Expected Behavior
I'd like to see spring security support "urn:ietf:params:oauth:grant-type:saml2-bearer" as a valid authorization grant type.
Current Behavior
Support appears to be missing.
Context
As far as I can tell, both "urn:ietf:params:oauth:grant-type:saml2-bearer" and "urn:ietf:params:oauth:grant-type:jwt-bearer" are in RFC status, but it looks like JWT is supported and SAML is not.
JWT RFC: https://datatracker.ietf.org/doc/html/rfc7523
SAML RFC: https://datatracker.ietf.org/doc/html/rfc7522
Current grant types: https://github.com/spring-projects/spring-security/blob/33d904d7080dc8118661e4b8e930ffec2c97bb5b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java#L63
Is this on purpose / intentional, or is it due to a lack of interest / contributions on the SAML side? Thanks
Comment From: sjohnr
Hi @vonnahme, thanks for opening your first issue!
I believe this is the first time anyone has requested this feature. For that reason, it would probably be fairly low priority unless folks in the community see this issue and begin up-voting it (using 👍). Having said that, if you or someone else was interested in taking it on, I think we would be interested in accepting the contribution. Is that something you'd be interested in taking on?
Comment From: vonnahme
> I think we would be interested in accepting the contribution. Is that something you'd be interested in taking on?
I may be able to contribute this - I believe the classes will be very similar to the JWT classes.
A couple questions:
1. Can I contribute this to the 5.7.x branch? That's the version we're currently on, so we'd get value sooner by it being in there rather than in 6.x.
2. In https://github.com/spring-projects/spring-security/blob/c3d28a72a23436c8a9344e763f38b34ebef82e9b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/JwtBearerOAuth2AuthorizedClientProvider.java#L49 and https://github.com/spring-projects/spring-security/blob/c3d28a72a23436c8a9344e763f38b34ebef82e9b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/JwtBearerGrantRequest.java#L44, the code makes reference to the Jwt class included in 'spring-security-oauth2-jose'. Is there a similar Spring class that represents SAML? Would it be https://github.com/spring-projects/spring-security/blob/c3d28a72a23436c8a9344e763f38b34ebef82e9b/saml2/saml2-service-provider/src/main/java/org/springframework/security/saml2/provider/service/authentication/Saml2Authentication.java ?
Comment From: sjohnr
> Can I contribute this to the 5.7.x branch?
Sadly, no. We add new features to the latest development branch (main). Currently, the earliest it could be available is 6.2, but we would not know when it could be released until the work is completed.
> the code makes reference to the Jwt class included in 'spring-security-oauth2-jose'. Is there a similar Spring class that represents SAML?
I would need to learn a bit more about the SAML support (or collaborate with team members) to assist more. I believe you are correct that it would be Saml2Authentication, though that would be equivalent to JwtAuthenticationToken in oauth2-resource-server.
I don't know that there is a direct analogue to Jwt, which is a generic container for a parsed JWT, but there is a String saml2Response. Saml2Authentication also holds Saml2AuthenticatedPrincipal (implemented by DefaultSaml2AuthenticatedPrincipal), which I believe is the parsed representation of the SAML response.
What we would not want to do with this feature is introduce a dependency on saml2-service-provider from oauth2-client. So any assertion resolvers would need to be maintained in the saml2 code, and provided generically to the OAuth2AuthorizedClientProvider you would build. Does that make sense?
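As an added example, not Spring Security's own code and not the contribution discussed in this issue, here is what a provider built along the lines described in the comment above could look like. It answers the earlier question about a SAML analogue of the Jwt class by not needing one: the assertion reaches the provider as a String through a Function that saml2 code supplies, so oauth2-client takes no dependency on saml2-service-provider, and the provider posts the RFC 7522 grant to the token endpoint. The class names Saml2BearerOAuth2AuthorizedClientProvider, Saml2BearerGrantRequest and DefaultSaml2BearerTokenResponseClient, the SAML2_BEARER constant, the 60-second clock skew and the use of client_secret_basic client authentication are all assumptions; everything else is existing Spring Security 5.5+ API (AbstractOAuth2AuthorizationGrantRequest, OAuth2AuthorizedClientProvider, OAuth2AccessTokenResponseClient, OAuth2ParameterNames.ASSERTION).

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.function.Function;

import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

// Hypothetical class, not part of Spring Security. It speaks oauth2-client types only: the SAML
// assertion arrives as a String from a resolver that saml2 code supplies, so no saml2 dependency here.
public final class Saml2BearerOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {

	// Hypothetical constant; AuthorizationGrantType has JWT_BEARER but no SAML 2.0 counterpart yet.
	public static final AuthorizationGrantType SAML2_BEARER =
			new AuthorizationGrantType("urn:ietf:params:oauth:grant-type:saml2-bearer");
	private static final Duration CLOCK_SKEW = Duration.ofSeconds(60); // assumed tolerance

	private final Function<OAuth2AuthorizationContext, String> assertionResolver;
	private OAuth2AccessTokenResponseClient<Saml2BearerGrantRequest> accessTokenResponseClient =
			new DefaultSaml2BearerTokenResponseClient();

	// The resolver returns the XML of a single <saml2:Assertion> for the context's principal, or null.
	public Saml2BearerOAuth2AuthorizedClientProvider(Function<OAuth2AuthorizationContext, String> assertionResolver) {
		Assert.notNull(assertionResolver, "assertionResolver cannot be null");
		this.assertionResolver = assertionResolver;
	}

	@Override
	public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context) {
		Assert.notNull(context, "context cannot be null");
		ClientRegistration clientRegistration = context.getClientRegistration();
		if (!SAML2_BEARER.equals(clientRegistration.getAuthorizationGrantType())) {
			return null; // not this provider's grant type; a delegating provider tries the next one
		}
		OAuth2AuthorizedClient authorizedClient = context.getAuthorizedClient();
		if (authorizedClient != null && !hasTokenExpired(authorizedClient.getAccessToken())) {
			return null; // the existing access token is still valid, so nothing to do
		}
		String assertion = this.assertionResolver.apply(context);
		if (assertion == null) {
			return null; // no assertion available for this principal
		}
		Saml2BearerGrantRequest request = new Saml2BearerGrantRequest(clientRegistration, assertion);
		OAuth2AccessTokenResponse response = this.accessTokenResponseClient.getTokenResponse(request);
		return new OAuth2AuthorizedClient(clientRegistration, context.getPrincipal().getName(),
				response.getAccessToken(), response.getRefreshToken());
	}

	private static boolean hasTokenExpired(OAuth2AccessToken token) {
		return token.getExpiresAt() != null && Instant.now().isAfter(token.getExpiresAt().minus(CLOCK_SKEW));
	}

	// Grant request carrying the assertion XML; the analogue of JwtBearerGrantRequest without a Jwt type.
	public static final class Saml2BearerGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
		private final String assertion;

		public Saml2BearerGrantRequest(ClientRegistration clientRegistration, String assertion) {
			super(SAML2_BEARER, clientRegistration);
			Assert.hasText(assertion, "assertion cannot be empty");
			this.assertion = assertion;
		}

		// RFC 7522 section 2.1: the assertion parameter is the base64url-encoded SAML Assertion.
		public String getEncodedAssertion() {
			return Base64.getUrlEncoder().withoutPadding().encodeToString(this.assertion.getBytes(StandardCharsets.UTF_8));
		}
	}

	// Posts grant_type and assertion to the token endpoint; assumes client_secret_basic authentication.
	public static final class DefaultSaml2BearerTokenResponseClient
			implements OAuth2AccessTokenResponseClient<Saml2BearerGrantRequest> {
		private final RestTemplate restTemplate = new RestTemplate(
				Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));

		public DefaultSaml2BearerTokenResponseClient() {
			this.restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
		}

		@Override
		public OAuth2AccessTokenResponse getTokenResponse(Saml2BearerGrantRequest request) {
			ClientRegistration registration = request.getClientRegistration();
			MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
			form.add(OAuth2ParameterNames.GRANT_TYPE, SAML2_BEARER.getValue());
			form.add(OAuth2ParameterNames.ASSERTION, request.getEncodedAssertion());
			if (!CollectionUtils.isEmpty(registration.getScopes())) {
				form.add(OAuth2ParameterNames.SCOPE, String.join(" ", registration.getScopes()));
			}
			HttpHeaders headers = new HttpHeaders();
			headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
			headers.setBasicAuth(registration.getClientId(), registration.getClientSecret());
			RequestEntity<MultiValueMap<String, String>> entity = new RequestEntity<>(form, headers, HttpMethod.POST,
					URI.create(registration.getProviderDetails().getTokenUri()));
			return this.restTemplate.exchange(entity, OAuth2AccessTokenResponse.class).getBody();
		}
	}
}
```

Two caveats a practitioner would want. First, the client does no validation of the assertion: under RFC 7522 section 3 it is the authorization server that checks the issuer signature, the Audience, the bearer SubjectConfirmation and NotOnOrAfter, so the resolver's only job is to hand over the assertion the identity provider issued for the current principal, not to construct one. Second, the assertion must be a single SAML 2.0 Assertion element, not the whole Response the SP received, which is why the resolver in saml2 code would have to extract it from Saml2Authentication's response rather than pass the response through.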
Comment From: marcusdacoregio
Closing this as duplicate of https://github.com/spring-projects/spring-security/issues/7581