Currently DPoP can't be configured. `OAuth2ResourceServerConfigurer` has `dPoPAuthenticationConfigurer`, and it is already initialized with `DPoPAuthenticationConfigurer`; in the `configure` method it is always applied to `http`. It would be nice to separate DPoP configuration instead of applying it by default.
For example:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Bean
SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
	// @formatter:off
	http
		.authorizeHttpRequests((authorize) ->
			authorize.anyRequest().authenticated()
		)
		.oauth2ResourceServer((oauth2ResourceServer) ->
			oauth2ResourceServer
				.jwt(Customizer.withDefaults())
				// proposed: DPoP opted into explicitly instead of applied by default
				.dpop(Customizer.withDefaults())
		);
	// @formatter:on
	return http.build();
}
```
Comment From: jgrandja
@franticticktick Can you provide some specific use cases on what you need to customize for a DPoP flow?
Comment From: franticticktick
@jgrandja Firstly, it would be nice if DPoP was optional; now it is always enabled. Secondly, the same `Authorization` header is specified everywhere. It is standard, but it can be different, which is a normal situation. That is, at least I want to be able to customize `authenticationConverter` and `requestMatcher`. In addition, I may need additional audit of successful authentication, and I need a custom `AuthenticationSuccessHandler`.
Comment From: franticticktick
@jgrandja I can prepare a PR if this ticket is relevant.
Comment From: jgrandja
Thank you @franticticktick. I've assigned it to you.
No rush as this is scheduled for 7.0.x.
Comment From: pheyken
Hi @franticticktick & @jgrandja,
while trying out spring-boot 3.5.0 (which includes spring-security 6.5.0) we noticed that our setup does not work anymore due to the auto init of DPoP.
We are using the OAuth 2.0 resource server with an `OpaqueTokenIntrospector` and not JWT; therefore we do not have `spring-security-oauth2-jose` as a dependency and the classes are not on the class path during runtime.
A `ClassNotFoundException` (`org.springframework.security.oauth2.jwt.JwtException`) is thrown during start-up while configuring DPoP.
In the end there are three possible solutions for us:
- we just include `spring-security-oauth2-jose` as a dependency. However, this would be a temporary mitigation
- DPoP is only configured in case of JWT being enabled / `spring-security-oauth2-jose` on the class path
- there is an option to disable DPoP
Due to the third option I figured this could be part of this issue, and I opted to comment first instead of creating a separate issue.
Please let me know if you think this should be a separate issue, or if I can support in any way here.
Comment From: franticticktick
Hi @pheyken Indeed, such a problem exists. But it seems to me that this is a rather rare case. If you have a stable working solution, then it would be good if you wait until we finish working on this ticket. If this problem is still widespread, then we can consider the possibility of disabling DPoP.
Comment From: jgrandja
@pheyken As you already noticed, DPoP is enabled by default and it does require the `spring-security-oauth2-jose` dependency. There is no way to disable DPoP, so as a temporary workaround you need to include the `spring-security-oauth2-jose` dependency. This ticket will address the 3rd option:
> there is an option to disable DPoP
Comment From: jgrandja
@pheyken Please see comment