwtClaimNames, JwtClaimValidator, JwtValidators

// Default validators (timestamps + issuer) combined with an "aud" claim check.
private OAuth2TokenValidator<Jwt> jwtValidator() {
    String issuer = this.properties.getJwt().getIssuerUri();
    return new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(issuer),
            new JwtClaimValidator<List<String>>(JwtClaimNames.AUD, aud -> aud != null && aud.contains("my-audience")));
}

Can you elaborate on why you think it should be property-driven? I guess I'm looking for an understanding of what makes aud different from other JWT claims, which also are not property-driven. Another option might be to further simplify the Java config, for example.

Comment From: spring-projects-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Comment From: spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

Comment From: simon-an

When the JWT is an OpenID Connect token, then the aud claim is mandatory and identifies the clients allowed to access the resource server. For this use case, it should be possible to pass a list of audiences as a property which contains the client ids of the applications allowed to access the resource server.

https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth

aud
    REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
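A property-driven audience validator of the kind the original request and the comment above ask for, written here as an added example rather than code from this thread or from Spring Security itself. It assumes a hypothetical comma-separated property `my.resource-server.audiences`; when that property is empty only the default timestamp and issuer validation runs (the "optional" behaviour), and when it lists audiences a token whose `aud` claim names none of them, or has no `aud` claim at all, is rejected with `invalid_token`. The single-string form of `aud` quoted from OIDC Core is handled because `Jwt#getAudience()` normalises it to a list.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.*;   // OAuth2Error, OAuth2ErrorCodes, OAuth2TokenValidator(Result), DelegatingOAuth2TokenValidator
import org.springframework.security.oauth2.jwt.*;    // Jwt, JwtDecoder(s), JwtValidators, NimbusJwtDecoder

/** Accepts a JWT only if its "aud" claim names at least one configured audience. */
class JwtAudienceValidator implements OAuth2TokenValidator<Jwt> {

    private static final OAuth2Error INVALID_AUDIENCE = new OAuth2Error(
            OAuth2ErrorCodes.INVALID_TOKEN, "The required audience is missing", null);

    private final List<String> allowedAudiences;

    JwtAudienceValidator(List<String> allowedAudiences) {
        this.allowedAudiences = allowedAudiences;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        // Jwt#getAudience() turns the single-string form of "aud" permitted by
        // RFC 7519 / OIDC Core into a list and returns null when the claim is absent;
        // an absent claim can never satisfy a configured audience, so it is rejected.
        // List#contains is a case-sensitive comparison, as the spec requires.
        List<String> aud = jwt.getAudience();
        boolean matched = aud != null && this.allowedAudiences.stream().anyMatch(aud::contains);
        return matched ? OAuth2TokenValidatorResult.success()
                       : OAuth2TokenValidatorResult.failure(INVALID_AUDIENCE);
    }
}

/** Enables the audience check only when the hypothetical property lists audiences. */
@Configuration
class JwtDecoderConfig {

    @Bean
    JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuer,
            @Value("${my.resource-server.audiences:}") List<String> audiences) { // assumed property name
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromOidcIssuerLocation(issuer);
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(issuer);
        // Empty list: keep the default timestamp + issuer validation only ("optional" audience).
        decoder.setJwtValidator(audiences.isEmpty() ? defaults
                : new DelegatingOAuth2TokenValidator<>(defaults, new JwtAudienceValidator(audiences)));
        return decoder;
    }
}
```

Declaring this `JwtDecoder` bean replaces the one Spring Boot auto-configures from `issuer-uri`, so the default validators must be re-added explicitly as shown.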