OAuth2 Resource Server Auto-Configuration can only configure a single JWS algorithm #31321

Closed
wilkinsona opened this issue Jun 9, 2022 · 2 comments
Labels
type: bug A general bug

Comments

@wilkinsona
Member

See PR #31230 for background.

@wilkinsona
Member Author

wilkinsona commented Jun 9, 2022

The differences between using a JWK Set URI and a public key location present an interesting problem. We configure both using the same `jws-algorithm` property but only the former can potentially support multiple values when creating the JWT decoder.

Use of a JWS Set URI or a public key location is mutually exclusive and we'll only ever auto-configure one decoder. This means that we could change both to use the new `jws-algorithms` property. We'd then have to handle the case where multiple algorithms and a public key location have been configured. I've implemented a proposal for this in this branch. Flagging for team attention as I'd like to see if we're in agreement on this being a good idea…

@wilkinsona wilkinsona added the for: team-attention An issue we'd like other members of the team to review label Jun 9, 2022
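
The distinction drawn in the comment above, sketched against Spring Security's `NimbusJwtDecoder` builders. This is an added example, not code from the issue, the linked branch or Spring Boot; the class and method names are hypothetical, and rejecting a public key configured with anything other than exactly one algorithm is an assumption about how that case could be handled.

```java
import java.security.interfaces.RSAPublicKey;
import java.util.Set;

import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Added illustration; class and method names are hypothetical, not Spring Boot's.
final class JwsAlgorithmDecoders {

    // A JWK Set can publish several keys, so the decoder can be told to accept
    // several signature algorithms. Listing them explicitly means a token signed
    // with any other algorithm is rejected.
    static JwtDecoder fromJwkSetUri(String jwkSetUri, Set<SignatureAlgorithm> algorithms) {
        if (algorithms.isEmpty()) {
            throw new IllegalStateException("At least one JWS algorithm must be configured");
        }
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwsAlgorithms(configured -> configured.addAll(algorithms))
                .build();
    }

    // The public key builder takes a single signature algorithm, so a list with
    // more (or fewer) than one entry is rejected up front instead of silently
    // picking one. Assumed behaviour: the page does not say what the proposal does.
    static JwtDecoder fromPublicKey(RSAPublicKey key, Set<SignatureAlgorithm> algorithms) {
        if (algorithms.size() != 1) {
            throw new IllegalStateException(
                    "A public key location supports exactly one JWS algorithm, but "
                            + algorithms.size() + " were configured");
        }
        return NimbusJwtDecoder.withPublicKey(key)
                .signatureAlgorithm(algorithms.iterator().next())
                .build();
    }
}
```
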
@mhalbritter
Contributor

Your changes look good to me.
