Describe the bug
On the Spring Authorization Server side, the client is registered with the tls_client_auth authentication method.
The client and server are configured for mutual TLS, and during the TLS handshake the client presents only the leaf certificate, which is valid in a PKI-based setup.
NGINX terminates mTLS and forwards the request to Spring Authorization Server, passing along the client’s leaf certificate.
However, Spring Authorization Server returns “invalid client authentication method.”
According to RFC 8705, the tls_client_auth method does not require the client to send intermediate certificates in the SAS authentication.
To Reproduce
Set up the client and server with mTLS, register the client as tls_client_auth, and set up NGINX to forward the leaf certificate in a request header.
Expected behavior
How does SAS support a client with the tls_client_auth client authentication method that provides only the leaf certificate?
Sample
In this link, if the client only provides the leaf certificate, it will set the client authentication method to self_signed_client_auth:
https://github.com/spring-projects/spring-security/blob/8c4c5fe91f92390e231117d0fc3b50df9848b972/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/X509ClientCertificateAuthenticationConverter.java#L75
but in the class X509ClientCertificateAuthenticationProvider.java, it will generate “invalid client authentication method”:
https://github.com/spring-projects/spring-security/blob/8c4c5fe91f92390e231117d0fc3b50df9848b972/oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/X509ClientCertificateAuthenticationProvider.java#L102
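An added example, written for this page and not taken from Spring Authorization Server or from the reporter, that models in Go (standard library only) the two ways an authorization server can decide which mTLS client authentication method a presented certificate corresponds to: the chain-length heuristic the report describes (a single certificate in the presented chain is treated as self_signed_tls_client_auth, the RFC 8705 name for the method) and a trust-based check that verifies the leaf against the trusted client CA and only calls a certificate self-signed when it verifies under its own key. The CA, the CA-issued client certificate and the self-signed client certificate are generated in memory as constructed test material; the function names, the `Result` type and the method constants are the example's own, not Spring's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Method names as defined in RFC 8705 (example constants, not Spring's enum).
const (
	TLSClientAuth           = "tls_client_auth"
	SelfSignedTLSClientAuth = "self_signed_tls_client_auth"
)

// Result holds the decision of both classifiers for one presented chain.
type Result struct {
	ByChainLength string
	ByPKI         string
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCert generates test-only key material: a certificate for cn signed by
// parent/parentKey, or self-signed when parent is nil.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, big.NewInt(1<<62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// classifyByChainLength is the heuristic the report describes: one certificate
// in the presented chain is taken to mean a self-signed client certificate.
func classifyByChainLength(chain []*x509.Certificate) string {
	if len(chain) == 1 {
		return SelfSignedTLSClientAuth
	}
	return TLSClientAuth
}

// classifyByPKI decides from trust rather than chain length: a leaf that verifies
// against the trusted client CA is tls_client_auth even when no intermediates were
// sent; a leaf that verifies only under its own key is self-signed.
func classifyByPKI(chain []*x509.Certificate, roots *x509.CertPool) (string, error) {
	leaf := chain[0]
	intermediates := x509.NewCertPool()
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	opts := x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err == nil {
		return TLSClientAuth, nil
	}
	selfSigned := leaf.Issuer.String() == leaf.Subject.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil
	if selfSigned {
		return SelfSignedTLSClientAuth, nil
	}
	return "", fmt.Errorf("certificate for %q is neither trusted nor self-signed", leaf.Subject.CommonName)
}

func classify(chain []*x509.Certificate, roots *x509.CertPool) (Result, error) {
	byPKI, err := classifyByPKI(chain, roots)
	return Result{ByChainLength: classifyByChainLength(chain), ByPKI: byPKI}, err
}

// Scenario builds the two cases from the report: a CA-issued client certificate
// presented without its chain (as the proxy forwards it) and a self-signed one.
func Scenario() (pkiLeaf, selfSigned Result, err error) {
	ca, caKey := makeCert("Example Client CA", true, nil, nil)
	issued, _ := makeCert("pki-client", false, ca, caKey)
	own, _ := makeCert("self-signed-client", false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if pkiLeaf, err = classify([]*x509.Certificate{issued}, roots); err != nil {
		return
	}
	selfSigned, err = classify([]*x509.Certificate{own}, roots)
	return
}

func main() {
	pki, self, err := Scenario()
	must(err)
	fmt.Printf("CA-issued leaf alone: chain-length=%s  pki=%s\n", pki.ByChainLength, pki.ByPKI)
	fmt.Printf("self-signed leaf:     chain-length=%s  pki=%s\n", self.ByChainLength, self.ByPKI)
}
```

Run with `go run`: the CA-issued leaf presented alone comes out as self_signed_tls_client_auth under the chain-length rule, which is exactly the mismatch with a client registered for tls_client_auth, while the trust-store check classifies it as tls_client_auth. Whatever terminates TLS (NGINX in the report) must have validated the certificate against the same client CA, and a forwarded certificate header is only trustworthy when the proxy is the sole path to the authorization server and overwrites any client-supplied copy of that header.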