Nimbus 8+ prevents auto-discover mechanism in Keycloak 15
Issue #377 (status: invalid)
- changed status to open
We are using the latest Spring Security 5.4.9, which still relies on the latest 8+ Nimbus library, and it is affected by this bug.
The bug has been fixed in Nimbus version 9+, and it would be good to have the changes backported to version 8+ and released so that we can upgrade our Spring Security installation.
In detail:
RFC 8705 (https://datatracker.ietf.org/doc/html/rfc8705) introduces a new mechanism that allows OAuth2 servers to bind tokens to certificates used by OAuth2 clients making mutual TLS connections. For this purpose, the RFC introduces an optional metadata field called mtls_endpoint_aliases that allows clients to discover the special endpoints to use when making mutual TLS connections.
The com.nimbusds:oauth2-oidc-sdk:jar:8.36.2 library, which is an upstream dependency of Spring Security, does not correctly parse the value of the mtls_endpoint_aliases field.
Thanks a lot for your attention.
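How a mutual-TLS client is supposed to consume mtls_endpoint_aliases, as an added example that is not part of this issue, of the Nimbus SDK, or of Spring Security: a small Python reference parser for the RFC 8705 section 5 field. The discovery document is constructed for the example (the as.example.com and mtls.example.com hosts are placeholders), and the https-only check on alias URLs is this example's own hardening rather than something the RFC mandates. Feeding the same JSON to a library such as the Nimbus SDK and comparing its parsed aliases against what this parser returns is one way to build the concrete reproduction a maintainer would ask for.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document (not from any real server): the usual
# top-level endpoints plus an RFC 8705 "mtls_endpoint_aliases" object that
# overrides two of them for clients that connect with mutual TLS.
SAMPLE_METADATA_JSON = """{
  "issuer": "https://as.example.com",
  "authorization_endpoint": "https://as.example.com/authorize",
  "token_endpoint": "https://as.example.com/token",
  "introspection_endpoint": "https://as.example.com/introspect",
  "revocation_endpoint": "https://as.example.com/revoke",
  "jwks_uri": "https://as.example.com/jwks",
  "tls_client_certificate_bound_access_tokens": true,
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://mtls.example.com/token",
    "revocation_endpoint": "https://mtls.example.com/revoke",
    "not_an_endpoint": "ignored by clients"
  }
}"""


def _is_https_url(value) -> bool:
    """True for an absolute https URL with a host. The https requirement is
    this example's hardening: an mTLS endpoint cannot be plain http anyway."""
    if not isinstance(value, str):
        return False
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def parse_mtls_endpoint_aliases(metadata: dict) -> dict:
    """Extract the RFC 8705 section 5 alias map from parsed server metadata.

    Returns {} when the optional field is absent. Raises ValueError when the
    field is present but is not a JSON object: a client that silently accepted
    a malformed value could end up presenting its client certificate, and
    certificate-bound tokens, to the wrong endpoint. Entries whose key is not
    an endpoint name or whose value is not an https URL are dropped, following
    the RFC's guidance that clients ignore such entries.
    """
    raw = metadata.get("mtls_endpoint_aliases")
    if raw is None:
        return {}
    if not isinstance(raw, dict):
        raise ValueError("mtls_endpoint_aliases must be a JSON object, got %s"
                         % type(raw).__name__)
    aliases = {}
    for key, value in raw.items():
        if not key.endswith("_endpoint"):
            continue
        if not _is_https_url(value):
            continue
        aliases[key] = value
    return aliases


def resolve_endpoint(metadata: dict, name: str, use_mtls: bool) -> str:
    """Pick the URL a client should call for the endpoint called `name`.

    An mTLS client uses the alias when one is advertised and otherwise falls
    back to the top-level value; a non-mTLS client always uses the top level.
    """
    if use_mtls:
        aliases = parse_mtls_endpoint_aliases(metadata)
        if name in aliases:
            return aliases[name]
    url = metadata.get(name)
    if not _is_https_url(url):
        raise ValueError("metadata has no https URL for %s" % name)
    return url


def load_metadata(text: str) -> dict:
    """Parse a discovery document and validate the alias field up front."""
    metadata = json.loads(text)
    if not isinstance(metadata, dict):
        raise ValueError("metadata document must be a JSON object")
    parse_mtls_endpoint_aliases(metadata)  # fail fast on a malformed field
    return metadata


if __name__ == "__main__":
    meta = load_metadata(SAMPLE_METADATA_JSON)
    for ep in ("token_endpoint", "introspection_endpoint", "revocation_endpoint"):
        print(ep, "mtls ->", resolve_endpoint(meta, ep, True),
              "| plain ->", resolve_endpoint(meta, ep, False))
```

Note the asymmetry the resolver enforces: the token and revocation endpoints move to the mTLS host, while introspection_endpoint, which has no alias, stays at the top-level URL. A library that parses the aliases object incorrectly would typically show up here as either an exception on load_metadata's equivalent or as the plain token endpoint being returned to an mTLS client.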
Comments (3)
-
Hi,
Could you post a concrete Java test that demonstrates the issue? I backported the following test and it ran without issues:
https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/commits/515a28d6b9284e6e2acc8d974f72eb5e1a272cc1
-
I also backported the JSONObjectUtils.parse test from 9.x, again no issues. Note that the bug that you reference was caused by an incomplete upgrade to Nimbus JOSE+JWT 9.0 in SDK v9.0. If we are able to confirm this I will push a fix for you so you can continue work on your project.
-
- changed status to invalid
No feedback / reproduction, closing.