https://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture-08 https://tools.ietf.org/id/draft-ietf-oauth-pop-key-distribution-04.html
Expected Behavior
Proof of possession enables client authentication on requests to resource servers. The OAuth2 authorization server signs a JWT-formatted access token which includes the client's public key. The resource server verifies the access token against the AS JWKS, and also verifies the access token (or some part of it) against the client's public key (contained in the cnf, i.e. confirmation, claim).
I'm not fully clear on how the client would pass the signature (or shared secret and hash in the case of symmetric), so would need to figure that out for an implementation. Does anyone know a standard for this?
With some Boot or web integrations, this feature could be enabled easily by a Spring Security user with some variation of the following (reactive) code:
```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
class SecurityConfig { // class name is a placeholder; the original omitted it
    @Bean
    public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
        // proofOfPossession() is the proposed API, not an existing Spring Security method
        http.oauth2ResourceServer().proofOfPossession();
        return http.build();
    }
}
```
Current Behavior
Would have to implement custom token validation or some such to make it work.
Context
Client to resource server authentication is becoming a best practice in the industry and would enhance Spring Security greatly.
Comment From: segevmalool
I think the move here (for reactive at least) would be to implement an extension of NimbusReactiveJwtDecoder (say, NimbusPopReactiveJwtDecoder) that includes the functionality to verify the client signature.
Then the API would be a method on ServerHttpServer.Oauth2ResourceServerSpec.JwtSpec to set the extended decoder.
I'm guessing most of these have analogous implementation on the non-reactive side of things.
Comment From: segevmalool
Another implementation option might be to add a static method to JwtValidators and add a new validator class for the PoP validation.
Comment From: jgrandja
@segevmalool We're planning on implementing this on the Authorization Server side in spring-authorization-server#101. We'll then implement the Resource Server side validation.
Comment From: jgrandja
This feature has been merged via https://github.com/spring-projects/spring-security/commit/644cfa9f875409d2b2bf01cd791d1a906e44c500.
Added a new OAuth2TokenValidator<Jwt> that validates the x5t#S256 claim in the Jwt against the SHA-256 Thumbprint of the supplied X509Certificate. This implementation is for the Servlet stack. See gh-14887 for the Reactive stack and gh-14888 for "opaque" access token validation.
Relevant specification:
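Added example, not part of the issue thread and not Spring Security's own code: the end-to-end flow the issue describes (AS binds a confirmation claim into the token, RS verifies the AS signature and then the binding) combined with the check the merged validator performs (the `x5t#S256` member of `cnf` compared against the base64url SHA-256 thumbprint of the client's DER certificate, as in RFC 8705). Assumptions: the AS signs with HS256 over a shared key for brevity (a real AS signs with an asymmetric key published in its JWKS), the certificate "DER" inputs are constructed byte strings rather than real certificates, and all function names are mine.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample inputs (not real keys or certificates): a shared HMAC key
# standing in for the authorization server's signing key, and two opaque byte
# strings standing in for the DER encodings of two client certificates.
AS_SIGNING_KEY = b"authorization-server-hs256-key-for-demo-only"
CLIENT_CERT_DER = b"\x30\x82\x01\x0a-constructed-client-certificate-der"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-constructed-different-certificate"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by JWS and by RFC 8705 thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def cert_thumbprint_s256(cert_der: bytes) -> str:
    """RFC 8705 x5t#S256: base64url(SHA-256(DER-encoded certificate))."""
    return b64url(hashlib.sha256(cert_der).digest())


def issue_bound_token(claims: dict, cert_der: bytes, key: bytes) -> str:
    """AS side: add the cnf claim holding the client certificate thumbprint,
    then sign the JWT (HS256 here only to keep the example self-contained)."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint_s256(cert_der)}
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps(bound, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_signature(token: str, key: bytes) -> dict:
    """RS side, step 1: pin the expected alg, check the AS signature in
    constant time, and return the claims."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("invalid token signature")
    return json.loads(b64url_decode(payload))


def validate_certificate_binding(claims: dict, presented_cert_der: bytes) -> bool:
    """RS side, step 2: the certificate presented on the mTLS connection must
    hash to the thumbprint the AS bound into the token. A token without a
    usable cnf/x5t#S256 member is treated as unbound and rejected."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    claimed = cnf.get("x5t#S256")
    if not isinstance(claimed, str):
        return False
    actual = cert_thumbprint_s256(presented_cert_der)
    return hmac.compare_digest(claimed.encode("utf-8"), actual.encode("utf-8"))


def resource_server_accepts(token: str, presented_cert_der: bytes,
                            key: bytes = AS_SIGNING_KEY) -> bool:
    """Full RS decision: signature first, then proof of possession."""
    try:
        claims = verify_signature(token, key)
    except (ValueError, KeyError):
        return False
    return validate_certificate_binding(claims, presented_cert_der)


if __name__ == "__main__":
    token = issue_bound_token({"sub": "client-1", "scope": "read"}, CLIENT_CERT_DER, AS_SIGNING_KEY)
    print("same cert:", resource_server_accepts(token, CLIENT_CERT_DER))
    print("replayed with another cert:", resource_server_accepts(token, OTHER_CERT_DER))
```

The second print is the point of the feature: a bearer token stolen from the wire or a log is useless to anyone who cannot also present the bound certificate on the TLS connection, because the thumbprint in `cnf` no longer matches. Rejecting tokens that lack `cnf` altogether (rather than treating them as plain bearer tokens) is a deliberate choice for a resource server that has opted into PoP; a mixed deployment would instead decide per-client or per-scope.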