JWT decoding with Spring Security

Question

I have a problem with JWT decoding. I'm writing an integration for oauth2 authorization service. I send a request to get an authorized token and get a response like:

{
"access_token": "c76fb018-27c9-43f7-a751-62646eda7e1a-1",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "03e0be32-e72e-47ec-b740-a00b333a8ac4-1",
"id_token": "eyJhbGciOiJnb3N0MzQtMTAuMjAxMiJ9.eyJzdWIiOiIwZDYxNTI3NDRlNDhkMTU4Y2UwMWQ3ZDQwZTdjNzUwYmZhMTVmMWVhY2NkOTQ3YmYwYTU0NzRhNDkwMGMyZTdjIiwiaXNzIjoiaXNzLWRlZmF1bHQtdmFsdWUiLCJhdWQiOiIxMTQzIiwiZXhwIjoxNTE4NzAxMDcxLCJpYXQiOjE1MTg3MDA3NzEsImF1dGhfdGltZSI6MTUxODcwMDc1NiwiYWNyIjoibG9hLTMiLCJhbXIiOiJ7cHdkLCBtY2EsIG1mYSw
gb3RwLCBzbXN9IiwiYXpwIjoiMTE0MyIsIm5vbmNlIjoiN2JlNjZhYzktZDA3Yy00OTY3LWFkZWQtY2EyNzBhMjdlOWU4In0=.EdiC77+9bO+/vRzvv71677+977+977+9eAXvv73vv73vv71E77+977+977+977+9Re+/ve+/vTNbbdm0Bu+/vRY/eO+/vRvvv70q77+977+9LO+/vU4iZO+/vSNF0oFy77+977+977+9GQnvv73vv70v77+9QO+/vXk="
}

id_token - A Base64-encoded URL is a set of client attributes required to identify the user. The attributes are separated by "." characters, each must be decoded separately.

I don't know how to do it. I will be grateful for any help.

Application.yml

spring:
  security:
    oauth2:
      client:
        registration:
          sbb:
            client-id: *******
            client-secret: ******
            scope: openid
            client-authentication-method: post
            authorization-grant-type: authorization_code
            redirect-uri: '{baseUrl}/login/oauth2/code/{registrationId}'
        provider:
          sbb:
            authorization-uri: https://auth.site.com/ic/sso/api/v1/oauth/authorize
            token-uri: https://auth.site.com/ic/sso/api/v1/oauth/token
            user-info-uri: https://auth.site.com/ic/sso/api/v1/oauth/user-info
            user-name-attribute: sub

@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().disable();
        http.cors().disable();
        http.csrf().disable();
        http
            .authorizeRequests().antMatchers("/login").permitAll().and()
            .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2Login();
   }
}

When I start my app, I get an error: org.springframework.security.oauth2.core.OAuth2AuthenticationException: [missing_signature_verifier] Failed to find a Signature Verifier for Client Registration: 'sbb'. Check to ensure you have configured the JwkSet URI.

My provider does not provide a JwkSet URI.

Aleksandr Erokhin · Accepted Answer

Filip described the approach here. I just expanded it a bit.

  @Bean
  public JwtDecoderFactory jwtDecoderFactory() {

    final JwtDecoder decoder = new JwtDecoder() {

      @SneakyThrows
      @Override
      public Jwt decode(String token) throws JwtException {
        JWT jwt = JWTParser.parse(token);
        return createJwt(token, jwt);
      }

      private Jwt createJwt(String token, JWT parsedJwt) {
        try {
          Map headers = new LinkedHashMap<>(parsedJwt.getHeader().toJSONObject());
          Map claims = parsedJwt.getJWTClaimsSet().getClaims();
          return Jwt.withTokenValue(token)
              .headers(h -> h.putAll(headers))
              .claims(c -> c.putAll(claims))
              .build();
        } catch (Exception ex) {
          if (ex.getCause() instanceof ParseException) {
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, "Malformed payload"));
          } else {
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
          }
        }
      }
    };
    return context -> decoder;
  }

JWT decoding with Spring Security

Answers (2)

Related Questions