Implementation of OAuth2GrantType for authorization grant based on RFC 7523 #43444

@mposolda

Description


Implementation of the OAuth2GrantType to implement RFC 7523 jwt-bearer grant. This implementation can perhaps do some very basic checks, but most of the work might be done by identity provider (and eventually client policies).

Grant can look up the identity provider based on the iss claim (required per RFC 7523).

Identity provider will need to implement some dedicated interface, which might also be introduced as part of this issue (e.g. AuthorizationGrantProvider), to signal that a particular identity provider is capable of acting as a "trust relationship" provider for verifying RFC 7523 based assertions. Initially maybe OIDCIdentityProvider can implement this interface and provide very basic validations of claims based on RFC 7523 (aud) and verify the signature based on its keys (obtained from keys configured for the identity provider with JWKS_URL or JWKS or something similar).

The implementation of the verifications can maybe be done on AbstractOAuth2IdentityProvider, which is the superclass of OIDCIdentityProvider as well as OAuth2IdentityProvider.

Verification of claims like exp, iat, nbf can probably be done in a similar way as for JWT client authentication (including support for "clock skew" etc.). It will be good to double-check the existing building blocks used for JWT client authentication as well as the SPIFFE implementation and make sure that checks and building blocks can be re-used instead of copy/pasting the code and implementing the same checks again in different ways (which can also be bad for consistency etc.).
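An added example (not Keycloak's code and not part of this issue) showing the checks described above as a standalone validator: issuer lookup, signature verification with the issuer's key, aud, and exp/nbf/iat with clock skew. It assumes a constructed issuer-to-key table and HS256 so it runs offline; a real provider would verify asymmetric signatures against its configured JWKS.

```python
import base64, hashlib, hmac, json, time

# Constructed trust store: issuer -> verification key. It stands in for the
# identity provider's configured JWKS; HS256 is used only so this runs offline.
TRUSTED_ISSUERS = {"https://idp.example/": b"constructed-shared-secret"}
TOKEN_ENDPOINT = "https://kc.example/realms/demo/protocol/openid-connect/token"
CLOCK_SKEW = 30  # seconds of tolerated clock skew, as for JWT client auth

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(claims: dict, key: bytes) -> str:
    # Builds the client's jwt-bearer assertion (helper for the example only)
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def validate_assertion(assertion: str, now=None) -> dict:
    """Return verified claims, or raise ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    try:
        hdr_b64, body_b64, sig_b64 = assertion.split(".")
        hdr, claims = json.loads(b64url_decode(hdr_b64)), json.loads(b64url_decode(body_b64))
        if not (isinstance(hdr, dict) and isinstance(claims, dict)) or hdr.get("alg") != "HS256":
            raise ValueError
    except ValueError:
        raise ValueError("malformed assertion or unsupported alg")
    # 1. iss is REQUIRED and selects the trusted identity provider (and its key)
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown or missing iss")
    # 2. Verify the signature with that provider's key before trusting any claim
    expected = hmac.new(key, f"{hdr_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. aud must name this authorization server (string or list form)
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include the token endpoint")
    # 4. Time claims with skew tolerance: exp REQUIRED, nbf and iat optional
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("missing exp or assertion expired")
    if now + CLOCK_SKEW < claims.get("nbf", now) or claims.get("iat", now) > now + CLOCK_SKEW:
        raise ValueError("nbf/iat outside the allowed window")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims
```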

As part of this issue, we can introduce a new feature, which would initially be Experimental.

Tests

The initial automated tests might be added as well. Likely to the new testsuite where SPIFFE is already tested.

Non-goals

The configuration will not be introduced as part of this issue to client or identity provider. There will be follow-up issues for the configuration. There would be also client policies as a follow-up for fine-grained checks.

The documentation is also out of scope of this issue.
