
Fix DPoP jkt claim to be JWK SHA-256 thumbprint #17080

Closed
dkowis wants to merge 2 commits from the jwk-thumbprint-fix branch

Conversation

@dkowis dkowis (Contributor) commented May 8, 2025

This is the proper implementation for a JWK Thumbprint. Spring Security was doing a Certificate Thumbprint, which is correct for ath claims to verify the certificate used in the JWK, but it's not correct for a DPoP verification jkt claim.

Resolves #17079
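
As an added worked example (not code from this PR, Spring Security, or the Nimbus library), the following Python computes the RFC 7638 thumbprint that the `jkt` member of a token's `cnf` claim must carry under RFC 9449, and performs the resource-server check of a DPoP proof's `jwk` header against that value. The RSA key is the example JWK from RFC 7638 section 3.1, whose documented thumbprint is `NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs`; the EC key and the function names (`jwk_thumbprint`, `naive_whole_jwk_hash`, `dpop_key_is_bound`) are constructed for illustration.

```python
"""RFC 7638 JWK thumbprints and the DPoP cnf.jkt binding check.

Added example; not Spring Security or Nimbus code. RFC 9449 defines the `jkt`
member of an access token's `cnf` claim as the RFC 7638 SHA-256 thumbprint of
the public key the client sends in the `jwk` header of its DPoP proof. RFC 7638
hashes a canonical JSON object holding only the key type's required members,
sorted lexicographically, with no whitespace; optional members such as `kid`,
`alg` and `use` are left out.
"""
import base64
import hashlib
import hmac
import json

# Required members per key type (RFC 7638 section 3.2, RFC 7518, RFC 8037);
# "kty" is always part of the hashed object.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}

# Example public JWK from RFC 7638 section 3.1 (not a constructed value).
RFC7638_EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
# Thumbprint stated for that key in RFC 7638 section 3.1.
RFC7638_EXAMPLE_THUMBPRINT = "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs"

# Constructed EC JWK (placeholder coordinates, not a real key), used only to show
# that the member order a client chooses does not change the thumbprint.
CONSTRUCTED_EC_JWK = {
    "y": "y-coordinate",
    "x": "x-coordinate",
    "kty": "EC",
    "crv": "P-256",
    "use": "sig",
}


def _b64url_nopad(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """Return the base64url-encoded SHA-256 JWK thumbprint defined by RFC 7638."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported or missing kty: {kty!r}")
    canonical = {}
    for member in _REQUIRED_MEMBERS[kty]:
        if member not in jwk:
            raise ValueError(f"JWK is missing required member {member!r}")
        canonical[member] = jwk[member]
    # sort_keys yields the lexicographic member order RFC 7638 requires and
    # separators=(",", ":") removes every space and newline from the encoding.
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url_nopad(hashlib.sha256(encoded).digest())


def naive_whole_jwk_hash(jwk: dict) -> str:
    """SHA-256 over the JWK exactly as received, optional members and client
    ordering included. Shown only to demonstrate that it differs from the
    RFC 7638 thumbprint and therefore cannot serve as `jkt`."""
    encoded = json.dumps(jwk, separators=(",", ":")).encode("utf-8")
    return _b64url_nopad(hashlib.sha256(encoded).digest())


def dpop_key_is_bound(proof_jwk: dict, cnf_jkt: str) -> bool:
    """Resource-server check: does the DPoP proof's `jwk` header hash to the
    access token's cnf.jkt? A malformed or unsupported key fails closed."""
    try:
        computed = jwk_thumbprint(proof_jwk)
    except ValueError:
        return False
    # Constant-time comparison of the two ASCII base64url strings.
    return hmac.compare_digest(computed.encode("ascii"), cnf_jkt.encode("ascii"))


if __name__ == "__main__":
    print("RFC 7638 thumbprint:", jwk_thumbprint(RFC7638_EXAMPLE_JWK))
    print("whole-JWK hash     :", naive_whole_jwk_hash(RFC7638_EXAMPLE_JWK))
    print("bound to cnf.jkt   :", dpop_key_is_bound(RFC7638_EXAMPLE_JWK, RFC7638_EXAMPLE_THUMBPRINT))
```

The check fails closed on any key it cannot canonicalise, and the `kid`/`alg` members of the RFC key play no part in the result, which is what lets a client rotate metadata without breaking the binding. Two related values are easy to confuse with `jkt`: the `ath` claim of RFC 9449 is the base64url SHA-256 hash of the access token string, and the `x5t#S256` confirmation member of RFC 8705 is the SHA-256 thumbprint of a DER-encoded client certificate; neither is a JWK thumbprint.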

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 8, 2025
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 37b16fa to 4d330cf on May 8, 2025 at 17:36
dkowis added 2 commits May 8, 2025 12:37
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Signed-off-by: David Kowis <[email protected]>
The other method remains for the `ath` claims

Signed-off-by: David Kowis <[email protected]>
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 4d330cf to 45f5232 on May 8, 2025 at 17:37
@jgrandja jgrandja changed the title Jwk thumbprint fix Fix DPoP jkt claim to be JWK SHA-256 thumbprint May 13, 2025
@jgrandja jgrandja self-assigned this May 13, 2025
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels May 13, 2025
@jgrandja jgrandja added this to the 6.5.0 milestone May 13, 2025
@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label May 13, 2025
jgrandja pushed a commit that referenced this pull request May 13, 2025
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Closes gh-17080

Signed-off-by: David Kowis <[email protected]>
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja jgrandja closed this in 462e38c May 13, 2025
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja jgrandja (Contributor) commented
@dkowis Thank you for catching this! This is now merged along with a minor polish commit.

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Linked issue: DPoP JWK Thumbprint validation does not conform to RFC7638 (#17079)