Consider enabling key selection by JWT
`JWSKeySelector` takes a `JWSHeader`, which is enough to do key selection in most cases.
However, it's tricky in the multi-tenant situation, where an application has several issuer endpoints to select from.
Several Spring Security users have requested this feature of being able to determine the key set based on the "iss" claim. If the list of issuers is whitelisted by the recipient, then I don't believe this presents a security issue.
If there were a way for the Nimbus API to change and allow a configuration point that accepted the entire `JWT` instead of just the `JWSHeader`, offering this feature would be greatly simplified.
For example, an application could then easily do something like:
```java
// Sketch against the proposed JWTKeySelector interface, not the current Nimbus API
public class IssuerBasedJWTKeySelector<C extends SecurityContext> implements JWTKeySelector<C> {
    // one JWSKeySelector per whitelisted issuer
    private final Map<String, JWSKeySelector<C>> selectors = new HashMap<>();

    public List<? extends Key> selectKeys(final JWT jwt, final C context)
            throws KeySourceException, ParseException {
        String issuer = jwt.getJWTClaimsSet().getIssuer();
        JWSKeySelector<C> selector = selectors.get(issuer);
        if (selector == null) {
            return Collections.emptyList(); // unknown issuer: no keys, so verification fails
        }
        return selector.selectJWSKeys((JWSHeader) jwt.getHeader(), context);
    }
}
```
Some requesters of this feature have thousands of tenants, so likely their solution would not be in-memory like this, but my point is that taking the `JWT` instead of just the `JWSHeader` would enable this kind of flexibility.
The existing method is already GA, and it's nice that it's compatible with lambdas, so I'd suggest introducing a new interface called `JWTKeySelector`. `DefaultJWTProcessor` could take a `JWTKeySelector`, the default implementation being that it would call down to the configured `JWSKeySelector`:
```java
private JWSKeySelector<C> jwsKeySelector;

private JWTKeySelector<C> signedJWTKeySelector = new JWTKeySelector<C>() {
    public List<? extends Key> selectKeys(final JWT jwt, ...) {
        // ...
        return jwsKeySelector.selectJWSKeys(jwt.getHeader() ...
    }
};

void setSignedJWTKeySelector(JWTKeySelector<C> selector) ...
```
If this makes sense, then I'd be happy to provide a PR to implement it.
I personally don't see a lot of value in doing the same thing for JWE tokens, but I'd be happy to include that in the PR, if you think it's important.
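As an added illustration (not code from this issue, the PR, or Nimbus itself), here is how a recipient can enforce the issuer whitelist described above with the current API: one `DefaultJWTProcessor` per trusted issuer, with the unverified "iss" claim used only as a lookup key into that whitelist. `IssuerAllowlistJwtValidator` and `registerIssuer` are assumed names, and RS256 with a static `JWKSet` stands in for each tenant's real key source.

```java
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

/** Routes a signed JWT to the processor of the tenant named in its "iss" claim (assumed class name). */
public final class IssuerAllowlistJwtValidator {

    // One fully configured processor per trusted issuer; the key set of this map is the whitelist.
    private final Map<String, DefaultJWTProcessor<SecurityContext>> processors = new HashMap<>();

    /** Registers a trusted issuer with its (here static) JWK set; RS256 is assumed for all tenants. */
    public void registerIssuer(String issuer, JWKSet tenantKeys) {
        JWKSource<SecurityContext> source = new ImmutableJWKSet<>(tenantKeys);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source));
        processors.put(issuer, processor);
    }

    public JWTClaimsSet validate(String token) throws ParseException, BadJOSEException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(token);
        // "iss" is read before the signature is checked, so it is unverified input at this
        // point; it is used only as a lookup key into the whitelist and for nothing else.
        String issuer = jwt.getJWTClaimsSet().getIssuer();
        DefaultJWTProcessor<SecurityContext> processor = issuer == null ? null : processors.get(issuer);
        if (processor == null) {
            throw new BadJOSEException("Issuer not in whitelist: " + issuer);
        }
        // The signature is verified against that tenant's keys only; exp/nbf are checked by the
        // processor's default claims verifier.
        JWTClaimsSet claims = processor.process(jwt, null);
        // Re-check after verification: the verified claims must name the tenant whose keys verified them.
        if (!issuer.equals(claims.getIssuer())) {
            throw new BadJOSEException("Issuer mismatch after verification");
        }
        return claims;
    }
}
```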
Comments (3)
- I've opened a PR, in case you'd like a concrete view of what I'm thinking: https://bitbucket.org/connect2id/nimbus-jose-jwt/pull-requests/54/introduce-joseobjectkeyselector/diff
- changed status to resolved. Implemented in 7.3
- For reference, this topic has been discussed on Spring Security's issue tracker in https://github.com/spring-projects/spring-security/issues/6778 and https://github.com/spring-projects/spring-security/issues/5351