spring-authorization-server

Add support for OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

Open tlodderstedt opened this issue 4 years ago • 16 comments

Expected Behavior
Support for RFC 8705 would allow clients to authenticate using TLS certificates and to bind access tokens to such certificates.

Current Behavior
Addition of client authentication with public client crypto increases the security capabilities of this project.

Context
There are several advantages:

  • Certificate-based authentication is more secure than shared secrets since the secret is managed at the client only. This reduces the attack surface at the AS.
  • Binding access tokens to certificates allows replay detection at the RS (recommended by the OAuth Security BCP). RFC 8705 provides a simple technical solution.
  • Since RFC 8705 also supports self-signed certs, this mechanism does not suffer from the typical headache a PKI has built in.
  • Certificate-based client authentication is a great basis for using OAuth in micro service architecture as it allows

Related gh-1558, gh-1559, gh-1560

tlodderstedt avatar Aug 21 '20 21:08 tlodderstedt
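A worked illustration of the certificate binding the issue refers to, added here and not code from the Spring Authorization Server project: it computes the RFC 8705 `x5t#S256` thumbprint and shows the resource-server check that rejects a bound token replayed from a different TLS client. The certificate bytes and token claims are constructed stand-ins, and signature and expiry validation are assumed to have happened before this check.

```python
import base64
import hashlib
import hmac
from typing import Optional

# RFC 8705 section 3.1: the binding value is the base64url-encoded (no padding)
# SHA-256 hash of the DER-encoded client certificate, carried as "x5t#S256"
# inside the token's "cnf" (confirmation) claim.
def x5t_s256(cert_der: bytes) -> str:
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def bind_token(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server side: add the confirmation claim to the token."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound

def check_binding(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side: accept the token only when the certificate used on
    this TLS connection matches the thumbprint the AS bound into the token.
    A token without a binding, or a request without mTLS, is rejected."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict) or "x5t#S256" not in cnf:
        return False
    if presented_cert_der is None:
        return False
    expected = cnf["x5t#S256"]
    actual = x5t_s256(presented_cert_der)
    # constant-time compare, as for any secret-derived comparison
    return hmac.compare_digest(expected, actual)

# Constructed stand-ins for DER certificate bytes (not real certificates).
LEGIT_CLIENT_CERT = b"\x30\x82\x01\x00constructed-der-client-A"
OTHER_CLIENT_CERT = b"\x30\x82\x01\x00constructed-der-client-B"

def demo() -> dict:
    """Issue a bound token to client A, then present it over three connections."""
    claims = bind_token({"sub": "client-a", "scope": "read"}, LEGIT_CLIENT_CERT)
    return {
        "legit": check_binding(claims, LEGIT_CLIENT_CERT),      # same cert: ok
        "replayed": check_binding(claims, OTHER_CLIENT_CERT),   # stolen token
        "no_mtls": check_binding(claims, None),                  # plain TLS
    }
```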

@jgrandja Has it already been assigned to someone? I'd like to give it a try.

pkostrzewa avatar Apr 09 '21 12:04 pkostrzewa

Thanks for the offer @pkostrzewa. I likely need to split this ticket up into 2 separate tasks. I'll get back to you sometime next week with a plan on how to implement this feature. Thanks!

jgrandja avatar Apr 12 '21 12:04 jgrandja

@pkostrzewa Apologies for the long delay in my response.

I'm going to be taking on this feature as part of a POC that I'll be starting next week. The POC involves integration with SPIFFE / SPIRE.

If there are any other tasks you're interested in please let me know.

jgrandja avatar May 20 '21 17:05 jgrandja

@jgrandja Yes, I can take something else.

pkostrzewa avatar May 21 '21 11:05 pkostrzewa

See sample implementation: https://github.com/jgrandja/spring-authorization-server/commits/springone-2021

jgrandja avatar Sep 22 '21 19:09 jgrandja

Hi @jgrandja, in which release we can expect this feature?

aphalke avatar Sep 30 '22 10:09 aphalke

@aphalke We'll target this feature in the 1.1.0 release, which is approx. 7 months out.

jgrandja avatar Oct 04 '22 21:10 jgrandja

This feature has been pushed to the 1.2.0 release, as we don't have enough time to get it into 1.1.0. It will be top priority for 1.2.0.

jgrandja avatar Apr 04 '23 15:04 jgrandja

@jgrandja Do you know which version of spring authorization server will support mtls?

ZuoJunLN avatar Oct 31 '23 18:10 ZuoJunLN

@ZuoJunLN We're releasing 1.2 Nov 21 and then will be planning 1.3. We will consider adding this feature but I'm not sure at this point as we already have quite a bit of work planned for 1.3.

jgrandja avatar Nov 01 '23 10:11 jgrandja

@jgrandja Thank you for your reply. May I inquire about the reason for this ticket being repeatedly postponed? It has been there for over three years. Is there a technical issue causing the delay, or is it simply a matter of other priorities taking precedence?

ZuoJunLN avatar Nov 01 '23 18:11 ZuoJunLN

@ZuoJunLN Other priorities have taken precedence. No technical issue. As well, we have limited resources on the team so it's tough getting all the features we want/need into a release.

jgrandja avatar Nov 02 '23 15:11 jgrandja

@jgrandja Understood. By the way, in order to support mTLS, the client will pass a client certificate to the server. How does the Spring Authorization Server handle the client certificate? Does it obtain the client certificate from the request header, or does it retrieve the client certificate from somewhere else?

ZuoJunLN avatar Nov 02 '23 17:11 ZuoJunLN

@ZuoJunLN It will check for the client certificate in the request. See sample implementation for details.

jgrandja avatar Nov 03 '23 12:11 jgrandja

Thanks for your recent update. When will 1.3.0-M3 be released? When will 1.3.0 be officially released?

ZuoJunLN avatar Mar 14 '24 14:03 ZuoJunLN

@ZuoJunLN Scheduled release dates are here

jgrandja avatar Mar 14 '24 15:03 jgrandja

@jgrandja In RFC 8705, it suggests that the Authorization Server should support a different token endpoint for each authentication method. Is this supported in this release?

ZuoJunLN avatar Mar 19 '24 14:03 ZuoJunLN

@jgrandja One more question about implementing this server: in RFC 8705, it states that the implementation of mutual-TLS for client authentication and mutual-TLS client certificate-bound access tokens can be done separately. Is this supported here?

ZuoJunLN avatar Mar 20 '24 13:03 ZuoJunLN

@ZuoJunLN This is not a support forum. We prefer to use GitHub issues only for bugs and enhancements. If you have specific questions or require support please direct it to Stack Overflow.

There are 3 issues that are linked to this issue and only one of them is complete now. There is more work to be done in the other 2 issues until this feature is complete. Until this feature is fully complete and we have provided reference documentation, it is up to you to look at the current code to see what is currently implemented.

jgrandja avatar Mar 20 '24 15:03 jgrandja

@tlodderstedt It's been a long time coming but I'm happy to share that this feature has been completed and will be released in 1.3 on May 21.

The Demo Sample shows how to configure the client for mTLS client authentication using both the PKI and self-signed methods.

I've split up this issue and associated tasks into 4 separate issues gh-1558, gh-1559, gh-1560 and gh-1561. I'll close this as a duplicate.

I still need to add reference documentation in gh-1561 before the release.

jgrandja avatar Apr 10 '24 09:04 jgrandja