From 13c5c6efb14addd4c9f45aeb124bf54044d2526d Mon Sep 17 00:00:00 2001
From: Bikash Adhikari <77648128+bikash30851@users.noreply.github.com>
Date: Thu, 4 May 2023 11:46:57 -0500
Subject: [PATCH 1/2] Document audience support in Oauth2 resource server
See gh-35286
---
 .../src/docs/asciidoc/web/spring-security.adoc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
index c544282a03..5ec07d7b03 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
@@ -223,7 +223,22 @@ Again, the same properties are applicable for both servlet and reactive applicat
 Alternatively, you can define your own `OpaqueTokenIntrospector` bean for servlet applications or a `ReactiveOpaqueTokenIntrospector` for reactive applications.
+To enable audience validation, set the `configprop:spring.security.oauth2.resourceserver.jwt.audiences[]` property in your Spring Boot application
+configuration file. This property specifies the expected value(s) of the aud claim in JWTs.
+
+For example, to expect the JWTs to contain an aud claim with the value `my-audience`, you can add the following line to your
+application.properties file:
+
+[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
+----
+ spring:
+ security:
+ oauth2:
+ resourceserver:
+ jwt:
+ audiences:
+ - "my-audience"
+----
 [[web.security.oauth2.authorization-server]]
 ==== Authorization Server
From f452a8617518184940c47d72116850af565362cf Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Thu, 25 May 2023 14:11:44 +0100
Subject: [PATCH 2/2] Polish "Document audience support in Oauth2 resource server"
See gh-35286
---
 .../docs/asciidoc/web/spring-security.adoc | 31 +++++++++----------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
index 5ec07d7b03..011a570c1c 100644
--- a/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
+++ b/spring-boot-project/spring-boot-docs/src/docs/asciidoc/web/spring-security.adoc
@@ -201,8 +201,21 @@ For JWT configuration, a JWK Set URI or OIDC Issuer URI needs to be specified, a
 NOTE: If the authorization server does not support a JWK Set URI, you can configure the resource server with the Public Key used for verifying the signature of the JWT. This can be done using the configprop:spring.security.oauth2.resourceserver.jwt.public-key-location[] property, where the value needs to point to a file containing the public key in the PEM-encoded x509 format.
-The same properties are applicable for both servlet and reactive applications.
+The configprop:spring.security.oauth2.resourceserver.jwt.audiences[] property can be used to specifify the expected values of the aud claim in JWTs.
+For example, to require JWTs to contain an aud claim with the value `my-audience`:
+[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
+----
+ spring:
+ security:
+ oauth2:
+ resourceserver:
+ jwt:
+ audiences:
+ - "my-audience"
+----
+
+The same properties are applicable for both servlet and reactive applications.
 Alternatively, you can define your own `JwtDecoder` bean for servlet applications or a `ReactiveJwtDecoder` for reactive applications.
 In cases where opaque tokens are used instead of JWTs, you can configure the following properties to validate tokens through introspection:
@@ -220,25 +233,9 @@ In cases where opaque tokens are used instead of JWTs, you can configure the fol
 ----
 Again, the same properties are applicable for both servlet and reactive applications.
-
 Alternatively, you can define your own `OpaqueTokenIntrospector` bean for servlet applications or a `ReactiveOpaqueTokenIntrospector` for reactive applications.
-To enable audience validation, set the `configprop:spring.security.oauth2.resourceserver.jwt.audiences[]` property in your Spring Boot application
-configuration file. This property specifies the expected value(s) of the aud claim in JWTs.
-
-For example, to expect the JWTs to contain an aud claim with the value `my-audience`, you can add the following line to your
-application.properties file:
-[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
-----
- spring:
- security:
- oauth2:
- resourceserver:
- jwt:
- audiences:
- - "my-audience"
-----
 [[web.security.oauth2.authorization-server]]
 ==== Authorization Server