JWT with Spring OAuth2

ⅰ亾dé卋堺 提交于 2019-12-01 22:01:57
dur

It is part of the specification, see RFC 6749:

2.3 Client Authentication

If the client type is confidential, the client and authorization server establish a client authentication method suitable for the security requirements of the authorization server. The authorization server MAY accept any form of client authentication meeting its security requirements.

Confidential clients are typically issued (or establish) a set of client credentials used for authenticating with the authorization server (e.g., password, public/private key pair).

The authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication for the purpose of identifying the client.

The client MUST NOT use more than one authentication method in each request.

By default Spring Security OAuth 2.0 protects the token endpoint, see OAuth 2 Developers Guide:

The token endpoint is protected for you by default by Spring OAuth in the @Configuration support using HTTP Basic authentication of the client secret.

But it seems, that you can disable the client authentication:

That is the structure of the JWT token:

HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),
    secret

    )


As you are doing a JWT implementation all the 3 parts must be there: header.payload.secret

Maybe in the implementation you have seen - the server was working with Default Secret

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!