spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.

Home Page:http://github.com/spring-projects/spring-security-oauth


Spring ignores JWKS keys that use the "key_ops" attribute instead of the "use" attribute

gubespam opened this issue

Reopening #1871

When working with a JWK key that supplies the "key_ops" attribute instead of the "use" attribute, Spring Security skips over the key and does not use it, which results in authentication failures when this key is needed for token verification.

For example:

{
  "keys": [
    {
      "kty": "RSA",
      "x5t#S256": "...",
      "e": "...",
      "x5t": "...",
      "kid": "SIGNING_KEY",
      "x5c": [ "...", "..." ],
      "key_ops": [ "encrypt", "verify" ],
      "alg": "RS256",
      "n": "..."
    }
  ]
}

See org.springframework.security.oauth2.provider.token.store.jwk.JwkDefinitionSource

This is in part due to

// gh-1082 - skip arrays such as x5c as we can't deal with them yet
if (parser.nextToken() == JsonToken.START_ARRAY) {

which skips the key_ops attribute.

Then later only the "use" attribute is examined, not the "key_ops" attribute.

JwkDefinition.PublicKeyUse publicKeyUse =
    JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE));
if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) {
    continue;
}

I think the correct behavior is for Spring to examine the values in key_ops when "use" is not present. Note that these two attributes have a different set of expected values. See pages 6 and 7 of the spec here.

I believe the mapping from "key_ops" values to "use" value would be something like this:

"sign" => "sig"
"verify" => "sig"
"encrypt" => "enc"
"decrypt" => "enc"
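The key-selection rule proposed above, worked through as an added stand-alone example (Python, not code from spring-security-oauth and not the JwkDefinitionSource logic quoted above). It reads "use" first and falls back to "key_ops", extends the four-entry mapping with the remaining RFC 7517 section 4.3 operations (wrapKey, unwrapKey, deriveKey, deriveBits), rejects keys whose "use" and "key_ops" contradict each other (RFC 7517 says both MAY appear but MUST agree), and flags keys that mix signature and encryption operations, which the same section says SHOULD NOT be done. The JWK Set is constructed inline from the shape in the issue plus a few variants; the n, e and x5c values are placeholders since only the metadata members matter for selection. `honour_key_ops=False` reproduces the reported behaviour for comparison.

```python
"""Selecting JWT verification keys from a JWK Set while honouring both the
"use" and the "key_ops" members (RFC 7517, sections 4.2 and 4.3).

Added example for this issue; stand-alone, not code from spring-security-oauth.
Key material in the sample set is placeholder text."""
import json

# RFC 7517 section 4.3 key_ops values mapped onto the section 4.2 "use"
# values. Extends the four-entry mapping proposed in the issue.
KEY_OPS_TO_USE = {
    "sign": "sig", "verify": "sig",
    "encrypt": "enc", "decrypt": "enc",
    "wrapKey": "enc", "unwrapKey": "enc",
    "deriveKey": "enc", "deriveBits": "enc",
}


def declared_uses(jwk, honour_key_ops=True):
    """Return the set of "use" values the key declares, e.g. {"sig"}.

    Empty set: neither member is present. Raises ValueError when "use" and
    "key_ops" contradict each other (RFC 7517 4.3: both MAY appear, but MUST
    be consistent) or when key_ops is malformed.
    honour_key_ops=False reproduces the behaviour the issue reports: only
    "use" is examined, so a key carrying key_ops instead looks undeclared."""
    uses = set()
    if "use" in jwk:
        uses.add(jwk["use"])
    ops = jwk.get("key_ops")
    if ops is not None and honour_key_ops:
        if not isinstance(ops, list) or not ops:
            raise ValueError("key_ops must be a non-empty JSON array")
        # Unknown operations map to themselves, so they never count as "sig".
        implied = {KEY_OPS_TO_USE.get(op, op) for op in ops}
        if "use" in jwk and jwk["use"] not in implied:
            raise ValueError("use=%r contradicts key_ops=%r" % (jwk["use"], ops))
        uses |= implied
    return uses


def mixes_operations(jwk):
    """True when key_ops spans both signature and encryption operations.
    RFC 7517 4.3 says unrelated operations SHOULD NOT share one key, because
    the same key then ends up used under several algorithms."""
    implied = {KEY_OPS_TO_USE.get(op) for op in jwk.get("key_ops", [])}
    return {"sig", "enc"} <= implied


def select_verification_keys(jwks_json, honour_key_ops=True):
    """Return (selected_kids, skipped) for JWT signature verification.

    `skipped` maps kid -> reason, so an operator can see why a key was
    ignored instead of debugging an opaque signature failure."""
    selected, skipped = [], {}
    for jwk in json.loads(jwks_json)["keys"]:
        kid = jwk.get("kid", "<no kid>")
        try:
            uses = declared_uses(jwk, honour_key_ops)
        except ValueError as err:
            skipped[kid] = str(err)
            continue
        if "sig" not in uses:
            skipped[kid] = "not declared for signatures (use=%r, key_ops=%r)" % (
                jwk.get("use"), jwk.get("key_ops"))
            continue
        ops = jwk.get("key_ops")
        if honour_key_ops and ops is not None and "verify" not in ops:
            # e.g. key_ops ["sign"] alone: a signing key published where only
            # verification keys belong; do not use it to verify anything.
            skipped[kid] = "key_ops %r lacks verify" % (ops,)
            continue
        selected.append(kid)
    return selected, skipped


# Constructed JWK Set: the shape from the issue plus a few variants.
# n, e and x5c are placeholders; they are never parsed as key material here.
SAMPLE_JWKS = json.dumps({"keys": [
    # No "use", key_ops instead, plus the x5c array the reported parser skips.
    {"kty": "RSA", "kid": "SIGNING_KEY", "alg": "RS256", "n": "...", "e": "AQAB",
     "x5c": ["...", "..."], "key_ops": ["encrypt", "verify"]},
    {"kty": "RSA", "kid": "USE_SIG", "use": "sig", "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "USE_ENC", "use": "enc", "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "OPS_VERIFY", "key_ops": ["verify"], "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "OPS_SIGN_ONLY", "key_ops": ["sign"], "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "CONTRADICTORY", "use": "sig", "key_ops": ["encrypt"],
     "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "UNDECLARED", "n": "...", "e": "AQAB"},
]})

if __name__ == "__main__":
    for honour in (True, False):
        selected, skipped = select_verification_keys(SAMPLE_JWKS, honour)
        print("honour_key_ops=%s selected=%s" % (honour, selected))
        for kid, reason in skipped.items():
            print("  skipped %s: %s" % (kid, reason))
```

With `honour_key_ops=True` the SIGNING_KEY from the issue is selected (and `mixes_operations` reports it for combining encrypt with verify); with `honour_key_ops=False` it is skipped as undeclared, which is the reported failure, and the CONTRADICTORY key is accepted because its key_ops is never looked at. A deployment that wants the RFC's "absent means any use" reading for UNDECLARED can add that as an explicit policy switch rather than silently accepting such keys.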

@gubespam The initial (and current) implementation of JwkTokenStore does not provide full support for all possible JWK parameters, including key_ops. This would be an enhancement.

However, are you aware that this project is nearing end-of-life? Please see this announcement.

Are you able to consider/switch to the OAuth support in Spring Security?

See the reference for client support and resource server support.

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.