
Relax client_id validation in AtJwtBuilder#18890

Merged
jzheaux merged 2 commits intospring-projects:mainfrom
gbaso:gh-18381-client_id
Mar 20, 2026

Conversation

@gbaso
Contributor

@gbaso gbaso commented Mar 13, 2026

AtJwtBuilder currently requires configuring a specific client_id value, and tokens containing a different client_id are rejected. As discussed in #18381 (comment), this is a stronger requirement than that specified in RFC 9068, which only requires that a client_id claim is present.

In scenarios like the client_credentials grant type, multiple clients may obtain tokens from the same issuer and call the same resource server. In these cases, the resource server may not even know all possible client_id values in advance.

This change relaxes the default behavior of AtJwtBuilder so that it validates only the presence of the client_id claim. A specific value can still be required by calling AtJwtBuilder#clientId(...), just as before.

Relates to gh-18381
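The two client_id policies the description contrasts, as an added example that is not code from this PR or from Spring Security's AtJwtBuilder: it expresses the RFC 9068 presence check and the stricter pinned-value check with Spring Security's standard OAuth2TokenValidator API, which a resource server can wire into a JwtDecoder. The issuer URL, audience, client names and the unsigned sample Jwt are constructed for the demonstration.

```java
import java.time.Instant;
import java.util.List;
import java.util.Set;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.util.StringUtils;

/**
 * Added example, not code from this PR or from AtJwtBuilder.
 * Shows the RFC 9068 "client_id must be present" baseline next to the
 * opt-in "client_id must be a known value" policy, both as validators
 * a resource server could pass to NimbusJwtDecoder#setJwtValidator.
 */
public class ClientIdPolicyExample {

    // Assumed values for the demonstration.
    static final String ISSUER = "https://issuer.example";
    static final String AUDIENCE = "https://api.example";

    /** RFC 9068 baseline: client_id must be present and non-empty; any value is accepted. */
    static OAuth2TokenValidator<Jwt> clientIdPresent() {
        return new JwtClaimValidator<String>("client_id", StringUtils::hasText);
    }

    /** Stricter policy, equivalent to pinning a value: client_id must name a known client. */
    static OAuth2TokenValidator<Jwt> clientIdOneOf(Set<String> knownClients) {
        // JwtClaimValidator passes null to the predicate when the claim is absent,
        // so guard before contains(): Set.of(...) throws on contains(null).
        return new JwtClaimValidator<String>("client_id",
                value -> value != null && knownClients.contains(value));
    }

    /** Resource-server chain: issuer and timestamp checks plus the chosen client_id policy. */
    static OAuth2TokenValidator<Jwt> resourceServerValidator(OAuth2TokenValidator<Jwt> clientIdPolicy) {
        return new DelegatingOAuth2TokenValidator<>(
                new JwtIssuerValidator(ISSUER), new JwtTimestampValidator(), clientIdPolicy);
    }

    /** Constructed, unsigned Jwt object used only to exercise the validators (no signature check here). */
    static Jwt sampleToken(String clientId) {
        Instant now = Instant.now();
        Jwt.Builder builder = Jwt.withTokenValue("constructed-token-value")
                .header("typ", "at+jwt")
                .header("alg", "RS256")
                .issuer(ISSUER)
                .subject("service-account")
                .audience(List.of(AUDIENCE))
                .issuedAt(now)
                .expiresAt(now.plusSeconds(300))
                .jti("constructed-jti");
        if (clientId != null) {
            builder.claim("client_id", clientId);
        }
        return builder.build();
    }

    static String outcome(String label, OAuth2TokenValidatorResult result) {
        return label + ": " + (result.hasErrors() ? "rejected " + result.getErrors() : "accepted");
    }

    public static void main(String[] args) {
        OAuth2TokenValidator<Jwt> presenceOnly = resourceServerValidator(clientIdPresent());
        OAuth2TokenValidator<Jwt> pinned = resourceServerValidator(clientIdOneOf(Set.of("billing-client")));

        Jwt fromKnownClient = sampleToken("billing-client");
        Jwt fromOtherClient = sampleToken("reporting-client");
        Jwt withoutClientId = sampleToken(null);

        System.out.println(outcome("presence-only, known client", presenceOnly.validate(fromKnownClient)));
        System.out.println(outcome("presence-only, other client", presenceOnly.validate(fromOtherClient)));
        System.out.println(outcome("presence-only, no client_id", presenceOnly.validate(withoutClientId)));
        System.out.println(outcome("pinned, known client       ", pinned.validate(fromKnownClient)));
        System.out.println(outcome("pinned, other client       ", pinned.validate(fromOtherClient)));
    }
}
```

With the presence-only chain, tokens from both clients pass and only the token lacking client_id is rejected, which is the relaxed default this PR describes; the pinned chain additionally rejects the second client, which is the behaviour a deployment keeps when it calls AtJwtBuilder#clientId(...) with a specific value. Neither validator replaces signature verification or audience checking, which the decoder and an audience validator still have to perform.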

RFC 9068 requires that access token JWTs include the `client_id`
claim, but it does not require resource servers to validate it against
a specific value.

Relates to spring-projectsgh-18381

Signed-off-by: Giacomo Baso <gbaso@users.noreply.github.com>
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 13, 2026
@jzheaux jzheaux self-assigned this Mar 20, 2026
@jzheaux jzheaux added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 20, 2026
@jzheaux jzheaux added this to the 7.1.0-RC1 milestone Mar 20, 2026
Closes spring-projectsgh-18381

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
@jzheaux jzheaux enabled auto-merge (rebase) March 20, 2026 21:26
@jzheaux
Contributor

jzheaux commented Mar 20, 2026

Thanks, @gbaso, for the quick turnaround! This will merge once the build completes.

@jzheaux jzheaux merged commit ea05089 into spring-projects:main Mar 20, 2026
7 checks passed
@gbaso gbaso deleted the gh-18381-client_id branch March 21, 2026 00:37

Labels

in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
