spring-authorization-server
Support JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Expected Behavior
There is a new IETF specification for JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens which has already been approved by the IESG and will be published as a final RFC very soon. This specification aims to provide a standardized and interoperable profile as an alternative to the proprietary JWT access token layouts going forward. This adds the following details for compliant JWT access tokens:
- JWT access tokens MUST include "at+jwt" in the "typ" header parameter to explicitly declare that the JWT represents an access token
- JWT access tokens require at least the following claims: iss, exp, aud, sub, client_id, iat, jti
- Claims for Authorization are standardized using "roles", "groups", "entitlements" as defined in RFC7643
At least, it should be configurable to issue JWT access tokens supporting this new standardization effort.
Current Behavior
Currently, JWT access tokens issued are not following/supporting this new specification.
Context
Note: I also added an issue to the spring security project (https://github.com/spring-projects/spring-security/issues/10272) for documenting the required configuration to validate such tokens as part of the reference docs.
Good, I'm really looking forward to it.
Recently, I have been thinking about how to use what I have to achieve the effect of JWT, but I am not very satisfied.
Thanks @andifalk ! We'll look at implementing this in one of the upcoming releases.
Most of the required claims are there, except for client_id and jti.
import java.util.UUID;

import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

public class Customizer implements OAuth2TokenCustomizer<JwtEncodingContext> {
    @Override
    public void customize(JwtEncodingContext context) {
        context.getClaims()
            // jti: java.util.UUID stands in for the UuidUtils helper used in the original snippet
            .id(UUID.randomUUID().toString())
            // client_id of the requesting client, as required by the JWT access token profile
            .claim("client_id", context.getRegisteredClient().getClientId());
    }
}
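Putting the three requirements from the issue description together with the client_id/jti gap noted in the comment above, here is an added example (not part of the original issue or of the project's own code) of a token customizer bean that marks access tokens with the "at+jwt" type, adds jti and client_id, and maps the principal's granted authorities into a "roles" claim. It assumes Spring Authorization Server 1.x package names and that, as the comment above states, the framework's JwtGenerator already sets iss, sub, aud, iat and exp.

```java
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class AtJwtProfileConfig {

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> atJwtProfileCustomizer() {
        return context -> {
            // Only access tokens get the profile; ID tokens keep their own layout.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }

            // "typ": "at+jwt" lets a resource server reject any other JWT (e.g. an
            // ID token) that is presented as a bearer access token.
            context.getJwsHeader().type("at+jwt");

            // RFC 7643 style authorization claim built from the granted authorities
            // (assumption: authorities are meaningful as roles in this deployment).
            Authentication principal = context.getPrincipal();
            List<String> roles = principal.getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toList());

            // iss, sub, aud, iat and exp are set by the framework's JwtGenerator;
            // jti and client_id are the two required claims that are still missing.
            context.getClaims()
                    .id(UUID.randomUUID().toString())
                    .claim("client_id", context.getRegisteredClient().getClientId())
                    .claim("roles", roles);
        };
    }
}
```

The resource server side has to be told to accept the "at+jwt" type as well, which is the configuration the linked spring-security issue asks to have documented.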
Good, I'm really looking forward to it too.