
Allow configuring custom validator for Jwt client assertion #643


Closed
atjohn-csam opened this issue Mar 7, 2022 · 5 comments

Comments

@atjohn-csam

Expected Behavior
It would be great if we could add a custom claim validator for client authentication using JWT assertion. This will allow additional validations to be done on the jwt assertion authentication.

Current Behavior
Right now for client authentication using JWT Assertion, DelegatingOAuth2TokenValidator comes with the default validators:

```java
return new DelegatingOAuth2TokenValidator<>(
        new JwtClaimValidator<>(JwtClaimNames.ISS, clientId::equals),  // iss must equal the client id
        new JwtClaimValidator<>(JwtClaimNames.SUB, clientId::equals),  // sub must equal the client id
        new JwtClaimValidator<>(JwtClaimNames.AUD, containsProviderAudience()),
        new JwtClaimValidator<>(JwtClaimNames.EXP, Objects::nonNull),  // exp must be present
        new JwtTimestampValidator());
```

Context
In this implementation, the clients will send JWT assertions with custom claims which I am planning to validate before issuing the access token. I haven't found a way to configure this.

@atjohn-csam atjohn-csam added the type: enhancement A general enhancement label Mar 7, 2022
@jgrandja jgrandja changed the title from "Client authentication with JWT assertion : Provide adding custom jwt claim validator" to "Allow configuring custom validator for Jwt client assertion" Mar 11, 2022
@jgrandja
Collaborator

Thanks for the request @atjohn-csam. We'll look at adding this customization hook.

@atjohn-csam
Author

Hi @jgrandja, can I work on this feature?

I am thinking of introducing DefaultJwtAssetionValidatorFactory to JwtClientAssertionAuthenticationProvider, which will have the set of existing validators:

```java
new JwtClaimValidator<>(JwtClaimNames.ISS, clientId::equals),
new JwtClaimValidator<>(JwtClaimNames.SUB, clientId::equals),
new JwtClaimValidator<>(JwtClaimNames.AUD, containsProviderAudience()),
new JwtClaimValidator<>(JwtClaimNames.EXP, Objects::nonNull),
new JwtTimestampValidator()
```

along with a new optional JwtClaimValidator which the user can configure. Is this how you envisioned this to be done?

@jgrandja
Collaborator

Thanks for your interest @atjohn-csam.

We're holding off on adding new features and enhancements until after we release 0.3.0.

Our top priority for 0.3.0 is to deliver the initial version of the reference documentation.
We still have a lot of work to do so we need to keep focused.

Please reach out again after 0.3.0 is released May 23.

@jgrandja
Collaborator

Related gh-897

@jgrandja
Collaborator

@atjohn-csam This is now resolved via gh-944. Please see comment.

Closing this as a duplicate.

@jgrandja jgrandja self-assigned this Oct 27, 2022
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: enhancement A general enhancement labels Oct 27, 2022
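
An added example, not code from the project or from this thread: one way to append a custom claim check to the default validators listed in the issue, using the Spring Security classes named there. The `tenant` claim, its allow-list, the token endpoint URL and the class, field and method names are assumptions; the audience predicate stands in for the project's `containsProviderAudience()`, and wiring the result into the authorization server is not shown.

```java
import java.time.Instant;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

public class ClientAssertionValidators {
    // Assumed value: the token endpoint the assertion must name as audience.
    static final String TOKEN_ENDPOINT = "https://auth.example.com/oauth2/token";
    // Hypothetical custom claim and its allow-list.
    static final String TENANT_CLAIM = "tenant";
    static final Set<String> ALLOWED_TENANTS = Set.of("tenant-a", "tenant-b");

    // The checks listed in the issue, rebuilt for one client id.
    static OAuth2TokenValidator<Jwt> defaults(String clientId) {
        return new DelegatingOAuth2TokenValidator<>(
                new JwtClaimValidator<>(JwtClaimNames.ISS, clientId::equals),
                new JwtClaimValidator<>(JwtClaimNames.SUB, clientId::equals),
                new JwtClaimValidator<Collection<String>>(JwtClaimNames.AUD,
                        aud -> aud != null && aud.contains(TOKEN_ENDPOINT)),
                new JwtClaimValidator<>(JwtClaimNames.EXP, Objects::nonNull),
                new JwtTimestampValidator());
    }

    // The custom check is appended to the defaults, never substituted for them;
    // the null guard makes a missing claim fail instead of throwing.
    static final Function<String, OAuth2TokenValidator<Jwt>> FACTORY = clientId ->
            new DelegatingOAuth2TokenValidator<>(
                    defaults(clientId),
                    new JwtClaimValidator<String>(TENANT_CLAIM,
                            t -> t != null && ALLOWED_TENANTS.contains(t)));

    public static void main(String[] args) {
        // Constructed sample claims, not a real signed assertion.
        Jwt.Builder base = Jwt.withTokenValue("constructed-token").header("alg", "RS256")
                .issuer("client-1").subject("client-1")
                .audience(List.of(TOKEN_ENDPOINT)).expiresAt(Instant.now().plusSeconds(60));
        OAuth2TokenValidator<Jwt> v = FACTORY.apply("client-1");
        System.out.println("no tenant, errors: " + v.validate(base.build()).hasErrors());
        base.claim(TENANT_CLAIM, "tenant-a");
        System.out.println("allowed tenant, errors: " + v.validate(base.build()).hasErrors());
        System.out.println("other client, errors: " + FACTORY.apply("client-2").validate(base.build()).hasErrors());
    }
}
```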