Fix DPoP jkt claim to be JWK SHA-256 thumbprint

jgrandja · jgrandja · commit 07f9621b02da · 2025-05-13T16:37:17.000-04:00
Closes gh-2007
diff --git a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/DefaultOAuth2TokenCustomizers.java b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/DefaultOAuth2TokenCustomizers.java
@@ -16,15 +16,13 @@
 package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;
 
 import java.security.MessageDigest;
-import java.security.PublicKey;
 import java.security.cert.X509Certificate;
 import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
-import com.nimbusds.jose.jwk.AsymmetricJWK;
 import com.nimbusds.jose.jwk.JWK;
 
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -91,25 +89,22 @@ private static void customize(OAuth2TokenContext tokenContext, Map<String, Objec
 		// Add 'cnf' claim for OAuth 2.0 Demonstrating Proof of Possession (DPoP)
 		Jwt dPoPProofJwt = tokenContext.get(OAuth2TokenContext.DPOP_PROOF_KEY);
 		if (OAuth2TokenType.ACCESS_TOKEN.equals(tokenContext.getTokenType()) && dPoPProofJwt != null) {
-			PublicKey publicKey = null;
+			JWK jwk = null;
 			@SuppressWarnings("unchecked")
 			Map<String, Object> jwkJson = (Map<String, Object>) dPoPProofJwt.getHeaders().get("jwk");
 			try {
-				JWK jwk = JWK.parse(jwkJson);
-				if (jwk instanceof AsymmetricJWK asymmetricJWK) {
-					publicKey = asymmetricJWK.toPublicKey();
-				}
+				jwk = JWK.parse(jwkJson);
 			}
 			catch (Exception ignored) {
 			}
-			if (publicKey == null) {
+			if (jwk == null) {
 				OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_DPOP_PROOF,
 						"jwk header is missing or invalid.", null);
 				throw new OAuth2AuthenticationException(error);
 			}
 
 			try {
-				String sha256Thumbprint = computeSHA256Thumbprint(publicKey);
+				String sha256Thumbprint = jwk.computeThumbprint().toString();
 				if (cnfClaims == null) {
 					cnfClaims = new HashMap<>();
 				}
@@ -149,10 +144,4 @@ private static String computeSHA256Thumbprint(X509Certificate x509Certificate) t
 		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
 	}
 
-	private static String computeSHA256Thumbprint(PublicKey publicKey) throws Exception {
-		MessageDigest md = MessageDigest.getInstance("SHA-256");
-		byte[] digest = md.digest(publicKey.getEncoded());
-		return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
-	}
-
 }
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationCodeGrantTests.java
@@ -1011,6 +1011,8 @@ public void requestWhenTokenRequestWithDPoPProofThenReturnDPoPBoundAccessToken()
 		@SuppressWarnings("unchecked")
 		Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");
 		assertThat(cnfClaims).containsKey("jkt");
+		String jwkThumbprintClaim = (String) cnfClaims.get("jkt");
+		assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());
 	}
 
 	@Test
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceCodeGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2DeviceCodeGrantTests.java
@@ -605,6 +605,8 @@ public void requestWhenAccessTokenRequestWithDPoPProofThenReturnDPoPBoundAccessT
 		@SuppressWarnings("unchecked")
 		Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");
 		assertThat(cnfClaims).containsKey("jkt");
+		String jwkThumbprintClaim = (String) cnfClaims.get("jkt");
+		assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());
 	}
 
 	private static String generateDPoPProof(String tokenEndpointUri) {
diff --git a/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2RefreshTokenGrantTests.java b/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2RefreshTokenGrantTests.java
@@ -319,6 +319,8 @@ public void requestWhenRefreshTokenRequestWithPublicClientAndDPoPProofThenReturn
 		@SuppressWarnings("unchecked")
 		Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");
 		assertThat(cnfClaims).containsKey("jkt");
+		String jwkThumbprintClaim = (String) cnfClaims.get("jkt");
+		assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());
 	}
 
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -1011,6 +1011,8 @@ public void requestWhenTokenRequestWithDPoPProofThenReturnDPoPBoundAccessToken()`
`1011`	`1011`	`@SuppressWarnings("unchecked")`
`1012`	`1012`	`Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");`
`1013`	`1013`	`assertThat(cnfClaims).containsKey("jkt");`
	`1014`	`+ String jwkThumbprintClaim = (String) cnfClaims.get("jkt");`
	`1015`	`+ assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());`
`1014`	`1016`	`}`
`1015`	`1017`
`1016`	`1018`	`@Test`
Original file line number	Diff line number	Diff line change
`@@ -605,6 +605,8 @@ public void requestWhenAccessTokenRequestWithDPoPProofThenReturnDPoPBoundAccessT`
`605`	`605`	`@SuppressWarnings("unchecked")`
`606`	`606`	`Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");`
`607`	`607`	`assertThat(cnfClaims).containsKey("jkt");`
	`608`	`+ String jwkThumbprintClaim = (String) cnfClaims.get("jkt");`
	`609`	`+ assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());`
`608`	`610`	`}`
`609`	`611`
`610`	`612`	`private static String generateDPoPProof(String tokenEndpointUri) {`
Original file line number	Diff line number	Diff line change
`@@ -319,6 +319,8 @@ public void requestWhenRefreshTokenRequestWithPublicClientAndDPoPProofThenReturn`
`319`	`319`	`@SuppressWarnings("unchecked")`
`320`	`320`	`Map<String, Object> cnfClaims = (Map<String, Object>) authorization.getAccessToken().getClaims().get("cnf");`
`321`	`321`	`assertThat(cnfClaims).containsKey("jkt");`
	`322`	`+ String jwkThumbprintClaim = (String) cnfClaims.get("jkt");`
	`323`	`+ assertThat(jwkThumbprintClaim).isEqualTo(TestJwks.DEFAULT_EC_JWK.toPublicJWK().computeThumbprint().toString());`
`322`	`324`	`}`
`323`	`325`
`324`	`326`	`@Test`