OAuth2 clients can be classified into Confidential and Public according to their ability to securely authenticate with the authorization server.
The secret type itself will have a password credential, such as a web server backend program; while the public type does not have a password credential, pure browser front-end applications or mobile client applications mostly belong to this type. Either way, they all have a client ID ( client_id ).
OAuth2 Client Authentication
The client must use the authorization server for client authentication in the sensitive process of executing OAuth2 authorization ( the related processes include token request, token introspection request, and token revocation request ) to ensure that the client will not be transferred in the middle.
Client authentication method
The current client authentication methods are as follows:
The previous demo of Gitee uses the outdated POST method; the WeChat DEMO uses the non- OAuth2 standard method; the current related DEMO of Spring Authorization Server uses the client_secret_basic method. Among the remaining methods, client_secret_jwt and private_key_jwt are used more frequently. These two methods can well protect the authentication information of the client and have higher security. Both methods are currently supported by Spring Security and Spring Authorization Server .
client_secret_jwt
client_secret_jwt The way is that the OAuth2 client uses its own key as the key of the HmacSHA256 algorithm to generate SecretKey :
byte[] pin = clientSecret.getBytes(StandardCharsets.UTF_8);
SecretKeySpec secretKey = new SecretKeySpec(pin,"HmacSHA256"); Then generate a JWT carrying the OAuth2 client information through SecretKey , and carry the JWT in the authorization code request Token link to authorize the server for client authentication. The requested message is:
POST /oauth2/token HTTP/1.1
Host: oauth2_client.felord.cn
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code&
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
client_assertion=你的JWT After receiving the request, the authorization server will decode and verify the JWT through the OAuth2 client's client_secret to authenticate the client. This method can protect the transmission of client_secret in a non- HTTPS environment.
The OAuth2 client's secret ( client_secret ) must be greater than or equal to 256 bits in length.
private_key_jwt
private_key_jwt and client_secret_jwt the only difference is the way the JWT is generated. In this way, the OAuth2 client does not need client_secret , and only needs to configure a pair of RSA or EC key, and generate JWT through the key. The public key also needs to be provided to the authorization server, usually a jwkSetUrl . The details of this method have been explained in detail in the article JOSE specification in the OAuth2 column , and will not be repeated here. This method allows the client's authentication information to be transmitted more securely, which is my personal favorite method.
tls_client_auth
This is more advanced and embeds a TLS security layer to authenticate OAuth2 clients at the HTTP protocol level, involving certificates from trusted CAs . This method is basically separated from the application layer and is a non-invasive method.
self_signed_tls_client_auth
This is also on the TLS security layer, but it uses a self-signed X.509 certificate.
Summarize
Most of the tutorials on the market only mention outdated ones POST The method and client_secret_basic and client_secret_post methods are rarely involved in the latter five. Brother Fat has implemented private_key_jwt and client_secret_jwt . For details, please subscribe to my Spring Security OAuth2 column. These OAuth2 client authentication methods have different advantages in different scenarios. You can choose different OAuth2 client authentication methods according to different security levels.
关注公众号:Felordcn 获取更多资讯
java
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。