OAuth2 Resource Server Auto-Configuration can only configure a single JWS algorithm #31230
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
|
It appears to be unhappy with my formatting. I'll uglify and push a follow-up commit here in a few minutes. |
|
It's all green now; I was able to appease checkstyle, but I couldn't figure out how to get the formatter to stop mangling my code so I had to disable it. |
|
Thanks for raising this, @rs017991. It's unfortunate that we missed this when the change was made in Spring Security 5.2. To consider making the proposed changes in 2.6.x or 2.7.x, we'd have to consider this to be a bug as we do not make enhancements in maintenance releases. It could be argued that it's a bug of omission. I'll label the issue for discussion at a team meeting so that we can consider our options. |
wilkinsona
added
the
for: team-meeting
bclozel
added
type: bug
|
We're going to look at adding a |
|
Thanks for the update @philwebb. I'll be afk for a few weeks, so feel free to rework my contribution as you see fit in my absence. |
wilkinsona
changed the title
|
Thanks for the pull request, @rs017991. Unfortunately, the approach that I think we need to take is sufficiently different to what's proposed here that I don't think it's worth building on top of these changes as we'd revert them almost entirely. Thanks anyway for bringing the problem to our attention. I've opened gh-31321 to track the problem. |
wilkinsona
added
status: superseded
Spring Security added support for specifying multiple JWS algorithms in spring-projects/spring-security#7162
However, since the auto-configuration was not updated, it was only possible to leverage that enhancement via a custom bean.
(a bit clunky and undesirable compared to setting it in yml)
This PR fills the gap by allowing the existing property to contain a comma-delimited list of algorithms.
(if only one algorithm is defined as before, then it will behave no differently)
I'd like to get this backported to
2.7as well as2.6if at all possible.Please let me know if/when you would like me to do this.