
refactor: prepare for private_key_jwt in oauth_client_details #2433

Merged: 10 commits, Sep 14, 2023

Conversation

@strehle (Member) commented Aug 7, 2023

BaseClientDetails from spring security oauth2 cannot be changed, therefore move to UaaClientDetails for client details load

Add new column : client_jwt_config

The content of client_jwt_config will be JSON. The PR #2449 will make use of this.

The client jwt authentication is based on JsonWebKey trust. See https://datatracker.ietf.org/doc/html/rfc7517
The internal store can contain either.

  • jwks: similar to what you see in /token_key or /token_keys of your own UAA, but the real JSON content.
  • jwks_uri: is the URL to a remote jwks_uri, e.g. http://localhost:8080/uaa/token_key(s)

The idea is that with such a trust you can now configure in your zone1 a client with jwks_uri pointing to the system zone, e.g. http://localhost:8080/uaa/token_keys. Now you define an OIDC identity provider object with jwtClientAuthentication: true and you set in tokenKeyUrl the other jwks_uri, e.g. http://zone.localhost:8080/uaa/token_keys

Now you have jwt based client authentication between zones: uaa and zone.
You can also add other clients in customer zone where client trust is set to http://localhost:8080/uaa/token_keys (system uaa zone) and then you do other calls but the client in the customer zone always trusts your system zone, even if you update your own JWT signing keys.

BaseClientDetails from spring security oauth2 cannot be changed, therefore move to UaaClientDetails for client details load
@cf-gitbot commented

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/185779265

The labels on this github issue will be updated when the story is started.

@strehle (Member, Author) commented Aug 23, 2023

@Tallicia @bruce-ricard can you please review this PR?
In the meeting we decided to go for option 1 (own DB column), but then BaseClientDetails (from spring security oauth2) cannot be used anymore and I have to move to an own class as abstraction for the DB table oauth_client_details. Is the name UaaClientDetails OK with you?

Even if UaaClientDetails is used, the addClientDetails method can be used, and therefore it does not make sense to have 2 add methods.
@strehle strehle added the in_review The PR is currently in review label Aug 25, 2023
@strehle strehle merged commit 819d274 into develop Sep 14, 2023
@strehle strehle deleted the feature/issue/2235/refactorClient branch September 14, 2023 09:06
@strehle strehle removed the in_review The PR is currently in review label Sep 14, 2023
strehle added a commit that referenced this pull request Sep 27, 2023
More details in #2449, in #2433 as this PR includes #2433 -> in order to have smaller review packages

Enable the validation of client_assertion as replacement for client_secret
Add private_key_jwt as client_auth_method into tokens.
strehle added a commit that referenced this pull request Oct 12, 2023
#2507)

* feature: add runtime support for private_key_jwt client authentication

More details in #2449, in #2433 as this PR includes #2433 -> in order to have smaller review packages

Enable the validation of client_assertion as replacement for client_secret
Add private_key_jwt as client_auth_method into tokens.

* review

* fix smells from sonar

https://sonarcloud.io/summary/new_code?id=cloudfoundry-identity-parent&pullRequest=2507