Add support for OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens #101
Comments
|
@jgrandja Has it already been assigned to someone? I'd like to give it a try. |
|
Thanks for the offer @pkostrzewa. I likely need to split this ticket up into 2 separate tasks. I'll get back to you sometime next week with a plan on how to implement this feature. Thanks! |
|
@pkostrzewa Apologies for the long delay in my response. I'm going to be taking on this feature as part of a POC that I'll be starting next week. The POC involves integration with SPIFFE / SPIRE. If there are any other tasks you're interested in please let me know. |
|
@jgrandja Yes, I can take something else. |
|
See sample implementation: |
|
Hi @jgrandja, in which release we can expect this feature? |
|
@aphalke We'll target this feature in the |
|
This feature has been pushed to the |
|
@jgrandja Do you know which version of spring authorization server will support mtls? |
|
@ZuoJunLN We're releasing |
|
@jgrandja Thank you for your reply. May I inquire about the reason for this ticket being repeatedly postponed? It has been there for over three years. Is there a technical issue causing the delay, or is it simply a matter of other priorities taking precedence? |
|
@ZuoJunLN Other priorities have taken precedence. No technical issue. As well, we have limited resources on the team so it's tough getting all the features we want/need into a release. |
|
@jgrandja Understood. By the way, in order to support mTLS, The client will pass a client certificate to the server, How does the Spring Authorization Server handle the client certificate? Does it obtain the client certificate from the request header, or does it retrieve the client certificate from somewhere else? |
|
@ZuoJunLN It will check for the client certificate in the request. See sample implementation for details. |
|
Thanks for your recently update, when 1.3.0-M3 will be released? when 1.3.0 will be officially released? |
|
@jgrandja In RFC 8705, it suggests that the Authorization Server should support a different token endpoint for each authentication method. Is this supported in this release? |
|
@jgrandja One more question about implementing this server: in RFC 8705, it states that the implementation of mutual-TLS for client authentication and mutual-TLS client certificate-bound access tokens can be done separately. Is this supported here? |
|
@ZuoJunLN This is not a support forum. We prefer to use GitHub issues only for bugs and enhancements. If you have specific questions or require support please direct it to Stack Overflow. There are 3 issues that are linked to this issue and only one of them are complete now. There is more work to be done in the other 2 issues until this feature is complete. Until this feature is fully complete and we have provided reference documentation, it is up to you to look at the current code to see what is currently implemented. |
|
@tlodderstedt It's been a long time coming but I'm happy to share that this feature has been completed and will be released in The Demo Sample shows how to configure the client for mTLS client authentication using both PKI and self-signed method. I've split up this issue and associated tasks into 4 separate issues gh-1558, gh-1559, gh-1560 and gh-1561. I'll close this as a duplicate. I still need to add reference documentation in gh-1561 before the release. |
Expected Behavior
Support for RFC 8705 would allows clients to authenticate using TLS certificates and to bind access tokens to such certificates.
Current Behavior
Addition of client authentication with public client crypto increases the security capabilities of this project.
Context
There are several advantages:
Related gh-1558, gh-1559, gh-1560
The text was updated successfully, but these errors were encountered: