Commit 2e2554a

Document OidcIdTokenDecoderFactory
Fixes gh-7399
1 parent 9b40ce6 commit 2e2554a

File tree

1 file changed

+31
-0
lines changed
docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-login.adoc

Lines changed: 31 additions & 0 deletions
@@ -957,3 +957,34 @@ public class OAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
957957
}
958958
}
959959
----
960+
961+
962+
[[oauth2login-advanced-idtoken-verify]]
963+
==== ID Token Signature Verification
964+
965+
OpenID Connect 1.0 Authentication introduces the https://openid.net/specs/openid-connect-core-1_0.html#IDToken[ID Token], which is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when used by a Client.
966+
967+
The ID Token is represented as a https://tools.ietf.org/html/rfc7519[JSON Web Token] (JWT) and MUST be signed using https://tools.ietf.org/html/rfc7515[JSON Web Signature] (JWS).
968+
969+
The `OidcIdTokenDecoderFactory` provides a `JwtDecoder` used for `OidcIdToken` signature verification. The default algorithm is `RS256` but may be different when assigned during client registration.
970+
For these cases, a resolver may be configured to return the expected JWS algorithm assigned for a specific client.
971+
972+
The JWS algorithm resolver is a `Function` that accepts a `ClientRegistration` and returns the expected `JwsAlgorithm` for the client, eg. `SignatureAlgorithm.RS256` or `MacAlgorithm.HS256`
973+
974+
The following code shows how to configure the `OidcIdTokenDecoderFactory` `@Bean` to default to `MacAlgorithm.HS256` for all `ClientRegistration`:
975+
976+
[source,java]
977+
----
978+
@Bean
979+
public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
980+
OidcIdTokenDecoderFactory idTokenDecoderFactory = new OidcIdTokenDecoderFactory();
981+
idTokenDecoderFactory.setJwsAlgorithmResolver(clientRegistration -> MacAlgorithm.HS256);
982+
return idTokenDecoderFactory;
983+
}
984+
----
985+
986+
[NOTE]
987+
For MAC based algorithms such as `HS256`, `HS384` or `HS512`, the `client-secret` corresponding to the `client-id` is used as the symmetric key for signature verification.
988+
989+
[TIP]
990+
If more than one `ClientRegistration` is configured for OpenID Connect 1.0 Authentication, the JWS algorithm resolver may evaluate the provided `ClientRegistration` to determine which algorithm to return.
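Review bot: the sentence at new line 972 ("The JWS algorithm resolver is a `Function` ...") ends without a period and uses "eg." where the rest of the manual's prose uses "e.g."; suggest "... for the client, e.g. `SignatureAlgorithm.RS256` or `MacAlgorithm.HS256`." Also, at new line 974, "for all `ClientRegistration`" reads awkwardly as a singular; "for every `ClientRegistration`" would match the example, which ignores the `clientRegistration` parameter and returns `MacAlgorithm.HS256` unconditionally. Since the NOTE at line 987 explains that a MAC-based algorithm turns the `client-secret` into the verification key, it may be worth stating next to the example (rather than only in the TIP) that a blanket resolver like this one is appropriate only when every registered client is actually issued HS256-signed ID Tokens, and that mixed deployments should branch on the provided `ClientRegistration`.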