Support OAuth2 client authentication using X.509 certificate

[jgrandja]

The client should have the ability to authenticate with the Authorization Server using X.509 certificate.

See RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

** UPDATE ** (April 23, 2024):

Closing this issue as there are no enhancements required to the framework code as mTLS client authentication is possible by simply configuring the underlying HTTP Client.

The various OAuth2AccessTokenResponseClient implementations already expose a setRestOperations(RestOperations restOperations) method and it is the applications responsibility to configure RestTemplate and it's associated ClientHttpRequestFactory to provide HTTPS-enabled connectors. This is typically configured using a KeyStore that contains the client's X509Certificate.

The same rules apply for WebClient, as the application is responsible for configuring the underlying ClientHttpConnector.

See the Demo Sample in Spring Authorization Server, as the demo-client sample provides example configurations for RestTemplate and WebClient using a keystore.p12 file.

[myspri]

Hello @jgrandja, I have been talking to some security experts(OpenID/OAuth2 spec writers) and got the feedback that using MTLS is the most desirable form of client authentication.

https://tools.ietf.org/html/draft-ietf-oauth-mtls-03

Was wondering if this is still in your radar.
Thanks!

[jgrandja]

@myspri Apologize for the delayed response. Yes, we are still planning on implementing this feature. However, we have not scheduled it as of yet.

[hablutzel1]

Note that the spec has became the standard RFC 8705, "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens".

In the other hand, there are already some open source implementations like the one from IdentityServer4 (see https://github.com/IdentityServer/IdentityServer4/tree/master/samples/Clients/src/ConsoleMTLSClient).

[maskedpirate]

Any updates on if this has been scheduled?

[rwinch]

@maskedpirate No updates. Would you be interested in submitting a pull request?

[praveenbommali]

any update !!!

[greghall76]

I'd love to hear an update on this. I'm interested in running in OpenShift w/ their internal OAuth server. From looking at their oauth-proxy sidecar, I believe OpenShift's OAuth server is expecting a k8s service account client crt as the auth method.

[rwinch]

No updates at this time.

[magnuskkarlsson]

I think I got it to work in Spring Boot 3

All feedback are welcome!

You need to set

spring.security.oauth2.client.registration.keycloak.client-authentication-method = none

so you send client_id in request body, otherwise will the Authorization Server never know from which client the request comes from.

Then add custom truststore and keystore for accessTokenResponseClient. The solution is quite long since Apache HttpComponents HttpClient, ignores standard Java truststore (-Djavax.net.ssl.trustStore) and keystore (-Djavax.net.ssl.keyStore). Otherwise we would be done by only setting client-authentication-method = none

`
@bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http //
...
.oauth2Client(oauth2Client -> oauth2Client //
.authorizationCodeGrant(authorizationCodeGrant -> authorizationCodeGrant //
.accessTokenResponseClient(this.accessTokenResponseClient())));
return http.build();
}

private OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
    DefaultAuthorizationCodeTokenResponseClient accessTokenResponseClient = new DefaultAuthorizationCodeTokenResponseClient();

    // org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient
    RestTemplate restTemplate = new RestTemplate(
            Arrays.asList(new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
    restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());
    try {
        // https://github.com/apache/httpcomponents-client/blob/5.2.x/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java
        SSLContext sslContext = new SSLContextBuilder() //
                .loadKeyMaterial(Path.of(keyStore), keyStorePassword.toCharArray(), keyStorePassword.toCharArray()) //
                .loadTrustMaterial(Path.of(trustStore), trustStorePassword.toCharArray()) //
                .build();

        final SSLConnectionSocketFactory sslSocketFactory = SSLConnectionSocketFactoryBuilder.create() //
                .setSslContext(sslContext) //
                .build();

        final HttpClientConnectionManager cm = PoolingHttpClientConnectionManagerBuilder.create() //
                .setSSLSocketFactory(sslSocketFactory) //
                .build();

        CloseableHttpClient httpClient = HttpClients.custom() //
                .setConnectionManager(cm) //
                .build();

        // "uses https://hc.apache.org/httpcomponents-client-ga Apache HttpComponents HttpClient to create requests"
        ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
        restTemplate.setRequestFactory(requestFactory);
    } catch (Exception e) {
        e.printStackTrace();
    }
    accessTokenResponseClient.setRestOperations(restTemplate);
    return accessTokenResponseClient;
}

`

Complete example https://github.com/magnuskkarlsson/spring-boot-3-oauth2-login-keycloak-mtls

[magnuskkarlsson]

I concluded wrong about Apache HttpClient v5 and org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient

It does not ignore Java truststore (-Djavax.net.ssl.trustStore) and keystore (-Djavax.net.ssl.keyStore) and hence all that is required for mTLS Access Token Request in Authorization Code Flow are:

spring.security.oauth2.client.registration.keycloak.client-authentication-method = none
and java -Djavax.net.ssl.trustStore -Djavax.net.ssl.keyStore ... -jar myjar.jar

[jgrandja]

Closing. Please see comment for update.