Adopt RFC7523bis for OAuth2 JWT Client Authentication
The Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants (RFC7523bis) updated the recommendations for "audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based Authorization Grants to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications". The previous recommendations were part of RFC7523.
In particular, there are two aspects encoded in the NimbusJwtClientAuthenticationParametersConverter that could be considered for change to adopt the new recommendations. They are both easily addressable through a Customizer, so there's no problem from that point of view. I'm raising this issue more to consider the default behaviour.
Audience
The aud claim is currently set to the Token URI. According to the new recommendations, it must be set to the Issuer URI instead (paragraph 4).
See https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/NimbusJwtClientAuthenticationParametersConverter.java#L144
Client Assertion Type
The typ claim is not currently set. According to the new recommendations, it must be set to client-authentication+jwt or "another more specific explicit type value defined by a specification profiling this specification".
I wonder if it would make sense to set client-authentication+jwt as the default value.
Context
I'm working with the OAuth2 Client Credentials flow, integrating with OAuth2 Authorization Providers using JWT bearers as the client authentication strategy.
@ThomasVitale Thanks for keeping track of the updates in RFC7523.
I would be in favour of making the necessary changes after the draft has been accepted. Let's keep track of the draft progress.
N.B. typ is not a claim. It is a header parameter. It should not be set in the body of the token.
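The two adjustments discussed in the issue (aud set to the Issuer URI, and an explicit client-authentication+jwt type), applied through the converter's Customizer hook, with typ placed in the JOSE header as the follow-up note points out. This is an added example, not Spring Security's own code or the project's default; it assumes the Spring Security 6.x API (NimbusJwtClientAuthenticationParametersConverter.setJwtClientAssertionCustomizer, the JwsHeader and JwtClaimsSet builders, DefaultClientCredentialsTokenResponseClient.addParametersConverter) and a caller-supplied jwkResolver for the signing key.

```java
// Added example (not Spring Security's own code): apply the RFC7523bis
// recommendations from this issue through the existing customizer hook.
// Assumes Spring Security 6.x APIs named below; the jwkResolver is supplied
// by the caller and is an assumption of this example.
import java.util.List;
import java.util.function.Function;

import com.nimbusds.jose.jwk.JWK;

import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.registration.ClientRegistration;

public final class Rfc7523bisClientAssertionConfig {

    /** Explicit type recommended by RFC7523bis for client authentication assertions. */
    static final String CLIENT_AUTHENTICATION_JWT_TYPE = "client-authentication+jwt";

    /**
     * Builds a client-credentials token client whose client_assertion follows
     * RFC7523bis: aud = Issuer URI (instead of the Token URI default) and
     * typ = client-authentication+jwt in the JWS header.
     *
     * @param jwkResolver resolves the signing key (private key for private_key_jwt,
     *                    or the HMAC secret for client_secret_jwt) per registration
     */
    static DefaultClientCredentialsTokenResponseClient tokenResponseClient(
            Function<ClientRegistration, JWK> jwkResolver) {

        NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> converter =
                new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);

        converter.setJwtClientAssertionCustomizer(context -> {
            ClientRegistration registration =
                    context.getAuthorizationGrantRequest().getClientRegistration();
            String issuerUri = registration.getProviderDetails().getIssuerUri();
            if (issuerUri == null) {
                // Without an Issuer URI the recommended audience cannot be formed;
                // fail closed rather than silently keeping the Token URI audience.
                throw new IllegalStateException(
                        "Issuer URI is required to set the RFC7523bis audience for registration "
                                + registration.getRegistrationId());
            }
            // RFC7523bis: aud is the Issuer URI. audience(...) replaces the default
            // Token URI value that the converter put there.
            context.getClaims().audience(List.of(issuerUri));
            // typ is a JOSE header parameter, not a claim, so it goes on the header builder.
            context.getHeaders().type(CLIENT_AUTHENTICATION_JWT_TYPE);
        });

        DefaultClientCredentialsTokenResponseClient client =
                new DefaultClientCredentialsTokenResponseClient();
        client.addParametersConverter(converter);
        return client;
    }
}
```

The converter only emits a client_assertion for registrations whose client authentication method is private_key_jwt or client_secret_jwt; for any other method the customizer is never invoked. Because the Issuer URI becomes the audience, the ClientRegistration needs an issuer-uri configured (it is populated automatically when the registration is built from provider metadata), which is why the example throws instead of falling back to the Token URI.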