I have created the Spring Authorization Server which issues JWT-s and a Resource Server which checks the JWT, its claims and permissions on the Authorization Server. To do so, I have followed this article.
My question is why I need to send the Authorization header with HTTP Basic authorization and Base64 encoded username/password (ClientId:ClientSecret) in the get token request? I have seen JWT implementations where only username and password are required.
It is part of the specification, see RFC 6749:
2.3 Client Authentication
If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.
Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).
The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.
The client MUST NOT use more than one authentication method in each request.
By default Spring Security OAuth 2.0 protects the token endpoint, see OAuth 2 Developers Guide:
The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.
But it seems, that you can disable the client authentication:
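As an added illustration (not code from the question, the answers, or Spring), the following Python shows both sides of the client authentication the RFC excerpt describes: building the Basic header from client_id:client_secret the way RFC 6749 section 2.3.1 specifies, and the token endpoint's check of it, including the rule that a request must not carry more than one authentication method. The client ids and secrets are constructed sample values.

```python
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed sample client registry (hypothetical ids/secrets); a real
# server would store a hash of the secret rather than the secret itself.
REGISTERED_CLIENTS = {"my-client": "my-secret", "acme-app": "p@ss:word"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Header a confidential client sends to the token endpoint (RFC 6749
    2.3.1): id and secret are form-urlencoded, joined by ':' and Base64-encoded."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode("ascii")).decode("ascii")


def authenticate_client(headers: dict, form: dict) -> str:
    """Server side: return the authenticated client_id or raise ValueError
    carrying an RFC 6749 error code. Basic header plus client_secret in the
    body is rejected: section 2.3 says one authentication method per request."""
    auth = headers.get("Authorization", "")
    uses_header = auth.startswith("Basic ")
    uses_body = "client_secret" in form
    if uses_header and uses_body:
        raise ValueError("invalid_request: more than one client auth method")
    if uses_header:
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            raise ValueError("invalid_client: malformed Basic credentials")
        cid, sep, secret = decoded.partition(":")
        if not sep:
            raise ValueError("invalid_client: malformed Basic credentials")
        cid, secret = unquote(cid), unquote(secret)
    elif uses_body:
        cid, secret = form.get("client_id", ""), form["client_secret"]
    else:
        raise ValueError("invalid_client: no client authentication")
    expected = REGISTERED_CLIENTS.get(cid)
    # Constant-time comparison so a wrong secret cannot be guessed byte by byte.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        raise ValueError("invalid_client: bad client credentials")
    return cid


def is_rejected(headers: dict, form: dict) -> bool:
    """True when the token endpoint would refuse the request."""
    try:
        authenticate_client(headers, form)
        return False
    except ValueError:
        return True
```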
That is the structure of the JWT token:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
As you are doing a JWT implementation all the 3 parts must be there: header.payload.secret
Maybe in the implementation you have seen - the server was working with Default Secret
Source: https://stackoverflow.com/questions/43388546/jwt-with-spring-oauth2