Summary

There doesn't seem to be a way to specify the audience/resource server for a token request to an authorization server via client-credentials grant-type flow.

Actual Behavior

There is no obvious way to define the audience of the token when requesting a token.

Expected Behavior

There should be a way to specify an 'aud' with the creation of the ClientRegistration object.

Configuration

Spring Boot 2.2.0.M4 project, Java 12, Maven

Version

Spring Security 5.2.0.M3

Sample

The payload of the JWT token that is returned should contain the audience as specified in the request, i.e.:

Request:

curl -X POST \
  https://login.microsoftonline.com/31f52c3f-25dd-415f-b9b9-36a2e0391777/oauth2/token \
  -d 'grant_type=client_credentials&client_id=<my_client_id>&client_secret=<my_client_secret>&resource=https%3A%2F%2Fmy-resource.com'

Payload of returned JWT token:

{
  "aud": "https://my-resource.com",
  "iss": "https://sts.windows.net/31f52c3f-25dd-415f-b9b9-36a2e0391777/",
  "iat": 1567705779,
  "nbf": 1567705779,
  "exp": 1567709679,
  ...
}

Comment From: jgrandja

@j-chao The aud claim in a JWT will only be returned depending on the Authorization Server configuration for the Client. The Client can only request one or more scopes, as per the Client Credentials Access Token Request, and based on the requested scope(s) the Authorization Server will assign one or more aud in the returned JWT.

So assigning an aud to a ClientRegistration doesn't make sense here as it will be completely ignored (or rejected) by a standard Authorization Server. Take a look at the Client Registration metadata in the Authorization Server in combination with the scope registered and requested by the Client.

I'm going to close this as answered.

As an FYI, there is a way to customize the Access Token request for non-standard parameters (resource). See the documentation for DefaultAuthorizationCodeTokenResponseClient which would be very similar to how DefaultClientCredentialsTokenResponseClient would be customized.

Comment From: ahezzati

@jgrandja some authorization servers like Auth0 mandate "audience" in the request body; if it is not there it returns a "Non-global clients are not allowed access to APIv1" failure message. https://medium.com/@svkristof_86488/non-global-clients-are-not-allowed-access-to-apiv1-88877f1e855b

The workaround I did was to put a property for each audience, all of them having the same key except the last value, which should match the registrationId, and I made the concatenation in my custom Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> where I add "audience" as a form parameter. An example would be: myapplication.audience.abc=audience1, myapplication.audience.xyz=audience2 where (abc) and (xyz) are registrationIds.

It works, but it would be better if it were supported out-of-the-box by Spring Boot.
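The customization jgrandja points at and the per-registrationId "audience" form parameter ahezzati describes, as an added example (not code from the issue or from Spring Security itself). It assumes Spring Security 5.2's DefaultClientCredentialsTokenResponseClient and OAuth2ClientCredentialsGrantRequestEntityConverter, and that the registrationId-to-audience map is populated from application properties (the myapplication.audience.* keys above), never from request input.

```java
import java.util.Map;

import org.springframework.core.convert.converter.Converter;
import org.springframework.http.RequestEntity;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.util.MultiValueMap;

/**
 * Adds the non-standard "audience" form parameter to a client-credentials token request.
 * The standard converter builds the RFC 6749 request; this wrapper only appends one field.
 */
public class AudienceAwareGrantRequestConverter
        implements Converter<OAuth2ClientCredentialsGrantRequest, RequestEntity<?>> {

    private final OAuth2ClientCredentialsGrantRequestEntityConverter delegate =
            new OAuth2ClientCredentialsGrantRequestEntityConverter();

    // registrationId -> audience, e.g. {"abc": "audience1", "xyz": "audience2"} (assumed to
    // be bound from myapplication.audience.<registrationId> properties at startup)
    private final Map<String, String> audienceByRegistrationId;

    public AudienceAwareGrantRequestConverter(Map<String, String> audienceByRegistrationId) {
        this.audienceByRegistrationId = audienceByRegistrationId;
    }

    @Override
    @SuppressWarnings("unchecked")
    public RequestEntity<?> convert(OAuth2ClientCredentialsGrantRequest grantRequest) {
        RequestEntity<?> entity = delegate.convert(grantRequest);
        String registrationId = grantRequest.getClientRegistration().getRegistrationId();
        String audience = audienceByRegistrationId.get(registrationId);
        if (audience == null) {
            return entity; // no audience configured: send the plain standard request
        }
        // The delegate's body is the form-encoded parameter map; append the extra field.
        // Auth0 expects "audience"; Azure AD v1 (the curl above) uses "resource" instead.
        MultiValueMap<String, String> form = (MultiValueMap<String, String>) entity.getBody();
        form.add("audience", audience);
        return new RequestEntity<>(form, entity.getHeaders(), entity.getMethod(), entity.getUrl());
    }

    /** Wires the converter into the token response client that performs the token request. */
    public static DefaultClientCredentialsTokenResponseClient tokenResponseClient(
            Map<String, String> audienceByRegistrationId) {
        DefaultClientCredentialsTokenResponseClient client = new DefaultClientCredentialsTokenResponseClient();
        client.setRequestEntityConverter(new AudienceAwareGrantRequestConverter(audienceByRegistrationId));
        return client;
    }
}
```

The resource server receiving the token still has to check that aud matches its own identifier; sending the parameter only controls what the authorization server is asked for, not what is accepted.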

Comment From: pierre-sion

Postman offers the possibility to customize the "audience" and "resource" parameters when requesting a token using the client-credentials flow. It shows that there is a need for such a feature.

Comment From: Biglr

@jgrandja some authorization servers like Auth0 mandates "audience" in the request body, if it is not there it returns "Non-global clients are not allowed access to APIv1" failure message. https://medium.com/@svkristof_86488/non-global-clients-are-not-allowed-access-to-apiv1-88877f1e855b

Yeah, I had the same problem. It would be great if this could be added to spring security, would've saved me a couple of hours of debugging, digging and frustration...

If anyone should require some assistance, let me know. I might be able to save you some time.

Comment From: wujek-srujek

Please consider reopening this and implementing this feature. Especially since the 'status: invalid' label is invalid.