Description
http://datatracker.ietf.org/doc/html/draft-ietf-oauth-pop-architecture-08
http://tools.ietf.org/id/draft-ietf-oauth-pop-key-distribution-04.html
Expected Behavior
Proof of possession enables client authentication on requests to resource servers. The OAuth2 authorization server signs a JWT-formatted access token which includes the client's public key. The resource server verifies the access token against the AS JWKS, and also verifies the access token (or some part of it) against the client's public key, which is contained in the cnf (confirmation) claim.
I'm not fully clear on how the client would pass the signature (or shared secret and hash in the case of symmetric), so would need to figure that out for an implementation. Does anyone know a standard for this?
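The two-stage check described above, worked through as an added example that is not part of this issue or of Spring Security: the AS mints an HS256 JWT carrying the client's key in cnf, the client proves possession of that key over the request, and the RS verifies the token against the AS key before checking the proof against the cnf key. The symmetric variant raised in the previous paragraph is used so the example needs only the Python standard library; the request binding (method, path, token hash, nonce) and all keys are constructed assumptions, and a symmetric cnf key would have to be encrypted rather than placed in a plaintext JWT in a real deployment.

```python
import base64, hashlib, hmac, json, time

# Constructed HS256 key shared between the AS and the RS (stands in for the AS JWKS).
AS_KEY = b"constructed-authorization-server-signing-key"

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_pop_token(client_id, pop_key, ttl=300):
    """AS: sign a JWT whose cnf claim carries the client's key (RFC 7800 'jwk' member).
    A symmetric cnf key must be encrypted in a real deployment; it is plaintext here for brevity."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": client_id, "exp": int(time.time()) + ttl,
              "cnf": {"jwk": {"kty": "oct", "k": b64u(pop_key)}}}
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return signing_input + "." + b64u(hmac.new(AS_KEY, signing_input.encode(), hashlib.sha256).digest())

def sign_request(token, pop_key, method, path, nonce):
    """Client: MAC an assumed request binding (method, path, token hash, nonce) with the cnf key."""
    msg = "\n".join([method, path, b64u(hashlib.sha256(token.encode()).digest()), nonce]).encode()
    return b64u(hmac.new(pop_key, msg, hashlib.sha256).digest())

def verify_pop_request(token, proof, method, path, nonce):
    """RS: check the token against the AS key, then the proof against the key bound in cnf.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, c, s = parts
    try:
        if json.loads(b64u_dec(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(AS_KEY, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_dec(s)):
            return None
        claims = json.loads(b64u_dec(c))
        pop_key = b64u_dec(claims["cnf"]["jwk"]["k"])  # missing cnf => plain bearer token, reject
    except (ValueError, KeyError, TypeError):
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    if not hmac.compare_digest(sign_request(token, pop_key, method, path, nonce), proof):
        return None
    return claims
```

A stolen token alone is useless to a caller without the cnf key, and a proof replayed against a different method, path or nonce fails the binding check.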
With some Boot or web integrations, this feature could be enabled easily by a Spring Security user with some variation of the following (reactive) code:
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
class SecurityConfig {
    @Bean
    public SecurityWebFilterChain webFilterChain(ServerHttpSecurity http) {
        // proofOfPossession() is the proposed API; it does not exist in Spring Security today
        http.oauth2ResourceServer().proofOfPossession();
        return http.build();
    }
}
Current Behavior
Would have to implement custom token validation or some such to make it work.
Context
Client-to-resource-server authentication is becoming a best practice in the industry and would enhance Spring Security greatly.