Issue of private_key_jwt authentication type token issuance (JwtClientAssertionAuthenticationConverter) #16945

Open
dev-jsshin opened this issue Apr 16, 2025 · 0 comments
Labels
status: waiting-for-triage An issue we've not yet triaged type: bug A general bug

Comments

@dev-jsshin
Logic within JwtClientAssertionAuthenticationConverter

If you look at the token issuance logic of the private_key_jwt authentication type,
it says to send client_id as a parameter.

If you only look at the RFC 7523 standard, a separate client_id parameter is not required because it identifies the client with an iss/sub claim within the client_assertion.

It seems that branch processing is required for each type of authentication.

```java
@Nullable
public Authentication convert(HttpServletRequest request) {
    MultiValueMap<String, String> parameters = OAuth2EndpointUtils.getFormParameters(request);
    if (parameters.getFirst("client_assertion_type") != null && parameters.getFirst("client_assertion") != null) {
        // client_assertion_type (REQUIRED, exactly one value)
        String clientAssertionType = parameters.getFirst("client_assertion_type");
        if (parameters.get("client_assertion_type").size() != 1) {
            throw new OAuth2AuthenticationException("invalid_request");
        } else if (!JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD.getValue().equals(clientAssertionType)) {
            return null;
        } else {
            // client_assertion (REQUIRED, exactly one value)
            String jwtAssertion = parameters.getFirst("client_assertion");
            if (parameters.get("client_assertion").size() != 1) {
                throw new OAuth2AuthenticationException("invalid_request");
            } else {
                String clientId = parameters.getFirst("client_id");  // <========== this line.
                if (StringUtils.hasText(clientId) && parameters.get("client_id").size() == 1) {
                    Map<String, Object> additionalParameters = OAuth2EndpointUtils.getParametersIfMatchesAuthorizationCodeGrantRequest(
                            request, "client_assertion_type", "client_assertion", "client_id");
                    return new OAuth2ClientAuthenticationToken(clientId, JWT_CLIENT_ASSERTION_AUTHENTICATION_METHOD, jwtAssertion, additionalParameters);
                } else {
                    throw new OAuth2AuthenticationException("invalid_request");
                }
            }
        }
    } else {
        return null;
    }
}
```
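As an added example (not Spring Security's code), the client-identification branch the report asks for, sketched in Python rather than Java: when no client_id parameter is sent, the client is taken from the assertion's sub claim (RFC 7523 §3 requires sub to be the client_id for client authentication, with iss the same value); when a client_id parameter is present it must match the assertion (RFC 7521 §4.2). Signature verification of the assertion against the client's registered key is assumed to happen afterwards, as in the converter above; the JWT helper here is constructed and unsigned. The names `resolve_client_id`, `InvalidRequest` and `make_unsigned_assertion` are assumptions for this example.

```python
import base64
import json
from typing import Mapping, Optional, Sequence

JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


class InvalidRequest(Exception):
    """Stand-in for OAuth2AuthenticationException("invalid_request")."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unverified_claims(assertion: str) -> dict:
    # Extracts the payload only; signature verification happens later, against the client's JWK.
    parts = assertion.split(".")
    if len(parts) != 3:
        raise InvalidRequest("malformed client_assertion")
    return json.loads(_b64url_decode(parts[1]))


def resolve_client_id(params: Mapping[str, Sequence[str]]) -> Optional[str]:
    """Return the client_id for a private_key_jwt request, or None if this is not one."""
    types = params.get("client_assertion_type", [])
    assertions = params.get("client_assertion", [])
    if not types or not assertions:
        return None  # not a client-assertion request; other converters may apply
    if len(types) != 1 or len(assertions) != 1:
        raise InvalidRequest("duplicate client_assertion parameters")
    if types[0] != JWT_BEARER_ASSERTION:
        return None
    claims = unverified_claims(assertions[0])
    sub, iss = claims.get("sub"), claims.get("iss")
    if not sub or iss != sub:
        raise InvalidRequest("client_assertion must carry iss == sub == client_id")
    client_ids = params.get("client_id", [])
    if len(client_ids) > 1:
        raise InvalidRequest("duplicate client_id parameter")
    if client_ids and client_ids[0] != sub:  # RFC 7521 section 4.2 binding check
        raise InvalidRequest("client_id parameter does not match assertion subject")
    return sub


def make_unsigned_assertion(claims: dict) -> str:
    # Constructed test JWT with a placeholder signature segment; not a real signed assertion.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"
```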
@dev-jsshin dev-jsshin added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 16, 2025