Describe the bug
I use Spring Boot 2.5.0, where Spring Security 5.5.0 is included.
From issue https://github.com/spring-projects/spring-security/issues/8175 I read that "partial" support for JWT OAuth 2.0 Client Authentication and Authorization Grant is implemented.
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#second-case-access-token-request-with-a-certificate
I set up everything in Spring Boot and initiate the token access chain.
It seems like the header parameters "x5t:base64EncodedThumprintHere" and "typ:JWT" inside the signed client_assertion are not sent to Azure AD at all; only ALG:RS256 is sent in the header. Claims are created correctly.
During debugging I observe that in the method "private static JoseHeader addKeyIdentifierHeadersIfNecessary(JoseHeader headers, JWK jwk)" in NimbusJwsEncoder.java neither the "x5t:base64thumbprinthere" nor the typ:JWT header gets added. On the other hand, I am able to get the "x5t#S256" parameter populated, but Azure AD does not accept it.
To Reproduce
Expected behavior "x5t:base64EncodedThumprintHere" and "typ:JWT" should be added to the header.
Related gh-9208
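A diagnostic for the symptom reported above, written as an added example that is not part of this issue or of Spring Security: it decodes the protected header of a client_assertion and reports whether `typ:JWT` and the SHA-1 `x5t` thumbprint (the form Azure AD expects) are present and match the certificate, distinguishing that from the `x5t#S256` variant. The certificate bytes and the assertions are constructed stand-ins; the signature is not verified, only the header is inspected.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JOSE header segments and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_sha1(cert_der: bytes) -> str:
    """RFC 7515 'x5t': base64url(SHA-1(DER certificate)), the value Azure AD checks."""
    return b64url(hashlib.sha1(cert_der).digest())

def x5t_sha256(cert_der: bytes) -> str:
    """RFC 7515 'x5t#S256': base64url(SHA-256(DER certificate)), the variant the issue says is rejected."""
    return b64url(hashlib.sha256(cert_der).digest())

def jose_header(client_assertion: str) -> dict:
    """Parse the protected header (first segment) of a compact JWS, restoring padding."""
    first = client_assertion.split(".")[0]
    first += "=" * (-len(first) % 4)
    return json.loads(base64.urlsafe_b64decode(first))

def assertion_header_problems(client_assertion: str, cert_der: bytes) -> list:
    """Return the header defects found (empty list means the header is as expected)."""
    hdr = jose_header(client_assertion)
    problems = []
    if hdr.get("alg") != "RS256":
        problems.append("alg is not RS256")
    if hdr.get("typ") != "JWT":
        problems.append("typ:JWT header missing")
    if "x5t" not in hdr:
        if "x5t#S256" in hdr:
            problems.append("only x5t#S256 present; Azure AD expects x5t (SHA-1)")
        else:
            problems.append("x5t header missing")
    elif hdr["x5t"] != x5t_sha1(cert_der):
        problems.append("x5t does not match the SHA-1 thumbprint of the certificate")
    return problems

def build_header(cert_der: bytes) -> str:
    """Encode the protected header a client_assertion for Azure AD should carry (signing happens elsewhere)."""
    hdr = {"alg": "RS256", "typ": "JWT", "x5t": x5t_sha1(cert_der)}
    return b64url(json.dumps(hdr, separators=(",", ":")).encode())

# Constructed stand-in for DER certificate bytes; a real one comes from the client's keystore.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-der-placeholder"
# Constructed assertions with a dummy payload and signature: one as the issue describes (alg only), one fixed.
BROKEN_ASSERTION = b64url(b'{"alg":"RS256"}') + "." + b64url(b'{"iss":"client-id"}') + ".sig"
FIXED_ASSERTION = build_header(FAKE_CERT_DER) + "." + b64url(b'{"iss":"client-id"}') + ".sig"
```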
Comment From: jgrandja
Thanks for the report @marcerik.
You mention x5t:base64EncodedThumprintHere but do you mean the x5t header?
The ability to customize the Jwt client assertion will be allowed after we merge gh-9208. See this related comment.
Comment From: marcerik
Sorry for the confusion. What I mean is that the "x5t" and "typ" header parameters are missing from the client_assertion.
Comment From: jgrandja
No worries @marcerik. This issue will be resolved after gh-9208 is merged, which will provide the ability to fully customize the Jwt assertion.
Comment From: jgrandja
@marcerik I'm going to close this as a duplicate of gh-9855.
Please follow gh-9855 to ensure the enhancement meets your requirements. It's planned for 5.7.x.