Spring Security 6 does not invoke jwk-set-uri [Spring-boot-3] #12977
Labels: `for: stackoverflow` (A question that's better suited to stackoverflow.com), `in: config` (An issue in spring-security-config)
Description
I recently migrated from Spring Boot Version 2.7.10 to 3.0.5.
The OAuth2 resource server with a minimalistic config, which validated the token previously, failed. Upon debugging, I saw that with 2.7.10 the jwk-set-uri is invoked. However, with 3.0.5 the jwk-set-uri is never invoked, and the server returns 401 with:
```
www-authenticate: Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
```
Steps to reproduce the behavior:
Compare the behavior of oauth2 resource server with 2.7.10 vs 3.0.5
Expected behavior
jwk-set-uri provided should be invoked to fetch keys and algorithm to validate token.
Sample
I'll need to generate a sample if you really need one.
But this is kind of a blocker, and if you are already aware of it, please help me with it.
Thanks :)