Reputation: 11
We have an auth server built using spring-boot-starter-oauth2-authorization-server and a resource server built using spring-boot-starter-oauth2-resource-server.
Using Spring Security 6.x.
Able to generate a token from the auth server, and on submitting the token to the resource server, able to validate the token against the auth server.
If we open the JWK set URI in a browser we observe,
{ Kid: xyz.. RSA .. }
and on refreshing the URI, a second kid is shown,
{ Kid: abc.. RSA .. }
In a clustered environment with multiple pods, a few request validations (1 in 30-50) are failing due to a kid mismatch. The kid comparison is done in the Nimbus JWT dependency.
Tried to create a JwkSource bean with a constant kid value; now the kid matches, since both kid values of the same JWK set URI match, but a few (1 in 30-40) are failing with a signature mismatch. No signature is set in the code.
Is anything missing?
Should we create a JwkSource bean backed by a JKS file, reading the public and private key and setting a constant kid?
In the Nimbus JWT framework code we see that when a kid mismatch is observed, the code reads the next kid by calling the same JWK set URI, but intermittently the comparison fails.
Is there something to replace the Nimbus JWT dependency with, i.e. another dependency, to avoid the failure?
Upvotes: 1
Views: 58
Reputation: 11
The following solved the issue,
In a clustered environment, refreshing the JWKS URI now returns the same value and the intermittent issue is no longer observed.
Upvotes: 0
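A kid that changes on every refresh of the JWK set URI is the signature of each pod generating its own RSA key pair at startup (as the Spring Authorization Server getting-started sample does, with a random UUID as kid): a load balancer hands each JWKS fetch to a different pod, so the resource server's cached key set never matches every token. Forcing a constant kid alone makes the mismatch worse, not better, because the resource server then verifies a token from pod A with pod B's public key, which is exactly the intermittent "signature mismatch" described in the question. The fix is for all pods to sign with the same key. As an added example (not code from either post above), this is a JWKSource bean of the kind the question asks about, loading one RSA key pair from a shared PKCS12 keystore; the property names auth.jwk.* are hypothetical.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;

@Configuration
public class SharedSigningKeyConfig {

    // Hypothetical property names (assumption): every pod must point at the SAME keystore,
    // e.g. a mounted secret at file:/etc/auth/signing.p12, never a per-pod generated key.
    @Value("${auth.jwk.keystore}")
    private Resource keystore;

    @Value("${auth.jwk.keystore-password}")
    private String keystorePassword;

    @Value("${auth.jwk.alias}")
    private String alias;

    // Constant kid, e.g. "auth-signing-v1". Because the key behind it is also constant,
    // the kid now identifies exactly one key cluster-wide.
    @Value("${auth.jwk.kid}")
    private String kid;

    @Bean
    public JWKSource<SecurityContext> jwkSource() throws Exception {
        char[] password = keystorePassword.toCharArray();

        // Load the keystore from the shared location; the private key never leaves this process.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = keystore.getInputStream()) {
            ks.load(in, password);
        }

        RSAPrivateKey privateKey = (RSAPrivateKey) ks.getKey(alias, password);
        RSAPublicKey publicKey = (RSAPublicKey) ks.getCertificate(alias).getPublicKey();

        // Build the JWK: only the public part is published at /oauth2/jwks,
        // the private part is used by the authorization server to sign tokens.
        RSAKey rsaKey = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(kid)
                .build();

        // ImmutableJWKSet serves the identical key set from every pod, so repeated
        // fetches of the JWK set URI return the same kid and the same modulus.
        return new ImmutableJWKSet<>(new JWKSet(rsaKey));
    }
}
```

A keystore for this can be produced once with `keytool -genkeypair -keyalg RSA -keysize 2048 -alias auth-signing -storetype PKCS12 -keystore signing.p12` and distributed to the pods as a secret. To verify the fix, fetch the JWK set URI a few dozen times through the load balancer and confirm the kid and the `n` (modulus) field are identical on every response. Rotation then becomes a deliberate step: publish the new key alongside the old one in the JWKSet on all pods first, switch signing to it, and only remove the old key after every token signed with it has expired, since the resource server's JwtDecoder refetches the JWKS only when it meets an unknown kid.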