
Fix DPoP jkt claim to be JWK SHA-256 thumbprint #17080


Closed
wants to merge 2 commits into from

Conversation

dkowis
Contributor

@dkowis dkowis commented May 8, 2025

This is the proper implementation for a JWK Thumbprint. Spring Security was doing a Certificate Thumbprint, which is correct for ath claims to verify the certificate used in the JWK, but it's not correct for a DPoP verification jkt claim.

Resolves #17079
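The distinction the pull request is about, as an added example that is not Spring Security's or Nimbus JOSE's code: an RFC 7638 thumbprint hashes only the required members of the JWK (for an EC key `crv`, `kty`, `x`, `y`; for RSA `e`, `kty`, `n`), lexicographically ordered, with no whitespace, and the DPoP `jkt` confirmation claim (RFC 9449 section 6.1) carries exactly that value. Python is used here because the point is the canonical-form algorithm, not the Spring API. The key material is constructed for illustration (the EC coordinates are plain byte runs, not a real P-256 point, which the thumbprint never checks), and `hash_of_serialized_jwk` and `dpop_key_bound` are illustrative helper names, not library functions.

```python
# Added example (not Spring Security's or Nimbus JOSE's code): the RFC 7638
# JWK thumbprint that a DPoP `jkt` claim must carry, plus the resource-server
# side check that the proof's public key matches the token's `cnf.jkt`.
# All key material below is constructed: the EC coordinates are byte runs,
# not a real P-256 point, which the thumbprint does not care about.
import base64
import hashlib
import hmac
import json

# Members RFC 7638 section 3.2 (and RFC 8037 for OKP) feeds to the hash, per
# key type. Everything else (kid, alg, use, x5c, ...) is excluded on purpose.
REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> bytes:
    """The exact octets RFC 7638 hashes: required members only, keys in
    lexicographic order, no whitespace, UTF-8."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    try:
        subset = {name: jwk[name] for name in REQUIRED_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK is missing required member {missing}") from None
    return json.dumps(subset, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 JWK thumbprint: 43 base64url characters."""
    return b64url(hashlib.sha256(canonical_jwk(jwk)).digest())


def hash_of_serialized_jwk(jwk: dict) -> str:
    """Deliberately NOT RFC 7638: hashes the JWK as json.dumps serializes it,
    optional members and whitespace included. Shown only to demonstrate that
    hashing anything other than the canonical form gives a different value."""
    return b64url(hashlib.sha256(json.dumps(jwk).encode("utf-8")).digest())


def dpop_key_bound(access_token_claims: dict, dpop_proof_header: dict) -> bool:
    """The key-binding step of DPoP proof checking (RFC 9449 section 4.3):
    the public key in the proof's `jwk` header must thumbprint to the token's
    `cnf.jkt`. Signature, htm/htu, iat, jti and ath checks are separate."""
    jkt = access_token_claims.get("cnf", {}).get("jkt")
    jwk = dpop_proof_header.get("jwk")
    if not isinstance(jkt, str) or not isinstance(jwk, dict):
        return False
    if "d" in jwk:  # RFC 9449 section 4.2: the proof's jwk MUST NOT hold a private key
        return False
    try:
        expected = jwk_thumbprint(jwk)
    except ValueError:
        return False
    # Constant-time comparison on bytes so a non-ASCII jkt cannot raise.
    return hmac.compare_digest(jkt.encode("utf-8"), expected.encode("ascii"))


# Constructed sample key material (not a valid curve point).
X = b64url(bytes(range(32)))
Y = b64url(bytes(range(32, 64)))
EC_KEY = {"kty": "EC", "crv": "P-256", "x": X, "y": Y}
# The same key as a client might publish it: optional members, other order.
EC_KEY_ANNOTATED = {"x": X, "kid": "client-key-1", "alg": "ES256",
                    "use": "sig", "crv": "P-256", "y": Y, "kty": "EC"}


if __name__ == "__main__":
    jkt = jwk_thumbprint(EC_KEY)
    print("canonical:", canonical_jwk(EC_KEY).decode())
    print("jkt      :", jkt)
    print("same key, extra members   :", jwk_thumbprint(EC_KEY_ANNOTATED) == jkt)
    print("hash of serialized JSON   :", hash_of_serialized_jwk(EC_KEY_ANNOTATED) == jkt)
    token = {"sub": "alice", "cnf": {"jkt": jkt}}
    proof_header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": EC_KEY_ANNOTATED}
    print("proof key bound to token  :", dpop_key_bound(token, proof_header))
    print("proof with different key  :", dpop_key_bound(token, {"jwk": {**EC_KEY, "y": X}}))
```

The last two comparisons in `__main__` show why a non-RFC 7638 value on either side is a hard failure rather than a near miss: a server that computes `jkt` any other way will reject every correctly bound DPoP proof, and a client that does so will never match what the authorization server put in `cnf`. In Java the Nimbus JOSE library exposes the same computation as `JWK.computeThumbprint()`.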

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 8, 2025
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 37b16fa to 4d330cf May 8, 2025 17:36
dkowis added 2 commits May 8, 2025 12:37
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Signed-off-by: David Kowis <david@kow.is>
The other method remains for the `ath` claims

Signed-off-by: David Kowis <david@kow.is>
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 4d330cf to 45f5232 May 8, 2025 17:37
@jgrandja jgrandja changed the title Jwk thumbprint fix Fix DPoP jkt claim to be JWK SHA-256 thumbprint May 13, 2025
@jgrandja jgrandja self-assigned this May 13, 2025
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels May 13, 2025
@jgrandja jgrandja added this to the 6.5.0 milestone May 13, 2025
@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label May 13, 2025
jgrandja pushed a commit that referenced this pull request May 13, 2025
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Closes gh-17080

Signed-off-by: David Kowis <david@kow.is>
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja jgrandja closed this in 462e38c May 13, 2025
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja
Contributor

@dkowis Thank you for catching this! This is now merged along with a minor polish commit.

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Development

Linked issue: DPoP JWK Thumbprint validation does not conform to RFC7638 (#17079)
3 participants