You may not know the authentication methods of these OAuth2 clients

OAuth2 clients are classified as Confidential or Public according to whether they can authenticate securely to the authorization server.

The confidential type holds a password-style credential (a client secret), for example a web-server backend program; the public type has no such credential, and pure browser front-end applications or mobile client applications mostly fall into this type. Either way, every client has a client ID (client_id).

OAuth2 Client Authentication

During the sensitive steps of an OAuth2 authorization flow (the token request, the token introspection request and the token revocation request), the client must authenticate itself to the authorization server so that the client's identity cannot be spoofed midway.

Client authentication methods

The current client authentication methods are as follows:

[Figure: ClientAuthenticationMethod.png]

The earlier Gitee demo uses the outdated POST method; the WeChat demo uses a method that is not part of the OAuth2 standard; the current Spring Authorization Server demo uses client_secret_basic. Of the remaining methods, client_secret_jwt and private_key_jwt are the most commonly used. Both protect the client's authentication information well and offer higher security, and both are currently supported by Spring Security and Spring Authorization Server.

client_secret_jwt

With client_secret_jwt, the OAuth2 client turns its own client_secret into the SecretKey for the HmacSHA256 algorithm:

import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// The raw client_secret bytes become the HMAC key; HS256 needs at least 256 bits (32 bytes)
byte[] pin = clientSecret.getBytes(StandardCharsets.UTF_8);
SecretKey secretKey = new SecretKeySpec(pin, "HmacSHA256");

Then a JWT carrying the OAuth2 client information is signed with this SecretKey and sent along with the authorization-code token request, so that the authorization server can authenticate the client. The request looks like this:

     POST /oauth2/token HTTP/1.1
     Host: oauth2_client.felord.cn
     Content-Type: application/x-www-form-urlencoded

     grant_type=authorization_code&
     code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&
     client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
     client_assertion=<your JWT>

After receiving the request, the authorization server decodes and verifies the JWT with the OAuth2 client's client_secret in order to authenticate the client. This approach protects the client_secret well when the request travels over a non-HTTPS connection, because the secret itself is never transmitted.

Note that the OAuth2 client's secret (client_secret) must be at least 256 bits long here.
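To make the client_secret_jwt exchange concrete, here is an added example (not from the original post or from Spring) that builds the client_assertion with HS256 on the client side and verifies it on the authorization-server side using only the Python standard library. The client_id, secret and token endpoint are constructed sample values; the claim set (iss, sub, aud, jti, exp) follows the JWT client-assertion profile.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_client_assertion(client_id, client_secret, token_endpoint, now, lifetime=60):
    """Client side: sign a JWT with HS256 keyed by client_secret (client_secret_jwt)."""
    key = client_secret.encode("utf-8")           # same bytes as the Java SecretKeySpec above
    if len(key) * 8 < 256:                        # HS256 needs a key of at least 256 bits
        raise ValueError("client_secret must be at least 256 bits long")
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)

def verify_client_assertion(assertion, registered_secrets, token_endpoint, now, seen_jti=None):
    """Authorization-server side: return the authenticated client_id, or None on any failure."""
    try:
        h, c, s = assertion.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        signature = _b64url_decode(s)
    except ValueError:
        return None                               # malformed assertion
    if header.get("alg") != "HS256":              # pin the algorithm; never accept "none" or a swap
        return None
    secret = registered_secrets.get(claims.get("iss"))
    if secret is None:
        return None                               # unknown client
    expected = hmac.new(secret.encode("utf-8"), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                               # wrong secret or tampered token
    if claims.get("sub") != claims.get("iss") or claims.get("aud") != token_endpoint:
        return None                               # assertion meant for another client or server
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                               # expired
    if seen_jti is not None:                      # optional replay protection within the exp window
        if claims.get("jti") in seen_jti:
            return None
        seen_jti.add(claims.get("jti"))
    return claims["iss"]
```

The returned value is what the authorization server would treat as the authenticated client_id before continuing with the code exchange.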

private_key_jwt

The only difference between private_key_jwt and client_secret_jwt is how the JWT is generated. With this approach the OAuth2 client no longer needs a client_secret: it only configures an RSA or EC key pair and uses the private key to sign the JWT. It also has to make its public key available to the authorization server, usually via a jwkSetUrl. I have already covered the details of this approach in my articles on the JOSE specifications, so I will not repeat them here. It transmits the client's authentication information more securely and is the method I personally prefer.

tls_client_auth

This one is more advanced. It builds on the TLS security layer and authenticates the OAuth2 client at the HTTP protocol level, using certificates issued by a trusted CA. The approach is essentially decoupled from the application layer and is non-intrusive.

self_signed_tls_client_auth

This one also works at the TLS security layer, but it uses a self-signed X.509 certificate instead.

Summary

Most tutorials on the market only cover the outdated POST method together with client_secret_basic and client_secret_post, and rarely touch the latter five. Brother Fat has implemented private_key_jwt and client_secret_jwt; for details, please subscribe to my Spring Security OAuth2 column. These OAuth2 client authentication methods each have their advantages in different scenarios, so you can choose the one that matches the security level you need.

Follow the WeChat official account Felordcn for more updates.

Personal blog: https://felord.cn

Origin juejin.im/post/7080037390370226184