Add resource server support for multiple trusted JWT access token issuers #5385
Closed · dyroberts opened this issue May 25, 2018 · 8 comments
Labels: in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) · type: enhancement A general enhancement

@dyroberts

Summary

Add resource server support for multiple trusted JWT access token issuers

Actual Behavior

Presently we can configure a resource server's trusted jwt token issuer like:

```properties
security.oauth2.resource.jwt.keyUri=...
```
or
```properties
security.oauth2.resource.jwk.keySetUri=...
```

Expected Behavior

I'd like to suggest supporting something like (switching to yml):

```yaml
security:
  oauth2:
    resource:
      issuers:
        issuer1:
          keyUri: ...
          issuerClaim: ...
        issuer2:
          keySetUri: ...
        issuer3:
          keyValue: ...
```

Note the optional issuerClaim for verification against the 'iss' claim.

@jgrandja jgrandja added New Feature in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) labels May 26, 2018
@jgrandja jgrandja added this to the 5.1.0.M2 milestone May 26, 2018
@jgrandja
Contributor

jgrandja commented Jun 1, 2018

The key question to ask the UAA team: is the kid unique across identity zones?

@jgrandja
Contributor

@jzheaux Has this been solved via #5351?

@jzheaux
Contributor

jzheaux commented Apr 25, 2019

@jgrandja good question - it's certainly possible via #5351 but it would not be very efficient. The resulting AuthenticationManagerResolver would need to parse the JWT and select the appropriate JwtAuthenticationManager instance accordingly, at which point it would be parsed again by the underlying JwtDecoder.

It seems to me that a JwtDecoder implementation may be better suited for this use case.

The AuthenticationManagerResolver is suitable for aspects of the request that are immediately obtainable, like a path, a header, or a subdomain.
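The issuer-keyed resolver Spring Security later shipped, JwtIssuerAuthenticationManagerResolver, is one way to wire what this thread discusses; the block below is an added example, not code from this thread or from Spring Security's own sources. It assumes Spring Security 5.6 or later, and the issuer URLs and JWK Set endpoints are constructed placeholders.

```java
// Added example (not from this thread or Spring Security's sources): a resource
// server trusting several JWT issuers, each with its own JWK set and "iss" check.
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MultiIssuerResourceServerConfig {

    // Allowlist of trusted issuers (constructed placeholder URLs): "iss" value -> JWK Set URI.
    private static final Map<String, String> TRUSTED_ISSUERS = Map.of(
            "https://issuer1.example.com", "https://issuer1.example.com/.well-known/jwks.json",
            "https://issuer2.example.com", "https://issuer2.example.com/oauth2/jwks");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // One AuthenticationManager per trusted issuer, built up front so an
        // arbitrary "iss" value in a token never triggers a lookup of its own.
        Map<String, AuthenticationManager> managers = new HashMap<>();
        TRUSTED_ISSUERS.forEach((iss, jwks) -> managers.put(iss, managerFor(iss, jwks)));

        // The resolver reads the unverified "iss" claim only to pick a manager; the
        // chosen decoder then verifies the signature. Unknown issuers resolve to null
        // and the request is rejected as an invalid bearer token.
        JwtIssuerAuthenticationManagerResolver resolver =
                new JwtIssuerAuthenticationManagerResolver(managers::get);

        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(o -> o.authenticationManagerResolver(resolver));
        return http.build();
    }

    private static AuthenticationManager managerFor(String issuer, String jwkSetUri) {
        // Signature check against this issuer's keys plus timestamp and "iss" validation,
        // so a token signed by issuer1 but routed to issuer2's keys still fails.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
        return new JwtAuthenticationProvider(decoder)::authenticate;
    }
}
```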

@jzheaux
Contributor

jzheaux commented Jan 8, 2020

Fixed via de87675

@jzheaux jzheaux closed this as completed Jan 8, 2020
@cadethacker

cadethacker commented Jul 8, 2021

Sorry to comment on an older issue, but one point of confusion. The OP asked about defining multiple authorization services via the yaml/config. I spent a good bit of time coding up support by using the docs (very good BTW) and it works, but...

I still didn't see a clear answer in this issue on whether the yaml/config supports multiple authorization servers by issuer yet, as per the OP question. I know I can code it, but can I config it :D

EDIT: I found this documentation, but it only mentioned being able to define a single issuer in the yaml. Spring Boot 2.5.2 docs

@jzheaux
Contributor

jzheaux commented Jul 12, 2021

@cadethacker you are correct, YAML config is not supported for multiple issuers.

@cadethacker

Huge thank you @jzheaux for the clarification. Is there a correct way to request this as a feature? I think this would be a great addition to Spring Security, especially in the awesome work for the entire 5 series. I'm happy to hack on it, but no clue where to start. If you can give me a compass heading and a shove in the right direction.

@jzheaux
Contributor

jzheaux commented Jul 12, 2021

YAML configuration falls under the Spring Boot project, so you'd file an issue there.

That said, we usually try and reserve YAML to common use cases, and multi-tenancy for resource servers doesn't yet seem common enough. Moreover, multi-tenancy is often highly proprietary; I imagine that more often than not applications will need to use a bean anyway, e.g. so that they can load settings from a database.
