OAuth2 clients are classified as confidential or public according to their ability to authenticate securely with the authorization server.

The confidential type holds a password credential of its own, for example a web server backend; the public type has no password credential, and pure browser front-end applications or mobile client applications usually fall into this category. Either way, every client has a client ID (client_id).

OAuth2 Client authentication

When an OAuth2 client performs sensitive operations during authorization (such as token requests, token introspection requests and token revocation requests), it must authenticate itself to the authorization server, so that the server can be sure the client has not been substituted midway through the flow.

Client authentication mode

The client authentication modes are as follows:

The earlier Gitee DEMO uses the outdated POST way; the WeChat DEMO uses a way that is not standard OAuth2; the current Spring Authorization Server DEMO uses client_secret_basic. Of the remaining ways, client_secret_jwt and private_key_jwt both protect the client's authentication information and offer higher security. Spring Security and Spring Authorization Server currently support both of these methods.

client_secret_jwt

In client_secret_jwt mode, the OAuth2 client uses its own client_secret as the key for the HmacSHA256 algorithm to construct a SecretKey:

import java.nio.charset.StandardCharsets;
import javax.crypto.spec.SecretKeySpec;
byte[] pin = clientSecret.getBytes(StandardCharsets.UTF_8);
SecretKeySpec secretKey = new SecretKeySpec(pin, "HmacSHA256");

This SecretKey is then used to sign a JWT carrying the OAuth2 client's information. The JWT is sent along with the token request of the authorization code flow, and the authorization server uses it to authenticate the client. The request looks like this:

POST /oauth2/token HTTP/1.1
Host: oauth2_client.felord.cn
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=<your JWT>

After receiving the request, the authorization server verifies the JWT using the client_secret it holds for that OAuth2 client, and thereby authenticates the client. The client_secret itself is never transmitted, which protects it even in non-HTTPS environments.

Note that here the OAuth2 client key (client_secret) must be at least 256 bits long.
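The following is an added, runnable Python sketch of the client_secret_jwt exchange described above; it is not code from the original post or from Spring Authorization Server. The client builds the assertion as an HS256 JWT keyed with its client_secret (the same UTF-8 bytes the Java SecretKeySpec wraps), and the authorization server recomputes the MAC from the secret registered for that client_id and checks the claims, enforcing the 256-bit minimum along the way. The client_id, secret and the token endpoint used as the aud claim are constructed sample values.

```python
import base64, hashlib, hmac, json, time, uuid

TOKEN_ENDPOINT = "https://oauth2_client.felord.cn/oauth2/token"  # assumed aud value
MIN_SECRET_BITS = 256  # minimum client_secret length for HmacSHA256, as the post states

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(client_id: str, client_secret: str, now=None) -> str:
    """Client side: HS256 JWT keyed with client_secret, carrying the RFC 7523 claims."""
    key = client_secret.encode("utf-8")  # the same bytes the Java SecretKeySpec wraps
    if len(key) * 8 < MIN_SECRET_BITS:
        raise ValueError("client_secret must be at least 256 bits for HmacSHA256")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "iat": now, "exp": now + 60, "jti": str(uuid.uuid4())}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_client_assertion(assertion: str, registered: dict, now=None) -> str:
    """Authorization server side: return the authenticated client_id or raise ValueError."""
    try:
        h, c, s = assertion.split(".")
        header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)
    except Exception:
        raise ValueError("malformed assertion")
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    client_id = claims.get("iss")
    secret = registered.get(client_id)  # the secret comes from server-side registration only
    if secret is None or claims.get("sub") != client_id:
        raise ValueError("unknown client")
    expected = hmac.new(secret.encode("utf-8"), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("aud") != TOKEN_ENDPOINT or claims.get("exp", 0) <= now:
        raise ValueError("wrong audience or expired")
    return client_id
```

A production server would additionally remember each jti until its exp passes so the same assertion cannot be replayed.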

private_key_jwt

The only difference between private_key_jwt and client_secret_jwt is how the JWT is generated. In this mode the OAuth2 client no longer needs a client_secret at all. It only needs an RSA or EC key pair: the JWT is signed with the private key, and the public key is provided to the authorization server, usually through a JWK Set URL (jwkSetUrl). The details of this approach have been explained in my article on the JOSE specifications and will not be repeated here. In this way, the client's authentication information can be transmitted even more securely. I personally prefer this method.

tls_client_auth

This is more advanced: it relies on the TLS security layer to authenticate OAuth2 clients at the transport level, using certificates issued by trusted CAs. This approach operates largely outside the application layer and is non-invasive.

self_signed_tls_client_auth

This is also in the TLS security layer, but it uses self-signed X.509 certificates.

Conclusion

Most tutorials on the market only mention the outdated POST mode and the client_secret_basic and client_secret_post modes, with little mention of the latter five. I've already implemented private_key_jwt and client_secret_jwt. Please subscribe to my Spring Security OAuth2 column for more details. These OAuth2 client authentication methods have different advantages in different scenarios, and you can choose among them according to the security level you need.

Follow our public account: Felordcn for more information

Personal blog: https://felord.cn