Bug with JwtValidators.createDefaultWithIssuer(String)? #9136


Closed
cmouttet opened this issue Oct 16, 2020 · 1 comment
Labels: in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), type: bug A general bug

Comments

@cmouttet
Contributor

I found an odd behavior with JWT parsing and JwtValidators.

Scenario:

  • Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
  • Custom JwtDecoderFactory<ClientRegistration> for ID-Token validation
  • JwtValidatorFactory based on JwtValidators.createDefaultWithIssuer(String)

This worked well with Spring Boot version <= 2.2.10.

Debugging:

  • NimbusJwtDecoder (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as a URL.
  • JwtIssuerValidator (internally created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>.
  • This one finally calls equals(), which is always false: it compares a String with a URL.

My current workaround is not calling JwtValidators.createDefaultWithIssuer() but just using the validator new JwtTimestampValidator() and my own implementation of OAuth2TokenValidator<Jwt> (wrapping a JwtClaimValidator<URL>).

Anyone else having trouble with this?

--Christian

@cmouttet cmouttet added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Oct 16, 2020
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 16, 2020
@jzheaux
Contributor

jzheaux commented Oct 16, 2020

Thanks for the report, @cmouttet.

While OIDC says the iss claim is a URL, JWT says it's a StringOrURI. The difference in the RFCs is probably the source of the differing behavior.

I think it makes sense for JwtIssuerValidator to work for both. Would you be able to submit a PR that updates it to convert the issuer to a String before doing the comparison? I think that would mean no longer wrapping JwtClaimValidator.

@jzheaux jzheaux self-assigned this Oct 16, 2020
cmouttet added a commit to cmouttet/spring-security that referenced this issue Oct 27, 2020
- NimbusJwtDecoder uses claim set converters: the issuer claim is converted to a URL object
- JwtIssuerValidator (created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>
- because of the different data types, equals() is always false

This change allows both Strings and URLs as values of the issuer

Closes spring-projectsgh-9136
@jzheaux jzheaux added this to the 5.5.0-M1 milestone Nov 4, 2020
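The type mismatch reported above and the String-normalising comparison jzheaux asked for, as an added Java example. It is not part of this issue thread and not Spring Security's own JwtIssuerValidator; it uses the real spring-security-oauth2-core/oauth2-jose classes Jwt, OAuth2TokenValidator, OAuth2TokenValidatorResult and OAuth2Error, while the class name TypeTolerantIssuerValidator and the issuer value are made up for the example:

```java
import java.net.URL;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;

/**
 * Issuer validator that accepts the "iss" claim either as a String (RFC 7519 StringOrURI)
 * or as a java.net.URL (what NimbusJwtDecoder's claim-set converter produces for OIDC tokens).
 * Hypothetical example class; not Spring Security's JwtIssuerValidator.
 */
public final class TypeTolerantIssuerValidator implements OAuth2TokenValidator<Jwt> {

    private final String expectedIssuer;
    private final OAuth2Error mismatch;

    public TypeTolerantIssuerValidator(String expectedIssuer) {
        Assert.hasText(expectedIssuer, "expectedIssuer cannot be empty");
        this.expectedIssuer = expectedIssuer;
        this.mismatch = new OAuth2Error("invalid_token",
                "The iss claim is not valid", "https://tools.ietf.org/html/rfc6750#section-3.1");
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        // Read the raw claim value: it may be a String, a URL, or absent (null).
        Object issuer = token.getClaims().get("iss");
        // Normalise to a String before comparing. String.equals(URL) is always false,
        // and URL.equals(URL) may even resolve host names, which is not wanted here.
        if (issuer != null && this.expectedIssuer.equals(issuer.toString())) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(this.mismatch);
    }

    /** Builds two tokens that carry the same issuer in both representations (constructed sample data). */
    public static void main(String[] args) throws Exception {
        String issuer = "https://issuer.example/realms/demo"; // placeholder issuer, not a real IdP
        Jwt asString = Jwt.withTokenValue("token-1").header("alg", "RS256")
                .claim("iss", issuer).build();
        Jwt asUrl = Jwt.withTokenValue("token-2").header("alg", "RS256")
                .claim("iss", new URL(issuer)).build();

        // What the report boils down to: a String expected value compared with a URL claim value.
        System.out.println("String.equals(URL) -> " + issuer.equals(asUrl.getClaims().get("iss")));

        OAuth2TokenValidator<Jwt> validator = new TypeTolerantIssuerValidator(issuer);
        System.out.println("String claim accepted? " + !validator.validate(asString).hasErrors());
        System.out.println("URL claim accepted?    " + !validator.validate(asUrl).hasErrors());

        // A different issuer must still be rejected regardless of the claim's runtime type.
        OAuth2TokenValidator<Jwt> other = new TypeTolerantIssuerValidator("https://other.example/realms/demo");
        System.out.println("Wrong issuer accepted? " + !other.validate(asUrl).hasErrors());
    }
}
```

Exact string equality is deliberate: a startsWith() or contains() check would accept any issuer that merely shares a prefix with the configured one, so normalising the type must not loosen the comparison. A missing claim fails closed for the same reason.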