NimbusJwtDecoder.withPublicKey() does not work with JWT that contains kid #7049

Closed
firnkes opened this issue Jun 28, 2019 · 1 comment · Fixed by #7055
Comments


firnkes commented Jun 28, 2019

Summary

When using NimbusJwtDecoder.withPublicKey() to decode a JWT token that contains a kid, the decoding always fails, as the provided PublicKey does not match.

Actual Behavior

The error "Signed JWT rejected: Another algorithm expected, or no matching key(s) found" is raised, because no matching key is found (the JWT token contains a kid, the provided public key does not).

Expected Behavior

As I specify the public key to be used, the JWT token should be verified using this key. There is no need to find a matching key.

Version

5.2.0.M2

Sample

import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

String verificationKey = "someKey"; // Base64-encoded X.509 (SubjectPublicKeyInfo) RSA public key
String token = "someTokenWithKid"; // JWT whose header carries a "kid"

// Rebuild the RSA public key from its encoded form.
KeyFactory kf = KeyFactory.getInstance("RSA");
byte[] decoded = Base64.getDecoder().decode(verificationKey);
EncodedKeySpec keySpec = new X509EncodedKeySpec(decoded);
RSAPublicKey publicKey = (RSAPublicKey) kf.generatePublic(keySpec);
// Fails with "no matching key(s) found": the token's kid is not matched against the configured key.
NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey).build();
decoder.decode(token);
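To show the behaviour the reporter expects (the kid treated as a hint and the pinned key tried regardless), here is an added example written directly against the Nimbus JOSE+JWT library that Spring's decoder wraps; it is not code from the issue or from Spring Security, and the generated key pair, the kid value "issuer-key-1" and the subject "alice" are constructed for the demo.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Date;

public class PinnedKeyKidDemo {
    // Constructed for this example: a fresh RSA key pair stands in for the deployment's real key.
    static KeyPair keyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Issue a token whose header carries a kid, like the token in the report.
    static String tokenWithKid(KeyPair kp) throws Exception {
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("issuer-key-1").build();
        JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(kp.getPrivate()));
        return jwt.serialize();
    }

    // Selector that hands back the pinned key for every token, so kid is never consulted;
    // the signature check still decides, and alg is pinned so the header cannot pick a weaker one.
    static JWSKeySelector<SecurityContext> pinnedKeySelector(RSAPublicKey key) {
        return (header, ctx) -> JWSAlgorithm.RS256.equals(header.getAlgorithm())
                ? Collections.<Key>singletonList(key) : Collections.<Key>emptyList();
    }
    static JWTClaimsSet verify(String token, RSAPublicKey key) throws Exception {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(pinnedKeySelector(key));
        return processor.process(token, null); // throws on a bad signature or an expired token
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = keyPair();
        System.out.println("subject=" + verify(tokenWithKid(kp), (RSAPublicKey) kp.getPublic()).getSubject());
    }
}
```

A token signed with a different key, or one whose header names an algorithm other than RS256, is rejected by the same processor, which is the property that makes ignoring kid safe when the key is pinned.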

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 28, 2019
jzheaux (Contributor) commented Jun 28, 2019

Thanks for the report, @firnkes. I agree that this would be an improvement on the default Nimbus behavior.

I've submitted #7055 accordingly.

@jzheaux jzheaux self-assigned this Jun 28, 2019
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: improvement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 28, 2019
@jzheaux jzheaux added this to the 5.2.0.RC1 milestone Jun 28, 2019
jzheaux added a commit to jzheaux/spring-security that referenced this issue Jun 28, 2019
jzheaux added a commit that referenced this issue Jun 28, 2019
kostya05983 pushed a commit to kostya05983/spring-security that referenced this issue Aug 26, 2019
3 participants