Spring-security: Support JWT as an Authorization Grant for client

Created on 7 Nov 2018 · 10 Comments · Source: spring-projects/spring-security

This feature will partially implement JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants.

Section 2.1. Using JWTs as Authorization Grants will be the focus for this feature implementation.

JWT Bearer Token can be used to request an access token when a client wishes to utilize an existing trust relationship, expressed through the semantics of the JWT, without a direct user-approval step at the authorization server.

One of the primary use cases for using a JWT as an authorization grant is to _exchange_ it for another JWT (at the Token Endpoint) with narrowed scope. This is useful when a service (a) wants to call another downstream service (b) with only the scope that service (b) understands (supports).

NOTE: This ticket addresses client-side support only.

Related #6881 #5199

oauth2 enhancement
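The exchange described above, a jwt-bearer token request per RFC 7523 section 2.1 and the checks a token endpoint applies before issuing a narrowed-scope token, as an added Python example that is not part of this issue or of Spring Security. The endpoint URL, the shared key and the claims are constructed, and HS256 stands in for the asymmetric client key a real deployment would use.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://as.example.test/oauth2/token"  # constructed value
SHARED_KEY = b"constructed-hs256-key-for-demo-only"       # constructed value

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 for brevity; RFC 7523 deployments normally use the client's asymmetric key."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def build_token_request(assertion: str, scope: str) -> str:
    """Form body that service (a) POSTs to the token endpoint (RFC 7523 section 2.1)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})

def handle_token_request(body: str, key: bytes, now=None) -> dict:
    """Token-endpoint side: validate the assertion, then issue a narrowed-scope token.
    Returns the RFC 6749 token response, or an error object on failure."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != JWT_BEARER or "assertion" not in form:
        return {"error": "invalid_request"}
    parts = form["assertion"].split(".")
    if len(parts) != 3:
        return {"error": "invalid_grant"}
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(parts[2])):
        return {"error": "invalid_grant"}  # signature does not verify
    claims = json.loads(_unb64(parts[1]))
    # RFC 7523 section 3: iss, sub, aud and exp are required; aud must name this endpoint
    if any(c not in claims for c in ("iss", "sub", "aud", "exp")):
        return {"error": "invalid_grant"}
    if claims["aud"] != TOKEN_ENDPOINT or claims["exp"] <= now:
        return {"error": "invalid_grant"}
    granted = set(claims.get("scope", "").split())
    requested = set(form.get("scope", "").split()) or granted
    if not requested <= granted:  # an exchange may only narrow scope, never widen it
        return {"error": "invalid_scope"}
    scope = " ".join(sorted(requested))
    token = sign_jwt({**claims, "scope": scope, "exp": now + 300}, key)
    return {"access_token": token, "token_type": "Bearer", "scope": scope}
```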

All 10 comments

Would be great have this feature targeting next milestone.

@gandrade We've been working hard on the upcoming 5.2.0 release (scheduled Sep 19), and it's looking like I won't be able to get to this feature in time. There have been quite a few other priority items that I've been working on.

It would likely be faster if someone from the community can provide a PR for this feature. Although this is not a trivial feature to implement, it would have a very similar implementation as #7013.

Would you be interested in submitting a PR for this feature? If not, I'll leave this up for someone in the community to pick up.

Hi @jgrandja, if someone was available to support me in clarifying and reviewing the technical design for this feature, then I would like to work on it. I am already familiar with the OAuth 2.0 specs and work daily on security features for enterprise applications. But since it would be my first feature-size task on this project, I could use some guidance.

@ThomasVitale Thanks for the offer! I actually have a POC in this sample.

However, I think it would still be valuable to review the spec and the POC code to determine if there is any other work left to do. I believe it's pretty close to being done but there may be other work that needs to be completed.

Let me know what you think.

FYI, the OpenID Foundation Fast Federation Working Group is defining a standard that will require RFC 7523 support. Lack of this in Spring will slow development and adoption of this emerging standard.
https://bitbucket.org/openid/fastfed/src/master/text_spec/FastFed-1.0-Draft-01.txt

Thanks for the info @matt-domsch-sp. Would you happen to know which providers currently support RFC 7523?

I actually have a POC in this sample.

However, I think it would still be valuable to review the spec and the POC code to determine if there is any other work left to do. I believe it's pretty close to being done but there may be other work that needs to be completed.

@jgrandja Is my interpretation correct that this POC code only applies to the client side and there isn't any work on the authorization server token endpoint side? Is this ticket meant only for client support?

TIA!

@jason-leagueapps Yes, you are correct. This ticket addresses the client support only. I've updated the subject of this ticket to be more clear.

Keycloak also supports this with either a fixed certificate or a JWK callback.
https://github.com/keycloak/keycloak/pull/4835
Keycloak, and in particular the author of this PR, have been doing a lot of work to support FAPI standards (needed by a lot of fintechs).
