Nimbus Jwt Decoder Configurability #5648

Closed
jzheaux opened this issue Aug 7, 2018 · 1 comment · Fixed by #5936
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (A general enhancement)

Comments

@jzheaux (Contributor) commented Aug 7, 2018

It would be nice if NimbusJwtDecoderJwkSupport were a bit easier to test. Also, NimbusJwtDecoderJwkSupport is very opinionated in the way that Nimbus gets configured.

We could alleviate both of these by introducing a constructor or separate JwtDecoder implementation entirely that takes a Nimbus JwtProcessor:

public NimbusJwtDecoderJwkSupport(JWTProcessor<SecurityContext> jwtProcessor) {
    this.jwtProcessor = jwtProcessor;
}

or

// Nimbus' processor interface is com.nimbusds.jwt.proc.JWTProcessor
public class NimbusJwtDecoder implements JwtDecoder {
    private final JWTProcessor<SecurityContext> jwtProcessor;

    public NimbusJwtDecoder(JWTProcessor<SecurityContext> jwtProcessor) {
        this.jwtProcessor = jwtProcessor;
    }

    // decode(String) hands the token to jwtProcessor.process(...)
}

// and

public class NimbusJwtDecoderJwkSupport implements JwtDecoder {
    private final NimbusJwtDecoder delegate;

    public NimbusJwtDecoderJwkSupport(String jwkSetUrl) {
        JWTProcessor<SecurityContext> jwtProcessor = // .... configure
        this.delegate = new NimbusJwtDecoder(jwtProcessor);
    }
}

Either of these would make it possible to:

  1. Write tests that do not depend on a legitimate static Jwt and Jwk Set to be provided, simplifying unit tests
  2. Provide for easier configuration for users who want to configure Nimbus themselves outside of Spring Security's guidance.
@jgrandja jgrandja added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) JWT-JOSE labels Aug 8, 2018
@DarrenForsythe (Contributor) commented

This would help greatly in areas where the IDP isn't providing the keys via the jwks url, which is poor but painful to work around in 5.1. Currently having to copy the decoder to be able to set a custom keyset.

import java.net.URL;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.source.*;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.*;

// token is the raw compact-serialized JWT string handed to the decoder
// The IdP publishes a signing certificate at a URL instead of a JWK Set
X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X509")
        .generateCertificate(new URL("https://public-signing-key").openStream());

RSAKey jwk = new RSAKey.Builder((RSAPublicKey) certificate.getPublicKey())
        .keyID("signing-cert")
        .build();
JWKSet jwkSet = new JWKSet(jwk);
JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(jwkSet);
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
JWSAlgorithm expectedJWSAlg = JWSAlgorithm.RS384;

// Pinning the expected algorithm makes the selector return no key for any other alg
JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(expectedJWSAlg, keySource);
jwtProcessor.setJWSKeySelector(keySelector);

JWT jwt = JWTParser.parse(token);
JWTClaimsSet claimsSet = jwtProcessor.process(jwt, null);

// rest of the impl from Nimbus decoder
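Added example, not code from this issue, from Spring Security or from Nimbus, covering both the injectable-processor shape jzheaux sketches and the custom key set DarrenForsythe builds: the class name ProcessorBackedDecoder, the in-memory test key and the key ID "test-key" are assumptions. It shows what the proposal buys for testing: the key set is generated locally instead of fetched from a JWK Set URL, the processor is pinned to one algorithm, and a token signed with the same key but a different alg is refused.

```java
import java.util.Date;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.*;

public class ProcessorBackedDecoderExample {

    // Hypothetical decoder in the shape the issue proposes: every Nimbus choice
    // (key source, allowed algorithm, claim checks) lives in the injected processor.
    static final class ProcessorBackedDecoder {
        private final JWTProcessor<SecurityContext> jwtProcessor;
        ProcessorBackedDecoder(JWTProcessor<SecurityContext> jwtProcessor) {
            this.jwtProcessor = jwtProcessor;
        }
        // Nimbus parses the compact JWT, selects the key, verifies the signature and exp/nbf.
        JWTClaimsSet decode(String token) throws Exception {
            return this.jwtProcessor.process(token, null);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key, generated in memory: no JWK Set URL and no IdP needed.
        RSAKey key = new RSAKeyGenerator(2048).keyID("test-key").generate();

        // Processor pinned to RS256 and to an in-memory key set holding only the public key.
        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(
                JWSAlgorithm.RS256, new ImmutableJWKSet<>(new JWKSet(key.toPublicJWK()))));
        ProcessorBackedDecoder decoder = new ProcessorBackedDecoder(processor);

        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT ok = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("test-key").build(), claims);
        ok.sign(new RSASSASigner(key));
        System.out.println("accepted subject: " + decoder.decode(ok.serialize()).getSubject());

        // Same key, different alg: the pinned selector offers no key, so Nimbus rejects the token.
        SignedJWT bad = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS384).keyID("test-key").build(), claims);
        bad.sign(new RSASSASigner(key));
        try { decoder.decode(bad.serialize()); } catch (BadJOSEException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```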

@jzheaux jzheaux self-assigned this Oct 10, 2018
@jgrandja jgrandja added this to the 5.2.x milestone Oct 19, 2018
@jzheaux jzheaux modified the milestones: 5.2.x, 5.2.0.M1 Oct 30, 2018
jzheaux added a commit to jzheaux/spring-security that referenced this issue Nov 12, 2018
Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor
configuration.

Fixes: spring-projectsgh-5648
rwinch pushed a commit that referenced this issue Nov 14, 2018
Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor
configuration.

Fixes: gh-5648
jer051 pushed a commit to jer051/spring-security that referenced this issue Nov 21, 2018
Introduces a JwtDecoder which takes a raw Nimbus JWTProcessor
configuration.

Fixes: spring-projectsgh-5648
jzheaux added a commit that referenced this issue Jul 30, 2020
Issue gh-5648

Co-authored-by: MattyA <[email protected]>
jzheaux added a commit that referenced this issue Jul 30, 2020
Issue gh-5648

Co-authored-by: MattyA <[email protected]>
jzheaux added a commit that referenced this issue Jul 31, 2020
Issue gh-5648

Co-authored-by: MattyA <[email protected]>
jzheaux added a commit that referenced this issue Jul 31, 2020
Issue gh-5648

Co-authored-by: MattyA <[email protected]>
3 participants