TechQA.

Spring Boot 2.3.4: Bug with JwtValidators.createDefaultWithIssuer(String)?

475 views Asked by At

I found an odd behavior with JWT parsing and JwtValidators.

Scenario:

  • Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
  • Custom JwtDecoderFacotry<ClientRegistration> for ID-Token validation
  • JwtValidatorFactory based on JwtValidators.createDefaultWithIssuer(String)

This worked well with Spring Boot version <= 2.2.10.

Debugging:

  • NimbusJwtDecoder (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as URL.
  • JwtIssuerValidator (internally created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>.
  • this one finally calls equals() that is always false - it compares String with URL.

My current workaround is not calling JwtValidators.createDefaultWithIssuer() but just using the validators new JwtTimestampValidator() and an own implementation of OAuth2TokenValidator<Jwt> (with wrapping JwtClaimValidator<URL>).

Anyone else having trouble with this?

--Christian

spring-boot spring-security-oauth2 nimbus-jose-jwt spring-boot-starter-oauth2-client
Original Q&A
1

There are 1 answers

0
cmouttet On BEST ANSWER

It's a bug. Pull Request is created.

Related Questions in SPRING-BOOT

Related Questions in SPRING-SECURITY-OAUTH2

Related Questions in NIMBUS-JOSE-JWT

Related Questions in SPRING-BOOT-STARTER-OAUTH2-CLIENT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions