Reputation: 3599
We are using Spring Boot 1 OAuth with the following properties.
security.oauth2.resource.jwt.key-uri
Somehow it was missing from Spring Boot 2; is there any replacement for that?
Upvotes: 2
Views: 5625
Reputation: 140
I had the same issue, and after searching a lot of resources on the internet I came to this solution:
There's a JwkTokenStore (which is different from a JwtTokenStore). This JwkTokenStore accepts a string in the constructor which points to a key-set-url.
So I ended up with this in my ResourceServer config:
    @Value("${security.oauth2.resource.jwk.key-set-uri}")
    private String keySetUri;
    @Bean
    public TokenStore tokenStore() {
        // JwkTokenStore verifies token signatures with the keys published at keySetUri
        JwkTokenStore jwkTokenStore = new JwkTokenStore(keySetUri, accessTokenConverter());
        return jwkTokenStore;
    }
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        return converter;
    }
I'm using this with Azure AD/OpenIDConnect and for us it works fine.
Kind regards,
Danny
Upvotes: 3
Reputation: 12184
I asked the same question in the Gitter chat.
Dave Syer said:
Those features were removed. They are migrating to Spring Security. But slowly. The plan is to have a shim jar that you can use in the transition period. But that's not done yet. @rwinch said he was going to publish something after Spring One (i.e. next week earliest)
So there is no replacement yet. They removed some resource server autoconfiguration from spring-boot. And they did not yet add it back to spring-security. But this will come soon.
So all you can do at the moment is to copy over the needed code from spring-boot 1.5.
EDIT
In the meantime there is a project that helps you to get the spring-security-oauth autoconfiguration in spring-boot 2 - see https://github.com/spring-projects/spring-security-oauth2-boot
See also the spring boot 1.5->2.0 migration guide - https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Migration-Guide#oauth2
Upvotes: 4
Reputation: 1
I was dealing with the same thing when migrating from Spring Boot 1 to 2. For the moment, you can keep your oauth2 properties exactly the same. I just added a method using WebClient for retrieving the public key:
    // Fetches the verifier key from the given URI; JwtObject is the poster's own response type
    private String getPublicKeyValue(String uriKey) {
        return Optional.of(WebClient.create(uriKey))
                .map(j -> j.get().retrieve().bodyToMono(JwtObject.class))
                .map(Mono::block)
                .map(JwtObject::getValue)
                .orElseThrow(
                        () -> new RuntimeException("An error has occurred while getting the public key from remote : " + uriKey));
    }
where publicKeyUri is:
    @Value("${security.oauth2.resource.jwk.key-set-uri}")
    private String publicKeyUri;
And use it like:
    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // The key is fetched once, when this bean is created
        converter.setVerifierKey(getPublicKeyValue(publicKeyUri));
        return converter;
    }
You can also configure the public key value directly rather than the URI, which is much simpler.
Of course, this is just a temporary solution until spring boot 2 comes with the real feature.
Upvotes: 0
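Added example, not part of any answer above and not code from the Spring projects: when the verifier key is fetched from a remote URI as in the last answer, it can be validated before it reaches setVerifierKey, so a non-HTTPS URI or a response that is not an RSA public key fails at startup. The class and method names are hypothetical, the URL is a placeholder, and the sample key is generated locally as a constructed stand-in for the remote response.

```java
import java.net.URI;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
// Hypothetical helper; names are illustrative, not from spring-security-oauth.
public class VerifierKeyCheck {
    private static final String BEGIN = "-----BEGIN PUBLIC KEY-----";
    private static final String END = "-----END PUBLIC KEY-----";

    // Refuse to fetch key material over anything but HTTPS.
    static URI requireHttps(String uri) {
        URI parsed = URI.create(uri);
        if (!"https".equalsIgnoreCase(parsed.getScheme())) {
            throw new IllegalArgumentException("Key URI must use https: " + uri);
        }
        return parsed;
    }

    // Accept only a PEM-encoded RSA public key of at least 2048 bits.
    static RSAPublicKey requireRsaPublicKey(String pem) throws Exception {
        String text = pem.trim();
        if (text.length() < BEGIN.length() + END.length()
                || !text.startsWith(BEGIN) || !text.endsWith(END)) {
            throw new IllegalArgumentException("Not a PEM public key");
        }
        String body = text.substring(BEGIN.length(), text.length() - END.length()).replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        RSAPublicKey key = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        if (key.getModulus().bitLength() < 2048) {
            throw new IllegalArgumentException("RSA key shorter than 2048 bits");
        }
        return key;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a throwaway key stands in for the remote response.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        byte[] der = gen.generateKeyPair().getPublic().getEncoded();
        String pem = BEGIN + "\n" + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der) + "\n" + END;
        System.out.println("accepted, bits=" + requireRsaPublicKey(pem).getModulus().bitLength());
        System.out.println("uri ok: " + requireHttps("https://auth.example.com/token_key")); // placeholder URL
        try {
            requireRsaPublicKey("shared-secret"); // not PEM: must be rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a resource server configuration, the fetched string would be passed to setVerifierKey only after requireRsaPublicKey returns without throwing. A key fetched once at bean creation is not refreshed when the authorization server rotates its keys.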