将spring-security-oauth2授权服务器与kid和JWKS一起使用? [英] Using spring-security-oauth2 Authorization Server with kid and JWKS?

问题描述

按照文档此处和有，我设法设置一个授权服务器，该服务器给出用非对称密钥签名的JWT访问令牌，这些令牌由资源服务器使用公共密钥的本地副本在本地进行验证.到目前为止一切顺利.

Following the documentation here and there, I managed to setup an Authorization Server that gives out JWT access tokens signed with asymmetric key, which are verified locally by a Resource Server using a local copy of the public key. So far so good.

我的最终目标是让资源服务器使用授权服务器上的JWKS端点，并使用JWT中的"kid"标头在JWKS中查找正确的密钥并在本地进行验证，以支持密钥旋转. 我发现

My final goal is for Resource Servers to use the JWKS endpoint on the Authorization Server, and use the 'kid' header in the JWT to lookup the right key in the JWKS and verify locally, supporting key rotation. I've found how to make the Authorization Server expose a JWKS endpoint, and also how to specify the key-set-uri for the resource server.

但是，似乎没有办法

• 在JWKS中发布孩子(密钥ID)值
• 在JWT中包含kid标头

有没有办法做到这一点?

Is there a way to do this?

推荐答案

我找到了一种在jwks端点中设置孩子的方法:

I found a way to set the kid in jwks endpoint:

@FrameworkEndpoint
public class JwkSetEndpoint {
    private final KeyPair keyPair;

    public JwkSetEndpoint(KeyPair keyPair) {
        this.keyPair = keyPair;
    }

    @GetMapping("/.well-known/jwks.json")
    @ResponseBody
    public Map<String, Object> getKey() {
        RSAPublicKey publicKey = (RSAPublicKey) this.keyPair.getPublic();
        RSAKey key = new RSAKey.Builder(publicKey)
                .keyID("YOUR_KID_HERE")
                .keyUse(KeyUse.SIGNATURE).build();
        return new JWKSet(key).toJSONObject();
    }
}

我没有找到一种在JWT标头中进行设置的方法.

What I did not find was a way to set it in the header of JWT.

这篇关于将spring-security-oauth2授权服务器与kid和JWKS一起使用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！