Client authentication with JWT assertion

Closes spring-projectsgh-59

Author: rlewczuk

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java

@@ -99,6 +99,20 @@ default String getTokenEndpointAuthenticationMethod() {
 		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD);
 	}
 
+	/**
+	 * Returns the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+	 * the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt} authentication
+	 * methods {@code (token_endpoint_auth_signing_alg)}
+	 *
+	 * @return the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+	 * 	       the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt}
+	 * 	       authentication methods {@code (token_endpoint_auth_signing_alg)}
+	 * @since 0.2.1
+	 */
+	default String getTokenEndpointAuthenticationSigningAlgorithm() {
+		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
+	}
+
 	/**
 	 * Returns the OAuth 2.0 {@code grant_type} values that the Client will restrict itself to using {@code (grant_types)}.
 	 *
@@ -155,4 +169,14 @@ default URL getRegistrationClientUrl() {
 		return getClaimAsURL(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI);
 	}
 
+	/**
+	 * Returns {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+	 *
+	 * @return {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+	 * @since 0.2.1
+	 */
+	default URL getJwkSetUrl() {
+		return getClaimAsURL(OidcClientMetadataClaimNames.JWKS_URI);
+	}
+
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java

@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.core.oidc;
 
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 
 /**
  * The names of the "claims" defined by OpenID Connect Dynamic Client Registration 1.0
@@ -95,4 +96,17 @@ public interface OidcClientMetadataClaimNames {
 	 */
 	String REGISTRATION_CLIENT_URI = "registration_client_uri";
 
+	/**
+	 * {@code jwks_uri} - {@code URL} for the Client's JSON Web Key Set
+	 * @since 0.2.1
+	 */
+	String JWKS_URI = "jwks_uri";
+
+	/**
+	 * {@code token_endpoint_auth_signing_alg} - {@link SignatureAlgorithm JWS} algorithm that must be used for signing
+	 * the JWT used to authenticate the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt}
+	 * authentication methods
+	 * @since 0.2.1
+	 */
+	String TOKEN_ENDPOINT_AUTH_SIGNING_ALG = "token_endpoint_auth_signing_alg";
 }

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java

@@ -172,6 +172,20 @@ public Builder tokenEndpointAuthenticationMethod(String tokenEndpointAuthenticat
 			return claim(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD, tokenEndpointAuthenticationMethod);
 		}
 
+		/**
+		 * Sets the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+		 * the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt} authentication
+		 * methods
+		 * @param signingAlgorithm the {@link SignatureAlgorithm JWS} algorithm that must be used for signing
+		 *        the JWT used to authenticate the Client at the Token Endpoint for the {@code private_key_jwt} and
+		 *        {@code client_secret_jwt} authentication methods
+		 * @return the {@link Builder} for further configuration
+		 * @since 0.2.1
+		 */
+		public Builder tokenEndpointAuthenticationSigningAlgorithm(String signingAlgorithm) {
+			return claim(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, signingAlgorithm);
+		}
+
 		/**
 		 * Add the OAuth 2.0 {@code grant_type} that the Client will restrict itself to using, OPTIONAL.
 		 *
@@ -273,6 +287,16 @@ public Builder registrationClientUrl(String registrationClientUrl) {
 			return claim(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI, registrationClientUrl);
 		}
 
+		/**
+		 * Sets {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+		 * @param jwksSetUrl {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+		 * @return the {@link Builder} for further configuration
+		 * @since 0.2.1
+		 */
+		public Builder jwkSetUrl(String jwksSetUrl) {
+			return claim(OidcClientMetadataClaimNames.JWKS_URI, jwksSetUrl);
+		}
+
 		/**
 		 * Sets the claim.
 		 *

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/http/converter/OidcClientRegistrationHttpMessageConverter.java

@@ -150,6 +150,8 @@ private MapOidcClientRegistrationConverter() {
 			claimConverters.put(OidcClientMetadataClaimNames.RESPONSE_TYPES, collectionStringConverter);
 			claimConverters.put(OidcClientMetadataClaimNames.SCOPE, MapOidcClientRegistrationConverter::convertScope);
 			claimConverters.put(OidcClientMetadataClaimNames.ID_TOKEN_SIGNED_RESPONSE_ALG, stringConverter);
+			claimConverters.put(OidcClientMetadataClaimNames.JWKS_URI, stringConverter);
+			claimConverters.put(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, stringConverter);
 			this.claimTypeConverter = new ClaimTypeConverter(claimConverters);
 		}
 

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java

@@ -20,24 +20,33 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.Map;
+import java.util.Set;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
+import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
+import org.springframework.security.oauth2.jwt.JwtException;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -56,9 +65,14 @@
  */
 public final class OAuth2ClientAuthenticationProvider implements AuthenticationProvider {
 	private static final String CLIENT_AUTHENTICATION_ERROR_URI = "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-3.2.1";
+
+	private static final ClientAuthenticationMethod JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD =
+			new ClientAuthenticationMethod("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
+
 	private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.CODE);
 	private final RegisteredClientRepository registeredClientRepository;
 	private final OAuth2AuthorizationService authorizationService;
+	private JwtDecoderFactory<RegisteredClient> decoderFactory;
 	private PasswordEncoder passwordEncoder;
 
 	/**
@@ -89,11 +103,29 @@ public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		this.passwordEncoder = passwordEncoder;
 	}
 
+	void setDecoderFactory(JwtDecoderFactory<RegisteredClient> decoderFactory) {
+		this.decoderFactory = decoderFactory;
+	}
+
+	@Autowired(required = false)
+	protected void setProviderSettings(ProviderSettings providerSettings) {
+		this.decoderFactory = new RegisteredClientJwtAssertionDecoderFactory(providerSettings);
+	}
+
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 		OAuth2ClientAuthenticationToken clientAuthentication =
 				(OAuth2ClientAuthenticationToken) authentication;
 
+		return JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD.equals(clientAuthentication.getClientAuthenticationMethod()) ?
+				authenticateClientAssertion(authentication) :
+				authenticationClientCredentials(authentication);
+	}
+
+	private Authentication authenticationClientCredentials(Authentication authentication) throws AuthenticationException {
+		OAuth2ClientAuthenticationToken clientAuthentication =
+				(OAuth2ClientAuthenticationToken) authentication;
+
 		String clientId = clientAuthentication.getPrincipal().toString();
 		RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
 		if (registeredClient == null) {
@@ -125,6 +157,47 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				clientAuthentication.getClientAuthenticationMethod(), clientAuthentication.getCredentials());
 	}
 
+	private Authentication authenticateClientAssertion(Authentication authentication) throws AuthenticationException {
+		OAuth2ClientAuthenticationToken clientAuthentication =
+				(OAuth2ClientAuthenticationToken) authentication;
+
+		String clientId = clientAuthentication.getPrincipal().toString();
+		RegisteredClient registeredClient = this.registeredClientRepository.findByClientId(clientId);
+		if (registeredClient == null) {
+			throwInvalidClient(OAuth2ParameterNames.CLIENT_ID);
+		}
+
+		Set<ClientAuthenticationMethod> allowedAuthenticationMethods = registeredClient.getClientAuthenticationMethods();
+
+		if (!allowedAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_JWT) &&
+				!allowedAuthenticationMethods.contains(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
+			throwInvalidClient("authentication_method");
+		}
+
+		boolean credentialsAuthenticated = false;
+
+		try {
+			JwtDecoder jwtDecoder = this.decoderFactory.createDecoder(registeredClient);
+			jwtDecoder.decode(clientAuthentication.getCredentials().toString());
+			credentialsAuthenticated = true;
+		} catch (JwtException e) {
+			throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+
+		boolean pkceAuthenticated = authenticatePkceIfAvailable(clientAuthentication, registeredClient);
+		credentialsAuthenticated = credentialsAuthenticated || pkceAuthenticated;
+		if (!credentialsAuthenticated) {
+			throwInvalidClient("credentials");
+		}
+
+		JwsAlgorithm tokenEndpointSigningAlgorithm = registeredClient.getClientSettings().getTokenEndpointSigningAlgorithm();
+		ClientAuthenticationMethod clientAuthentiationMethod = tokenEndpointSigningAlgorithm instanceof MacAlgorithm ?
+				ClientAuthenticationMethod.CLIENT_SECRET_JWT : ClientAuthenticationMethod.PRIVATE_KEY_JWT;
+
+		return new OAuth2ClientAuthenticationToken(registeredClient,
+				clientAuthentiationMethod, clientAuthentication.getCredentials());
+	}
+
 	@Override
 	public boolean supports(Class<?> authentication) {
 		return OAuth2ClientAuthenticationToken.class.isAssignableFrom(authentication);

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/RegisteredClientJwtAssertionDecoderFactory.java

@@ -0,0 +1,149 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
+import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtClaimValidator;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+import java.util.function.Function;
+
+/**
+ * Creates JWT decoders for registered clients
+ *
+ * @author Rafal Lewczuk
+ * @since 0.2.1
+ */
+final class RegisteredClientJwtAssertionDecoderFactory implements JwtDecoderFactory<RegisteredClient> {
+
+	private static final String CLIENT_ASSERTION_ERROR_URI = "https://datatracker.ietf.org/doc/html/rfc7523#section-3";
+
+	private static final Map<JwsAlgorithm, String> JCA_ALGORITHM_MAPPINGS;
+
+	private final String tokenEndpointUri;
+
+	static {
+		Map<JwsAlgorithm, String> mappings = new HashMap<>();
+		mappings.put(MacAlgorithm.HS256, "HmacSHA256");
+		mappings.put(MacAlgorithm.HS384, "HmacSHA384");
+		mappings.put(MacAlgorithm.HS512, "HmacSHA512");
+		JCA_ALGORITHM_MAPPINGS = Collections.unmodifiableMap(mappings);
+	}
+
+	private final Function<RegisteredClient, JwsAlgorithm> jwsAlgorithmResolver =
+			rc -> rc.getClientSettings().getTokenEndpointSigningAlgorithm();
+
+	private final Map<String, CachedJwtDecoder> cachedDecoders = new ConcurrentHashMap<>();
+
+	RegisteredClientJwtAssertionDecoderFactory(ProviderSettings providerSettings) {
+		Assert.notNull(providerSettings, "providerSettings cannot be null");
+		this.tokenEndpointUri = providerSettings.getIssuer() + providerSettings.getTokenEndpoint();
+	}
+
+	@Override
+	public JwtDecoder createDecoder(RegisteredClient registeredClient) {
+		Assert.notNull(registeredClient, "registeredClient cannot be null");
+
+		CachedJwtDecoder cachedDecoder = this.cachedDecoders.get(registeredClient.getClientId());
+		if (cachedDecoder != null &&
+			Objects.equals(registeredClient.getClientSettings().getTokenEndpointSigningAlgorithm(),
+					cachedDecoder.registeredClient.getClientSettings().getTokenEndpointSigningAlgorithm()) &&
+			Objects.equals(cachedDecoder.registeredClient.getClientSecret(), registeredClient.getClientSecret()) &&
+			Objects.equals(registeredClient.getClientSettings().getJwkSetUrl(),
+					cachedDecoder.registeredClient.getClientSettings().getJwkSetUrl())) {
+			return cachedDecoder.jwtDecoder;
+		}
+
+		cachedDecoder = new CachedJwtDecoder(buildDecoder(registeredClient), registeredClient);
+		cachedDecoder.jwtDecoder.setJwtValidator(createTokenValidator(registeredClient));
+		this.cachedDecoders.put(registeredClient.getClientId(), cachedDecoder);
+		return cachedDecoder.jwtDecoder;
+	}
+
+	private NimbusJwtDecoder buildDecoder(RegisteredClient registeredClient) {
+		JwsAlgorithm jwsAlgorithm = this.jwsAlgorithmResolver.apply(registeredClient);
+
+		if (jwsAlgorithm != null && SignatureAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
+			String jwkSetUrl = registeredClient.getClientSettings().getJwkSetUrl();
+			if (!StringUtils.hasText(jwkSetUrl)) {
+				OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
+						"misconfigured client", CLIENT_ASSERTION_ERROR_URI);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+			}
+			return NimbusJwtDecoder.withJwkSetUri(jwkSetUrl).jwsAlgorithm((SignatureAlgorithm) jwsAlgorithm).build();
+		}
+
+		if (jwsAlgorithm != null && MacAlgorithm.class.isAssignableFrom(jwsAlgorithm.getClass())) {
+			String clientSecret = registeredClient.getClientSecret();
+			if (!StringUtils.hasText(clientSecret)) {
+				OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
+						"misconfigured client", CLIENT_ASSERTION_ERROR_URI);
+				throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+			}
+			SecretKeySpec secretKeySpec = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8),
+					JCA_ALGORITHM_MAPPINGS.get(jwsAlgorithm));
+			return NimbusJwtDecoder.withSecretKey(secretKeySpec).macAlgorithm((MacAlgorithm) jwsAlgorithm).build();
+		}
+
+		OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
+				"misconfigured client", CLIENT_ASSERTION_ERROR_URI);
+		throw new OAuth2AuthenticationException(oauth2Error, oauth2Error.toString());
+	}
+
+	private OAuth2TokenValidator<Jwt> createTokenValidator(RegisteredClient registeredClient) {
+		String clientId = registeredClient.getClientId();
+		return new DelegatingOAuth2TokenValidator<>(
+				new JwtClaimValidator<String>("iss", clientId::equals),      // RFC 7523 section 3 (iss)
+				new JwtClaimValidator<String>("sub", clientId::equals),      // RFC 7523 section 3 (sub)
+				new JwtClaimValidator<List<String>>("aud", l -> l.contains(tokenEndpointUri)), // RFC 7523 section 3 (aud)
+				new JwtClaimValidator<>("exp", Objects::nonNull),            // RFC 7523 section 3 (exp != null)
+				new JwtTimestampValidator()                                  // RFC 7523 section 3 (exp, nbf)
+		);
+	}
+
+	private static class CachedJwtDecoder {
+		private final NimbusJwtDecoder jwtDecoder;
+		private final RegisteredClient registeredClient;
+
+		CachedJwtDecoder(NimbusJwtDecoder jwtDecoder, RegisteredClient registeredClient) {
+			this.jwtDecoder = jwtDecoder;
+			this.registeredClient = registeredClient;
+		}
+	}
+}