Spring Security OAuth2 v5 : NoSuchBeanDefinitionException: 'org.springframework.security.oauth2.jwt.JwtDecoder'

Question

I have a SpringBoot application that I am trying to update from the older Spring Security OAuth 2.x library to the newer Spring Security 5.5.x. Initially my configuration class was using the @EnableResourceServer annotation, but this was replaced with the Spring Security oauth2ResourceServer DSL method, as per the migration guide.

I have added in a custom JWT authentication converter, but am now getting the following warning on startup:

09:30:51.591 [, , ] [main] WARN %->5level org.springframework.web.context.support.AnnotationConfigWebApplicationContext - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'springSecurityFilterChain' defined in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [javax.servlet.Filter]: Factory method 'springSecurityFilterChain' threw exception; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type 'org.springframework.security.oauth2.jwt.JwtDecoder' available

I can't see where this JwtDecoder is used in the filter chain yet, but it's stopping my application from starting up.

@Configuration
@Order(OAuthTokenApiSecurityConfig.ORDER)
public class OAuthTokenApiSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(final HttpSecurity http) throws Exception { // NOPMD

        // @formatter:off
        http
            .requestMatcher(new OAuth2RequestMatcher())
            ...
            ...
            .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(customTokenAuthenticationConverter());
        // @formatter:on
    }

    @Bean
    public CustomTokenAuthenticationConverter customTokenAuthenticationConverter() {
        return new CustomTokenAuthenticationConverter();
    }

    @Bean
    public JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter() {
        return new JwtGrantedAuthoritiesConverter();
    }
}

dependecies {
    api("org.springframework.security:spring-security-oauth2-resource-server")
    api("org.springframework.security:spring-security-oauth2-core")
    api("org.springframework.security:spring-security-oauth2-jose")
    api("com.nimbusds:nimbus-jose-jwt")
}

springBootVersion=2.5.3
springSecurity=5.5.1

Is there some dependency that I am missing, or is there some config or something else?

Answer 1

The JwtDecoder is used within the Jwt Configuration to decode, and validate the incoming token against the public keys.

There's multiple ways of building the bean provided via some factory methods in the JwtDecoders class.

Specifically,

JwtDecoders.fromIssuerUri(...) and JwtDecoders.fromOidcIssuerUri(...) and I believe theres now a third method for pointing directly at a key.

The decoder it self can be explicitly set on the decoder method on the jwt configuration if you want/need to build one manually e.g. want to more add validations to the JwtDecoder.

If you read the javadoc of the OAuth2ResourceServerConfigurer there's also the option to set the Jwk Set URI via the jwkSetUri method which would also build a decoder.

The exact point the JwtDecoder is used is within the JwtAuthenticationProvider which will eventually be called from the BearerTokenAuthenticationFilter