
Spring Security 6 does not invoke jwk-set-uri [Spring-boot-3] #12977

Closed
isatishp opened this issue Apr 7, 2023 · 3 comments
Labels: for: stackoverflow (A question that's better suited to stackoverflow.com), in: config (An issue in spring-security-config)

Comments


isatishp commented Apr 7, 2023

Description
I recently migrated from Spring Boot Version 2.7.10 to 3.0.5.
The oauth2 resource server with minimalistic config which validated the token previously, failed. Upon debugging, I saw that with 2.7.10, the jwk-set-uri is invoked. However, with 3.0.5, the jwk-set-uri is never invoked and returns 401 with
"www-authenticate Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Steps to reproduce the behavior:
Compare the behavior of oauth2 resource server with 2.7.10 vs 3.0.5

Expected behavior
jwk-set-uri provided should be invoked to fetch keys and algorithm to validate token.

Sample
I'll need to generate a sample if you really need.

But this is kind of a blocker, and if you are already aware, please help me with it.

Thanks :)

@isatishp isatishp added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 7, 2023

isatishp commented Apr 7, 2023

https://github.com/isatishp/sample-security

Repository contains two branches for spring boot 2.7.10 and 3.0.5 respectively.

I have also provided a sample token which could be expired by the time you test it. You may get 401, but you'll see that the jwks endpoint is still invoked in Spring Boot 2.7.10, whereas it is never invoked in the case of Spring Boot 3.


jzheaux commented Apr 7, 2023

Sorry that you are having trouble with the upgrade, @isatishp, and thanks for reaching out for help.

I believe the Spring Boot property has changed from jws-algorithm to jws-algorithms. When I made this change, your sample worked correctly.

Note that the Boot guide references a tool they've provided to help with property migration. Your IDE can also be a support here (as it was for me in this case).
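An added example (not taken from the linked sample repository) of the property rename jzheaux describes, with a placeholder JWK set URI. On Spring Boot 3 the old singular key is no longer bound, so Boot falls back to its default of RS256; NimbusJwtDecoder's key selector then rejects any token whose `alg` header is outside the allowed set before it fetches the JWK set, which is why the endpoint appears never to be called.

```yaml
# application.yml for Spring Boot 3.0.x (added example; the issuer host is a placeholder)
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://auth.example.invalid/.well-known/jwks.json
          # Boot 3: plural key, a list of accepted JWS algorithms.
          # A token whose "alg" header is not listed here is rejected
          # before the JWK set is ever fetched.
          jws-algorithms:
            - RS256
            - ES256

# The equivalent on Spring Boot 2.7.x. On 3.0.x this key is ignored,
# the default (RS256) applies, and a token signed with any other
# algorithm fails with "Another algorithm expected, or no matching key(s) found".
#
# spring:
#   security:
#     oauth2:
#       resourceserver:
#         jwt:
#           jwk-set-uri: https://auth.example.invalid/.well-known/jwks.json
#           jws-algorithm: ES256
```

The property migrator jzheaux refers to reports such renamed keys at startup, which turns this silent fallback into a visible warning.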

@jzheaux jzheaux closed this as completed Apr 7, 2023
@jzheaux jzheaux self-assigned this Apr 7, 2023
@jzheaux jzheaux added in: config An issue in spring-security-config for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 7, 2023
isatishp commented Apr 8, 2023 via email
