OIDC Login Module with JWT token support #6304
Conversation
```java
 * is a specific type of proof from RFC 7515 (JSON Web Signature (JWS)) and represents an SHA-256 digest
 * of DER encoded certificate ("x5" = X.509, "t" = thumbprint).</p>
 */
private boolean requireOAuth2MTLS;
```
I think this config should be to disable the check, and should be off by default. Then the behaviour is to validate any tls claim that is in the token. To my mind, this means that we respect those tokens by default and if they are present (the token should be used with mtls), and the option is not disabled and the connection does not have a matching cert, we fail.
I'll rephrase the option and change the tests soon.
just a thought, but would `disableRfc7800ProofOfPosessionCheck`? I think the attribute should be self describing, so long as it is correct/accurate
RFC 7800 is more generic (`cnf` - confirmation claim) and RFC 8705 is more specific (`cnf/x5t#S256`). Naming is hard ;)
I'll think about something.
But I already thought about this matrix:
| | TLS off | mTLS disabled | mTLS optional | mTLS required |
|---|---|---|---|---|
| no cnf/x5t | fine | fine | ? | ? |
| matching cnf/x5t | ? | ? | fine | fine |
| different cnf/x5t (than in mTLS) | ? | ? | error | error |
3rd dimension would be the state (which impacts the name) of the option ;)
when the config is to disable, then the options are reduced. When it is enabled, there must be mtls and the matching rfc8705 token element to succeed. when disabled, it is just ignored.
ok, I misunderstood, the idea is to have a more protective config, that will only accept tokens with the cert hash, so requireRfc8706 is appropriate and your existing name may be better. oath2mtlsPinning maybe?
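The decision matrix and the "require" option discussed in the thread above, written out as an added example (not code from this PR or from Artemis, and in Python rather than Java so it can be run stand-alone). The check is RFC 8705 certificate-bound access tokens: the `cnf` claim carries `x5t#S256`, the base64url-encoded SHA-256 of the DER-encoded client certificate, and the login module compares it with the certificate actually presented on the TLS connection. Names (`check_cert_binding`, `require_mtls_binding`, the sample byte strings) are assumptions; `require_mtls_binding` plays the role of the `requireOAuth2MTLS` field from the diff. The sample "certificates" are constructed byte strings standing in for DER encodings, since the thumbprint does not require parsing the certificate.

```python
import base64
import hashlib
import hmac
from typing import Optional


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url (no padding) of SHA-256 over the DER certificate bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_cert_binding(claims: dict, client_cert_der: Optional[bytes], require_mtls_binding: bool) -> str:
    """Decide whether a (signature-verified) JWT may be used on this connection.

    claims:              decoded JWT payload; signature and expiry are assumed checked already
    client_cert_der:     DER bytes of the TLS client certificate, or None when the connection
                         has no client certificate (TLS off, mTLS disabled, or mTLS optional and
                         the client sent none)
    require_mtls_binding: the requireOAuth2MTLS-style option: when True, plain bearer tokens
                         without a cnf/x5t#S256 claim are rejected
    Returns "ok" or a string starting with "reject:" giving the reason.
    """
    cnf = claims.get("cnf") or {}
    expected = cnf.get("x5t#S256")

    if expected is None:
        # Matrix row "no cnf/x5t": fine as a bearer token unless binding is required.
        if require_mtls_binding:
            return "reject: token lacks cnf/x5t#S256 but certificate binding is required"
        return "ok"

    if client_cert_der is None:
        # A bound token presented without any client certificate cannot be confirmed.
        return "reject: token is certificate-bound but no client certificate on this connection"

    actual = x5t_s256(client_cert_der)
    # Constant-time comparison on the encoded thumbprints (both are ASCII).
    if not hmac.compare_digest(actual.encode("ascii"), str(expected).encode("utf-8")):
        # Matrix row "different cnf/x5t (than in mTLS)": always an error.
        return "reject: cnf/x5t#S256 does not match the presented client certificate"
    # Matrix row "matching cnf/x5t": fine.
    return "ok"


# Constructed samples: NOT real X.509 certificates, just bytes standing in for DER encodings.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a-constructed-sample-client-cert"
OTHER_CERT_DER = b"\x30\x82\x01\x0a-constructed-different-client-cert"


def bound_token_claims(cert_der: bytes) -> dict:
    """Build the payload an authorization server would issue for a certificate-bound token."""
    return {"sub": "client-1", "cnf": {"x5t#S256": x5t_s256(cert_der)}}


if __name__ == "__main__":
    bound = bound_token_claims(SAMPLE_CERT_DER)
    bearer = {"sub": "client-1"}
    for label, claims, cert, required in [
        ("bound token, matching cert, required", bound, SAMPLE_CERT_DER, True),
        ("bound token, different cert", bound, OTHER_CERT_DER, False),
        ("bound token, no client cert", bound, None, False),
        ("bearer token, binding optional", bearer, None, False),
        ("bearer token, binding required", bearer, None, True),
    ]:
        print(f"{label}: {check_cert_binding(claims, cert, required)}")
```

The "mTLS optional" versus "mTLS required" distinction from the matrix is enforced by the TLS layer, so the check above only sees whether a client certificate arrived; the remaining third dimension from the thread (whether the option is on) is the `require_mtls_binding` flag, which only affects tokens that carry no `cnf` claim at all.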
* support for fetching OIDC metadata
* caching and handling JWK keys
* JAAS Login module that verifies claims and JWT signature
* extensive test coverage
* based on JDK HTTP Client
* JAAS string-based configuration (etc/login.config)
ARTEMIS-5200 Adjust OSGi headers and features for artemis-server-osgi