Skip to content

Fix DPoP jkt claim to be JWK SHA-256 thumbprint#17080

Closed
dkowis wants to merge 2 commits intospring-projects:mainfrom
dkowis:jwk-thumbprint-fix
Closed

Fix DPoP jkt claim to be JWK SHA-256 thumbprint#17080
dkowis wants to merge 2 commits intospring-projects:mainfrom
dkowis:jwk-thumbprint-fix

Conversation

@dkowis
Copy link
Copy Markdown
Contributor

@dkowis dkowis commented May 8, 2025

This is the proper implementation for a JWK Thumbprint. Spring Security was doing a Certificate Thumbprint, which is correct for ath claims to verify the certificate used in the JWK, but it's not correct for a DPoP verification jkt claim.

Resolves #17079

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 8, 2025
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 37b16fa to 4d330cf Compare May 8, 2025 17:36
dkowis added 2 commits May 8, 2025 12:37
@dkowis
Fix JWK Thumbprint calculation to conform to RFC7638
195e4a4 
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Signed-off-by: David Kowis <[email protected]>
@dkowis
Removed unused hash calculation
45f5232 
The other method remains for the `ath` claims

Signed-off-by: David Kowis <[email protected]>
@dkowis dkowis force-pushed the jwk-thumbprint-fix branch from 4d330cf to 45f5232 Compare May 8, 2025 17:37
@jgrandja jgrandja changed the title Jwk thumbprint fix Fix DPoP jkt claim to be JWK SHA-256 thumbprint May 13, 2025
@jgrandja jgrandja self-assigned this May 13, 2025
@jgrandja jgrandja added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels May 13, 2025
@jgrandja jgrandja added this to the 6.5.0 milestone May 13, 2025
@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label May 13, 2025
@jgrandja jgrandja mentioned this pull request May 13, 2025
Closed
jgrandja pushed a commit that referenced this pull request May 13, 2025
@dkowis @jgrandja
Fix DPoP jkt claim to be JWK SHA-256 thumbprint
2090f44 
Just used the nimbus JOSE library to do it, because it already has a
compliant implementation.

Closes gh-17080

Signed-off-by: David Kowis <[email protected]>
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja
Polish gh-17080
a265ac6
@jgrandja jgrandja closed this in 462e38c May 13, 2025
jgrandja added a commit that referenced this pull request May 13, 2025
@jgrandja
Polish gh-17080
44303d2
@jgrandja
Copy link
Copy Markdown
Contributor

jgrandja commented May 13, 2025

@dkowis Thank you for catching this! This is now merged along with a minor polish commit.

@jgrandja jgrandja mentioned this pull request May 13, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jgrandja jgrandja

Labels

in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug

Projects

None yet

Milestone

6.5.0

Development

Successfully merging this pull request may close these issues.

DPoP JWK Thumbprint validation does not conform to RFC7638

3 participants

@dkowis @jgrandja @spring-projects-issues