Enhance OAuth2TokenExchangeAuthenticationProvider to support additional trusted issuers #1867
Comments
Can you please say more about why you feel the current provider constrains token exchange? Have you explored adding additional parameters to the request? What would be needed that isn't currently possible to support multiple IdPs? |
|
Apologies @joshuawhite929 if my above response is confusing, I was thinking about this from the Spring Security (client) side. Please feel free to share any supporting information or an example you are thinking about for supporting multiple IdPs on the server side. However, please consider that the initial implementation was intentionally limited to a single IdP so we could have more conversation prior to targeting more advanced features such as this one. |
jgrandja
added
the
status: waiting-for-feedback
|
I am definitely interested in the server side piece of this. I am currently on vacation and will be back with more detailed comments on Friday. |
spring-projects-issues
added
status: feedback-provided
jgrandja
added
status: waiting-for-feedback
|
My companies OSS process is taking longer than I anticipated. Would you prefer to wait or close this issue and have me open another when ready? |
spring-projects-issues
added
status: feedback-provided
|
Hi @joshuawhite929.
That depends I suppose. You wouldn't need to provide anything specific to your internal environment, I am just looking for some details on a use case at a high (e.g. abstract) level. In the opening comment you mention:
If you can add more clarity around the details of what you're requesting here (a specific use case), that would be helpful since I'm not sure I have enough information from that statement to determine what enhancement would be targeted by this issue. If you feel you're unable to provide additional details at the moment, then I think we should close this ticket for now as I feel it is not actionable. Does that make sense? |
sjohnr
added
status: waiting-for-feedback
|
I am looking to use a JWT as a authorization grant to obtain an access token from a different authorization server. Today, the Spring Authorization Server assumes that the JWT specified by the subject_token/actor_token originates from itself. To facilitate a cross-domain token exchange, I am hoping to validate/trust a JWT from a different issuer. Does this make sense? I believe this is briefly mentioned in the spec:
|
spring-projects-issues
added
status: feedback-provided
It is hinted at in the spec as you mentioned there, but it unfortunately does not spell out any details for how such a use case would work. I think that the spec is both broad and narrow, broad in the sense that many combinations of request parameters are technically valid, but narrow in the sense that very few such combinations have clearly defined behavior. Beyond the basic use cases supported by the initial implementation, we quickly run out of clear usage patterns. My interpretation of the spec is that these other use cases could be defined by a specific implementation of a purpose-built security token service (STS) that clearly documents the use case(s) it intends to solve, what requests or parameter combinations are valid, what out-of-band setup is required to use them, etc. The use case you mention:
...is still very general and while it might make sense, we would need a more specific use case to determine whether it makes sense for the framework to support it. I think there are still a variety of use cases that could be possible based on the broad definitions found in the spec. So focusing on what you have provided for the moment:
Simply validating an input token is not quite enough. There are certain outputs that we expect from this process. Currently, we can obtain all the information needed from the Some details are just used for additional validation, so they could be kept internal to the implementation. Beyond that, we need to know what "principal" (or end user) is represented by the combination of a subject token and an optional actor token. This whole process would end up being fairly generic and would probably look a lot like the existing If we do all of that, we still wouldn't have enough information to interpret the various allowed combinations of parameters in the request. For example, what if we want to support two issuers? What about a multi-tenant setup? Do we support combinations of internal subjects and external actors or vice versa? And what policies or validation are needed in each case? All of this would need to be accounted for, and would likely result in a fairly complex setup. For now, I think just referencing the docs for how to implement an extension grant type and plugging in a custom What do you think? |
|
I will look into this and get back to you |
|
IMHO - 95% of the existing code/tests can be reused. I'm thinking that the only difference would be the "strategy" used to validate/authenticate the subject and actor tokens. If we prefer to have this implemented in a different AuthenticationProvider class, can we consider pushing 95% of the code into an perhaps use a template method to validate/authenticate the subject and actor tokens? Thoughts on this approach? |
Expected Behavior
OAuth2TokenExchangeAuthenticationProvider should be enhanced to support subject/actor tokens from other trusted issuers
Current Behavior
Today, OAuth2TokenExchangeAuthenticationProvider validates/authorizes the subject/actor token by looking for the JWT in the configured OAuth2AuthorizationService. Additional trusted issuers are not supported in the current implementation.
Context
The current OAuth2TokenExchangeAuthenticationProvider constrains token exchange process to a single IDP. I believe the spirit of RFC 8693 is to also enable token exchange across security domains.
If this is something that the team is willing to support, I have a working example of how OAuth2TokenExchangeAuthenticationProvider could be modified to support this need.
CC: @sjohnr , @jgrandja
The text was updated successfully, but these errors were encountered: