Add support dpop customization #16940

Open
franticticktick opened this issue Apr 15, 2025 · 7 comments · May be fixed by #17202
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Milestone

Comments

@franticticktick
Contributor

Currently dpop can't be configured. OAuth2ResourceServerConfigurer has dPoPAuthenticationConfigurer and it is already initialized with DPoPAuthenticationConfigurer and in configure method it is always applied to http. It would be nice to separate dpop configuration instead of applying it by default.
For example:

		@Bean
		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
			// @formatter:off
			http
				.authorizeHttpRequests((authorize) ->
					authorize.anyRequest().authenticated()
				)
				.oauth2ResourceServer((oauth2ResourceServer) ->
					oauth2ResourceServer
						.jwt(Customizer.withDefaults())
						.dpop(Customizer.withDefaults())
				);
			// @formatter:on
			return http.build();
		}
@franticticktick franticticktick added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Apr 15, 2025
@jgrandja
Contributor

@franticticktick Can you provide some specific use cases on what you need to customize for a DPoP flow?

@jgrandja jgrandja removed the status: waiting-for-triage An issue we've not yet triaged label Apr 15, 2025
@franticticktick
Contributor Author

@jgrandja Firstly, it would be nice if dpop were optional; now it is always enabled. Secondly, the same Authorization header is specified everywhere. It is standard, but it can be different, which is a normal situation. That is, at least I want to be able to customize authenticationConverter and requestMatcher. In addition, I may need additional auditing of successful authentication, and for that I need a custom AuthenticationSuccessHandler.
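As an added illustration of the requestMatcher customization asked for above (not code from this issue or from Spring Security), the following matcher selects only requests that present a DPoP-bound token via the "DPoP" Authorization scheme defined in RFC 9449, built on Spring Security's existing RequestMatcher interface; the class name is an assumption.

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Illustrative matcher (hypothetical, not part of Spring Security): matches
 * requests whose Authorization header uses the "DPoP" scheme (RFC 9449),
 * so that only those requests are routed to DPoP authentication while plain
 * "Bearer" requests stay with the regular resource-server path.
 */
public final class DPoPSchemeRequestMatcher implements RequestMatcher {

	private static final String DPOP_SCHEME = "DPoP";

	@Override
	public boolean matches(HttpServletRequest request) {
		String authorization = request.getHeader("Authorization");
		if (authorization == null) {
			return false;
		}
		String value = authorization.trim();
		// Require "DPoP" followed by whitespace and a non-empty token;
		// "DPoPx ..." or a bare "DPoP" must not match.
		if (value.length() <= DPOP_SCHEME.length()) {
			return false;
		}
		// Authentication scheme names are case-insensitive (RFC 9110).
		boolean schemeMatches = value.regionMatches(true, 0, DPOP_SCHEME, 0, DPOP_SCHEME.length());
		if (!schemeMatches || !Character.isWhitespace(value.charAt(DPOP_SCHEME.length()))) {
			return false;
		}
		return !value.substring(DPOP_SCHEME.length()).trim().isEmpty();
	}
}
```

Whether the accompanying DPoP proof header is present and valid is deliberately left to the authentication converter and provider, so that a DPoP-scheme request with a missing proof still receives a proper error response rather than silently falling through to another configurer.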

@franticticktick
Contributor Author

@jgrandja I can prepare a PR if this ticket is relevant.

@jgrandja jgrandja added this to the 7.0.x milestone Apr 15, 2025
@jgrandja jgrandja added the in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) label Apr 15, 2025
@jgrandja
Contributor

Thank you @franticticktick. I've assigned it to you.

No rush as this is scheduled for 7.0.x.

@pheyken

pheyken commented May 23, 2025

Hi @franticticktick & @jgrandja,

While trying out spring-boot 3.5.0 (which includes spring-security 6.5.0), we noticed that our setup does not work anymore due to the auto init of DPoP.

We are using the oauth 2.0 resource server with an OpaqueTokenIntrospector and not JWT, therefore we do not have spring-security-oauth2-jose as a dependency and the classes are not on the class path during runtime.

A ClassNotFoundException (org.springframework.security.oauth2.jwt.JwtException) is thrown during start-up while configuring DPoP.

In the end there are three possible solutions for us:

  • We just include spring-security-oauth2-jose as a dependency; however, this would be a temporary mitigation.
  • DPoP is only configured in case JWT is enabled / spring-security-oauth2-jose is on the class path.
  • There is an option to disable DPoP.

Due to the third option I figured this could be part of this issue and I opted to comment first instead of creating a separate issue.

Please let me know if you think this should be a separate issue, or if I can support in any way here.

@franticticktick
Contributor Author

Hi @pheyken. Indeed, such a problem exists, but it seems to me that this is a rather rare case. If you have a stable working solution, then it would be good if you wait until we finish working on this ticket. If this problem turns out to be widespread, then we can consider the possibility of disabling dpop.

@jgrandja
Contributor

@pheyken As you already noticed, DPoP is enabled by default and it does require the spring-security-oauth2-jose dependency. There is no way to disable DPoP so as a temporary workaround you need to include spring-security-oauth2-jose dependency. This ticket will address the 3rd option:

there is an option to disable DPoP

franticticktick added a commit to franticticktick/spring-security that referenced this issue Jun 3, 2025
@franticticktick franticticktick linked a pull request Jun 3, 2025 that will close this issue