JWT with Spring OAuth2

I created a Spring authorization server that issues JWT tokens and a resource server that validates the JWT, its claims and permissions against the authorization server. To do this, I followed this article.

My question is, why do I need to send the Authorization header using HTTP Basic Authorization with the Base64 encoded username / password (ClientId:ClientSecret) when requesting the token? I've seen JWT implementations where only username and password are required.

+3




2 answers


This is part of the specification, see RFC 6749:

2.3 Client Authentication

If the client type is confidential, the client and the authorization server set the client authentication method to match the security requirements of the authorization server. An authorization server MAY accept any form of client authentication that satisfies its security requirements.

Confidential clients are typically issued (or establish) a set of client credentials used to authenticate with the authorization server (for example, a password, or a public / private key pair).

An authorization server MAY establish a client authentication method with public clients. However, the authorization server MUST NOT rely on public client authentication to identify the client.

A client MUST NOT use more than one authentication method per request.

By default, Spring Security OAuth 2.0 secures the token endpoint, see the OAuth 2 Developer's Guide:

The token endpoint is secured for you by default by Spring OAuth in the @Configuration support, using HTTP Basic authentication of the client.

But it looks like you can turn off client authentication:

0


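The answer above comes down to one rule from RFC 6749 §2.3: a confidential client must prove who it is to the token endpoint, and the HTTP Basic header (Base64 of client_id:client_secret) is how Spring's token endpoint does that by default. The following Python sketch of a token endpoint's client-authentication step is an added example, not code from the original answer or from Spring Security OAuth; the client registry, client ids and secrets are constructed for illustration. It shows the three outcomes the RFC distinguishes: a confidential client with valid credentials, a confidential client that forgot to authenticate, and a public client whose self-asserted client_id is accepted but not treated as proof of identity. It also rejects a request that uses two authentication methods at once, which §2.3 forbids.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Client:
    client_id: str
    secret_hash: Optional[bytes]  # SHA-256 of the secret for confidential clients, None for public clients
    confidential: bool


def _hash_secret(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Constructed client registry (hypothetical ids and secrets, not from the page).
CLIENTS = {
    "web-app": Client("web-app", _hash_secret("s3cr3t"), confidential=True),
    "mobile-app": Client("mobile-app", None, confidential=False),
}


def basic_header(client_id: str, client_secret: str) -> str:
    """Build the value a client sends as 'Authorization: Basic ...' on the token request."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str):
    """Return (client_id, client_secret) from a Basic header value, or None if it is not usable."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, client_secret = decoded.partition(":")
    if not sep or not client_id:
        return None
    return client_id, client_secret


def authenticate_client(headers: dict, form: dict):
    """
    Client-authentication step of a token endpoint, following RFC 6749 section 2.3.
    Returns (accepted, reason). Confidential clients must present valid credentials;
    a public client's client_id identifies it but is never treated as authentication.
    """
    auth = headers.get("Authorization")
    creds = parse_basic_header(auth) if auth else None
    if creds is not None and "client_secret" in form:
        # The RFC forbids more than one client authentication method per request.
        return False, "more than one client authentication method"
    form_id = form.get("client_id")
    if creds is not None and form_id and form_id != creds[0]:
        return False, "client_id in body does not match credentials"
    client_id = creds[0] if creds is not None else form_id
    if not client_id:
        return False, "no client identified"
    client = CLIENTS.get(client_id)
    if client is None:
        return False, "unknown client"
    if client.confidential:
        if creds is None:
            return False, "confidential client must authenticate"
        # Constant-time comparison of secret hashes avoids timing side channels.
        if not hmac.compare_digest(_hash_secret(creds[1]), client.secret_hash):
            return False, "bad client secret"
        return True, "confidential client authenticated"
    return True, "public client (identity not authenticated)"


if __name__ == "__main__":
    hdr = basic_header("web-app", "s3cr3t")
    print(authenticate_client({"Authorization": hdr}, {"grant_type": "client_credentials"}))
    print(authenticate_client({}, {"client_id": "web-app", "grant_type": "client_credentials"}))
    print(authenticate_client({}, {"client_id": "mobile-app", "grant_type": "authorization_code"}))
```

The last branch is the practical answer to the question: a server can be configured to accept a token request without the Basic header, but then it is dealing with a public client and must not grant anything that depends on knowing which client is really calling.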


This is the JWT token structure:

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    secret
)


As you are doing a JWT implementation, all 3 parts must be there: header.payload.secret

Perhaps in the implementation you saw, the server was running with the default secret.

0


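The HMACSHA256 formula in the answer above is worth seeing executed end to end, because it makes clear what the third segment of a token actually is: the HMAC signature computed with the secret over the first two segments, not the secret itself, which never leaves the server. The following is an added example written for this page, not code from the original answer or from any Spring project; it uses only the Python standard library, and the secret, claims and timestamps are constructed values. It signs a token with HS256 and then performs the checks a resource server does on every request: exactly three segments, a pinned algorithm, a constant-time signature comparison, an expiry check and a scope (permission) check.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Produce header.payload.signature, the structure quoted in the answer."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None):
    """
    Resource-server side check. Returns (True, payload) for a valid, unexpired token
    and (False, reason) otherwise. 'now' is injectable so the expiry check is testable.
    """
    try:
        parts = token.split(".")
        if len(parts) != 3:
            return False, "token must have exactly three parts"
        header_b64, payload_b64, sig_b64 = parts
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier, not the token, decides how to verify.
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers malformed base64, JSON and UTF-8
        return False, "malformed token"
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return False, "token expired"
    return True, payload


def require_scope(payload: dict, scope: str) -> bool:
    """Permission check on the space-separated 'scope' claim."""
    return scope in payload.get("scope", "").split()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed; a real deployment uses a random key
    token = sign_hs256({"sub": "alice", "scope": "read write", "exp": 1000}, secret)
    print(token)
    print(verify_hs256(token, secret, now=500))
    print(verify_hs256(token, b"some-other-secret", now=500))
```

Two details matter for the original question. First, the token carries no secret, so a resource server that knows the shared key can validate locally, which is why a resource server can accept tokens without a round trip to the authorization server. Second, a server left running with a default or guessable secret lets anyone mint tokens that pass this check, which is the risk behind the answer's remark about a default secret.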