Description
Current Behavior
When I try to configure two JWK entries with different kids and different private/public keys, the Spring OAuth2 Authorization Server works okay and returns them in the http://[]/oauth2/token endpoint.
When I try to do a client credentials grant (POST http://[]/oauth2/token) I get the error below. This error seems to be right, since the authorization server does not know which kid it should use for the client that is requesting the token.
org.springframework.security.oauth2.jwt.JwtEncodingException: An error occurred while attempting to encode the Jwt: Found multiple JWK signing keys for algorithm 'RS256'
at org.springframework.security.oauth2.jwt.NimbusJwtEncoder.selectJwk(NimbusJwtEncoder.java:128) ~[spring-security-oauth2-jose-6.0.0.jar:6.0.0]
at org.springframework.security.oauth2.jwt.NimbusJwtEncoder.encode(NimbusJwtEncoder.java:108) ~[spring-security-oauth2-jose-6.0.0.jar:6.0.0]
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:159) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:58) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
at org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator.generate(DelegatingOAuth2TokenGenerator.java:59) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
at org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationProvider.authenticate(OAuth2ClientCredentialsAuthenticationProvider.java:125) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.0.0.jar:6.0.0]
at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter.doFilterInternal(OAuth2TokenEndpointFilter.java:167) ~[spring-security-oauth2-authorization-server-1.0.0.jar:1.0.0]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.2.jar:6.0.2]
My Code:

import java.util.ArrayList;
import java.util.List;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;

    // Loads every configured RSA key pair (kid + private/public key) into one JWKSet.
    @Bean
    public JWKSet jwkSet(AuthProperties authProperties) throws Exception {
        List<JWK> keys = new ArrayList<>();
        for (JksProperties jwk : authProperties.getJksList()) {
            keys.add(loadRsa(jwk));
            break; // exits after the first entry, so only one JWK is registered here
        }
        return new JWKSet(keys);
    }

    // Exposes the whole set to the encoder; the selector decides which key is used.
    @Bean
    public JWKSource<SecurityContext> jwkSource(JWKSet jwkSet) {
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    @Bean
    public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
        return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
    }
Expected Behavior
The solution I found was to create two instances of the authorization server, so each of the instances can have its own kid and public and private key.
It would be nice (maybe it exists and I don't know) to have a way to configure the same authorization server to have multiple JWKs to be used for different clients.
Context
I have a requirement to sign two different JWK tokens; for each one I should use a different kid/public/private key. These kids should also be returned in the same JWKS endpoint.
The workaround/alternative I'm thinking of is to run two different instances of the authorization server.
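The stack trace above comes from NimbusJwtEncoder.selectJwk, which builds a JWKSelector from the JWS header of the token being signed: if the header carries only the algorithm (RS256) and two keys in the set match it, the encoder refuses to pick one. The following is an added example, not code from the issue author or from the Spring Authorization Server project. It keeps both keys in one JWKSet (so both are published on the JWKS endpoint) and uses an OAuth2TokenCustomizer<JwtEncodingContext> to put a per-client kid into the JWS header before encoding, so the selector matches exactly one key. The client setting name "example.kid" and the kid values "key-a"/"key-b" are constructed for this example; the JWKSet bean is assumed to be the one from the issue (without the break, so that both keys are loaded).

```java
// Added example; assumes a JWKSet bean containing two RSA keys with kids
// "key-a" and "key-b" (constructed values). Not the project's own code.
import java.util.Map;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class PerClientSigningKeyConfig {

    // Constructed name of the client setting that carries the kid for this client.
    static final String KID_SETTING = "example.kid";

    // Both keys stay in the set: the JWKS endpoint publishes both, and the
    // JWKSelector built by NimbusJwtEncoder narrows the choice at signing time.
    @Bean
    public JWKSource<SecurityContext> jwkSource(JWKSet jwkSet) {
        return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
    }

    // Two client-credentials clients, each pinned to its own kid via client settings.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient clientA = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client-a")
                .clientSecret("{noop}secret-a")           // constructed demo secret
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .clientSettings(ClientSettings.builder().setting(KID_SETTING, "key-a").build())
                .build();
        RegisteredClient clientB = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("client-b")
                .clientSecret("{noop}secret-b")           // constructed demo secret
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .clientSettings(ClientSettings.builder().setting(KID_SETTING, "key-b").build())
                .build();
        return new InMemoryRegisteredClientRepository(clientA, clientB);
    }

    // Runs inside JwtGenerator before NimbusJwtEncoder.encode: setting "kid" on
    // the JWS header makes the encoder's JWKMatcher require that key id, so only
    // one of the RS256 keys matches and the "multiple JWK signing keys" error
    // does not occur. A client without the setting falls back to the default
    // selection and would still fail with two RS256 keys in the set.
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> kidPerClientCustomizer() {
        return context -> {
            Map<String, Object> settings = context.getRegisteredClient().getClientSettings().getSettings();
            Object kid = settings.get(KID_SETTING);
            if (kid != null) {
                context.getJwsHeader().keyId(kid.toString());
            }
        };
    }
}
```

The kid written into the header must match the kid of the loaded JWK exactly, otherwise the selector finds no key and encoding fails just as loudly. Resource servers verifying the tokens then pick the matching public key from the JWKS endpoint by that same kid, which is the usual reason to publish both keys on one endpoint rather than running two authorization server instances.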