rlewczuk
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java
+24 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimAccessor.java
+24
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java
+14 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientMetadataClaimNames.java
+14
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java
+24 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcClientRegistration.java
+24
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java
+52-9 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientAuthenticationProvider.java
+52-9
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/RegisteredClientJwtAssertionDecoderFactory.java
+155 b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/RegisteredClientJwtAssertionDecoderFactory.java
+155
@@ -99,6 +99,20 @@ default String getTokenEndpointAuthenticationMethod() {
 		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD);
 	}
 
+	/**
+	 * Returns the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+	 * the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt} authentication
+	 * methods {@code (token_endpoint_auth_signing_alg)}
+	 *
+	 * @return the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+	 * 	       the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt}
+	 * 	       authentication methods {@code (token_endpoint_auth_signing_alg)}
+	 * @since 0.2.1
+	 */
+	default String getTokenEndpointAuthenticationSigningAlgorithm() {
+		return getClaimAsString(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_SIGNING_ALG);
+	}
+
 	/**
 	 * Returns the OAuth 2.0 {@code grant_type} values that the Client will restrict itself to using {@code (grant_types)}.
 	 *
@@ -155,4 +169,14 @@ default URL getRegistrationClientUrl() {
 		return getClaimAsURL(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI);
 	}
 
+	/**
+	 * Returns {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+	 *
+	 * @return {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+	 * @since 0.2.1
+	 */
+	default URL getJwkSetUrl() {
+		return getClaimAsURL(OidcClientMetadataClaimNames.JWKS_URI);
+	}
+
 }
@@ -16,6 +16,7 @@
 package org.springframework.security.oauth2.core.oidc;
 
 import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 
 /**
  * The names of the "claims" defined by OpenID Connect Dynamic Client Registration 1.0
@@ -95,4 +96,17 @@ public interface OidcClientMetadataClaimNames {
 	 */
 	String REGISTRATION_CLIENT_URI = "registration_client_uri";
 
+	/**
+	 * {@code jwks_uri} - {@code URL} for the Client's JSON Web Key Set
+	 * @since 0.2.1
+	 */
+	String JWKS_URI = "jwks_uri";
+
+	/**
+	 * {@code token_endpoint_auth_signing_alg} - {@link SignatureAlgorithm JWS} algorithm that must be used for signing
+	 * the JWT used to authenticate the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt}
+	 * authentication methods
+	 * @since 0.2.1
+	 */
+	String TOKEN_ENDPOINT_AUTH_SIGNING_ALG = "token_endpoint_auth_signing_alg";
 }
@@ -172,6 +172,20 @@ public Builder tokenEndpointAuthenticationMethod(String tokenEndpointAuthenticat
 			return claim(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD, tokenEndpointAuthenticationMethod);
 		}
 
+		/**
+		 * Sets the {@link SignatureAlgorithm JWS} algorithm that must be used for signing the JWT used to authenticate
+		 * the Client at the Token Endpoint for the {@code private_key_jwt} and {@code client_secret_jwt} authentication
+		 * methods
+		 * @param signingAlgorithm the {@link SignatureAlgorithm JWS} algorithm that must be used for signing
+		 *        the JWT used to authenticate the Client at the Token Endpoint for the {@code private_key_jwt} and
+		 *        {@code client_secret_jwt} authentication methods
+		 * @return the {@link Builder} for further configuration
+		 * @since 0.2.1
+		 */
+		public Builder tokenEndpointAuthenticationSigningAlgorithm(String signingAlgorithm) {
+			return claim(OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_SIGNING_ALG, signingAlgorithm);
+		}
+
 		/**
 		 * Add the OAuth 2.0 {@code grant_type} that the Client will restrict itself to using, OPTIONAL.
 		 *
@@ -273,6 +287,16 @@ public Builder registrationClientUrl(String registrationClientUrl) {
 			return claim(OidcClientMetadataClaimNames.REGISTRATION_CLIENT_URI, registrationClientUrl);
 		}
 
+		/**
+		 * Sets {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+		 * @param jwksSetUrl {@code URL} for the Client's JSON Web Key Set {@code (jwks_uri)}
+		 * @return the {@link Builder} for further configuration
+		 * @since 0.2.1
+		 */
+		public Builder jwkSetUrl(String jwksSetUrl) {
+			return claim(OidcClientMetadataClaimNames.JWKS_URI, jwksSetUrl);
+		}
+
 		/**
 		 * Sets the claim.
 		 *
 
@@ -20,24 +20,31 @@
 import java.security.NoSuchAlgorithmException;
 import java.util.Base64;
 import java.util.Map;
+import java.util.Set;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.core.OAuth2TokenType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.endpoint.PkceParameterNames;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
+import org.springframework.security.oauth2.jwt.JwtException;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 
@@ -56,9 +63,14 @@
  */
 public final class OAuth2ClientAuthenticationProvider implements AuthenticationProvider {
 	private static final String CLIENT_AUTHENTICATION_ERROR_URI = "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-3.2.1";
+
+	static final ClientAuthenticationMethod CLIENT_ASSERTION_AUTHENTICATION_METHOD =
+			new ClientAuthenticationMethod("urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
+
 	private static final OAuth2TokenType AUTHORIZATION_CODE_TOKEN_TYPE = new OAuth2TokenType(OAuth2ParameterNames.CODE);
 	private final RegisteredClientRepository registeredClientRepository;
 	private final OAuth2AuthorizationService authorizationService;
+	private JwtDecoderFactory<RegisteredClient> decoderFactory;
 	private PasswordEncoder passwordEncoder;
 
 	/**
@@ -89,6 +101,15 @@ public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		this.passwordEncoder = passwordEncoder;
 	}
 
+	void setDecoderFactory(JwtDecoderFactory<RegisteredClient> decoderFactory) {
+		this.decoderFactory = decoderFactory;
+	}
+
+	@Autowired(required = false)
+	protected void setProviderSettings(ProviderSettings providerSettings) {
+		this.decoderFactory = new RegisteredClientJwtAssertionDecoderFactory(providerSettings);
+	}
+
 	@Override
 	public Authentication authenticate(Authentication authentication) throws AuthenticationException {
 		OAuth2ClientAuthenticationToken clientAuthentication =
@@ -100,19 +121,41 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			throwInvalidClient(OAuth2ParameterNames.CLIENT_ID);
 		}
 
-		if (!registeredClient.getClientAuthenticationMethods().contains(
-				clientAuthentication.getClientAuthenticationMethod())) {
+		ClientAuthenticationMethod clientAuthentiationMethod = clientAuthentication.getClientAuthenticationMethod();
+		Set<ClientAuthenticationMethod> allowedAuthenticationMethods = registeredClient.getClientAuthenticationMethods();
+
+		if (!allowedAuthenticationMethods.contains(clientAuthentiationMethod)
+			&& !(CLIENT_ASSERTION_AUTHENTICATION_METHOD.equals(clientAuthentiationMethod)
+				&& (allowedAuthenticationMethods.contains(ClientAuthenticationMethod.CLIENT_SECRET_JWT)
+					|| allowedAuthenticationMethods.contains(ClientAuthenticationMethod.PRIVATE_KEY_JWT)))) {
+			throwInvalidClient("authentication_method");
+		}
+
+		if (CLIENT_ASSERTION_AUTHENTICATION_METHOD.equals(clientAuthentiationMethod) && this.decoderFactory == null) {
+			// Decoder not present -> authentication method not supported
 			throwInvalidClient("authentication_method");
 		}
 
 		boolean credentialsAuthenticated = false;
 
-		if (clientAuthentication.getCredentials() != null) {
-			String clientSecret = clientAuthentication.getCredentials().toString();
-			if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
-				throwInvalidClient(OAuth2ParameterNames.CLIENT_SECRET);
+		if (CLIENT_ASSERTION_AUTHENTICATION_METHOD.equals(clientAuthentiationMethod)) {
+			// PRIVATE_KEY_JWT or CLIENT_SECRET_JWT authentication methods
+			try {
+				JwtDecoder jwtDecoder = this.decoderFactory.createDecoder(registeredClient);
+				jwtDecoder.decode(clientAuthentication.getCredentials().toString());
+				credentialsAuthenticated = true;
+			} catch (JwtException e) {
+				throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+			}
+		} else {
+			// CLIENT_SECRET_BASIC or CLIENT_SECRET_POST authentication methods
+			if (clientAuthentication.getCredentials() != null) {
+				String clientSecret = clientAuthentication.getCredentials().toString();
+				if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
+					throwInvalidClient(OAuth2ParameterNames.CLIENT_SECRET);
+				}
+				credentialsAuthenticated = true;
 			}
-			credentialsAuthenticated = true;
 		}
 
 		boolean pkceAuthenticated = authenticatePkceIfAvailable(clientAuthentication, registeredClient);
@@ -122,7 +165,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		}
 
 		return new OAuth2ClientAuthenticationToken(registeredClient,
-				clientAuthentication.getClientAuthenticationMethod(), clientAuthentication.getCredentials());
+				clientAuthentiationMethod, clientAuthentication.getCredentials());
 	}
 
 	@Override
@@ -193,7 +236,7 @@ private static boolean codeVerifierValid(String codeVerifier, String codeChallen
 		throw new OAuth2AuthenticationException(OAuth2ErrorCodes.SERVER_ERROR);
 	}
 
-	private static void throwInvalidClient(String parameterName) {
+	static void throwInvalidClient(String parameterName) {
 		OAuth2Error error = new OAuth2Error(
 				OAuth2ErrorCodes.INVALID_CLIENT,
 				"Client authentication failed: " + parameterName,
 
@@ -0,0 +1,155 @@
+/*
+ * Copyright 2020-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.server.authorization.authentication;
+
+import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
+import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
+import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
+import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
+import org.springframework.util.Assert;
+
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * Creates JWT decoders for registered clients
+ *
+ * @author Rafal Lewczuk
+ * @since 0.2.1
+ */
+final class RegisteredClientJwtAssertionDecoderFactory implements JwtDecoderFactory<RegisteredClient> {
+
+	private static final Map<String, String> JCA_ALGORITHM_MAPPINGS;
+
+	static {
+		Map<String, String> mappings = new HashMap<>();
+		mappings.put(JwsAlgorithms.HS256, "HmacSHA256");
+		mappings.put(JwsAlgorithms.HS384, "HmacSHA384");
+		mappings.put(JwsAlgorithms.HS512, "HmacSHA512");
+		JCA_ALGORITHM_MAPPINGS = Collections.unmodifiableMap(mappings);
+	}
+
+	private final Map<String, CachedJwtDecoder> cachedDecoders = new ConcurrentHashMap<>();
+	private final ProviderSettings providerSettings;
+
+	RegisteredClientJwtAssertionDecoderFactory(ProviderSettings providerSettings) {
+		Assert.notNull(providerSettings, "providerSettings cannot be null");
+		this.providerSettings = providerSettings;
+	}
+
+	@Override
+	public JwtDecoder createDecoder(RegisteredClient registeredClient) {
+		Assert.notNull(registeredClient, "registeredClient cannot be null");
+
+		JwsAlgorithm signingAlgorithm = registeredClient.getClientSettings().getTokenEndpointSigningAlgorithm();
+		boolean isHmac = signingAlgorithm instanceof MacAlgorithm;
+
+		// No fancy .computerIfAbsent() calls as we need to check if client configuration has changed
+		// also this is idempotent operation so we don't have to care about exact synchronization
+		CachedJwtDecoder cachedDecoder = this.cachedDecoders.get(registeredClient.getClientId());
+		if (cachedDecoder != null) {
+			ClientSettings clientSettings = cachedDecoder.registeredClient.getClientSettings();
+			ClientSettings cachedSettings = registeredClient.getClientSettings();
+			if (isHmac) {
+				if (Objects.equals(cachedSettings.getTokenEndpointSigningAlgorithm(), clientSettings.getTokenEndpointSigningAlgorithm())
+						&& Objects.equals(cachedDecoder.registeredClient.getClientSecret(), registeredClient.getClientSecret())) {
+					return cachedDecoder.jwtDecoder;
+				}
+			} else {
+				if (Objects.equals(cachedSettings.getTokenEndpointSigningAlgorithm(), clientSettings.getTokenEndpointSigningAlgorithm())
+					&& Objects.equals(cachedSettings.getJwkSetUrl(), clientSettings.getJwkSetUrl())) {
+					return cachedDecoder.jwtDecoder;
+				}
+			}
+		}
+
+		cachedDecoder = isHmac ? createClientSecretJwtDecoder(registeredClient, (MacAlgorithm) signingAlgorithm)
+				: createPrivateKeyJwtDecoder(registeredClient, (SignatureAlgorithm) signingAlgorithm);
+
+		this.providerSettings.getTokenEndpoint();
+		cachedDecoder.jwtDecoder.setJwtValidator(
+				new RegisteredClientJwtAssertionValidator(registeredClient, this.providerSettings));
+		this.cachedDecoders.put(registeredClient.getClientId(), cachedDecoder);
+		return cachedDecoder.jwtDecoder;
+	}
+
+	private CachedJwtDecoder createClientSecretJwtDecoder(RegisteredClient registeredClient, MacAlgorithm macAlgorithm) {
+		NimbusJwtDecoder jwtDecoder = null;
+		if (!registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.CLIENT_SECRET_JWT)) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+
+		if (registeredClient.getClientSecret() == null || registeredClient.getClientSecret().isEmpty()) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+
+		try {
+			byte[] secret = registeredClient.getClientSecret().getBytes(StandardCharsets.UTF_8);
+			String algorithmName = JCA_ALGORITHM_MAPPINGS.get(macAlgorithm.getName());
+			SecretKeySpec secretKey = new SecretKeySpec(secret, algorithmName);
+			NimbusJwtDecoder.SecretKeyJwtDecoderBuilder jwtDecoderBuilder = NimbusJwtDecoder.withSecretKey(secretKey)
+					.macAlgorithm(macAlgorithm);
+			jwtDecoder = jwtDecoderBuilder.build();
+		} catch (Exception e) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+		return new CachedJwtDecoder(jwtDecoder, registeredClient);
+	}
+
+	private CachedJwtDecoder createPrivateKeyJwtDecoder(RegisteredClient registeredClient, SignatureAlgorithm signatureAlgorithm) {
+		NimbusJwtDecoder jwtDecoder = null;
+		if (!registeredClient.getClientAuthenticationMethods().contains(ClientAuthenticationMethod.PRIVATE_KEY_JWT)) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+
+		String jwksUrl = registeredClient.getClientSettings().getJwkSetUrl();
+		if (jwksUrl == null) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+
+		try {
+			NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder jwtDecoderBuilder = NimbusJwtDecoder.withJwkSetUri(jwksUrl)
+					.jwsAlgorithm(signatureAlgorithm);
+			jwtDecoder = jwtDecoderBuilder.build();
+		} catch (Exception e) {
+			OAuth2ClientAuthenticationProvider.throwInvalidClient(OAuth2ParameterNames.CLIENT_ASSERTION);
+		}
+		return new CachedJwtDecoder(jwtDecoder, registeredClient);
+	}
+
+	private static class CachedJwtDecoder {
+		private final NimbusJwtDecoder jwtDecoder;
+		private final RegisteredClient registeredClient;
+
+		CachedJwtDecoder(NimbusJwtDecoder jwtDecoder, RegisteredClient registeredClient) {
+			this.jwtDecoder = jwtDecoder;
+			this.registeredClient = registeredClient;
+		}
+	}
+}