Summary

When registering an OAuth2 Provider, a JWK Set URI can be set, according to https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#oauth2login-boot-property-mappings

spring.security.oauth2.client.provider.[providerId].jwk-set-uri

From the documentation, it is not clear that this URI is only used with OpenID Connect.

Actual Behavior

This URI is not respected by the OAuth2LoginAuthenticationProvider. It is respected when using the OidcAuthorizationCodeAuthenticationProvider (by setting the scope to openid).

Expected Behavior

Similar to the Resource Server, the OAuth2LoginAuthenticationProvider should verify the JWT signature when the access token is a JWT and spring-security-oauth2-jose is on the classpath.

If this is not wanted (as OAuth2 does not require the access token to be a JWT): at least, the documentation should clarify that the jwk-set-uri is only used when the scope openid is set.

Configuration

spring.security.oauth2.client.registration.authserver=authserver
spring.security.oauth2.client.registration.authserver.client-id=democlient
spring.security.oauth2.client.registration.authserver.client-secret=secret
spring.security.oauth2.client.registration.authserver.client-authentication-method=basic
spring.security.oauth2.client.registration.authserver.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.authserver.redirect-uri={baseUrl}/login/oauth2/code/authserver
spring.security.oauth2.client.registration.authserver.scope=read
spring.security.oauth2.client.registration.authserver.client-name=democlient
spring.security.oauth2.client.provider.authserver.authorization-uri=http://authserver:8080/oauth/authorize
spring.security.oauth2.client.provider.authserver.token-uri=http://authserver:8080/oauth/token
spring.security.oauth2.client.provider.authserver.jwk-set-uri=http://authserver:8080/.well-known/jwks.json
spring.security.oauth2.client.provider.authserver.user-info-uri=http://authserver:8080/me
spring.security.oauth2.client.provider.authserver.user-info-authentication-method=header
spring.security.oauth2.client.provider.authserver.userNameAttribute=user_name

Version

spring-security-oauth2-client:5.1.3

Comment From: jgrandja

Thanks for the report @jochenchrist.

From the documentation, it is not clear that this URI is only used with OpenID Connect.

If you look at the docs for ClientRegistration, it states the following for jwkSetUri:

The URI used to retrieve the JSON Web Key (JWK) Set from the Authorization Server, which contains the cryptographic key(s) used to verify the JSON Web Signature (JWS) of the ID Token and optionally the UserInfo Response.

As an FYI, the ID Token is defined by OpenID Connect, hence the use of it in OidcAuthorizationCodeAuthenticationProvider and not OAuth2LoginAuthenticationProvider.

the OAuth2LoginAuthenticationProvider should verify the JWT signature when the access token is a JWT

As per the docs, the signature is verified on the ID Token, not the Access Token. As far as the OAuth Client is concerned, the Access Token is always opaque to the client.

I'm going to close this issue as I feel the documentation outlines the required information. If you feel it needs further improvement, I can re-open to discuss further.

Comment From: kumarimanjari

@jgrandja - Hi, I am setting this property in my property file - spring.security.oauth2.client.provider.authserver.jwk-set-uri=http://authserver:8080/.well-known/jwks.json, but I am getting an I/O error when fetching the JWKS. Any example of how to set the RestTemplate for this would be appreciated.

Spring Boot version - 3.2.0