Jwt decoding should support multiple algorithms #6883
Comments
Would it be possible to implement a

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Base64;
import java.util.List;
import com.nimbusds.jose.JWSHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

public class DelegatingJwtDecoder implements JwtDecoder {
    private final List<DelegatedJwtDecoder> decoders;

    public DelegatingJwtDecoder(List<DelegatedJwtDecoder> decoders) {
        this.decoders = decoders;
    }

    @Override
    public Jwt decode(String token) throws JwtException {
        String decodedHeader = decodeHeader(token);
        String signingAlg = getSigningAlgorithm(decodedHeader);
        DelegatedJwtDecoder jwtDecoder = findDecoderSupportingAlgorithm(signingAlg);
        return jwtDecoder.decode(token);
    }

    private String decodeHeader(String token) {
        // decode the Base64url-encoded header (first segment) of the token
        String encodedHeader = token.split("\\.")[0];
        return new String(Base64.getUrlDecoder().decode(encodedHeader), StandardCharsets.UTF_8);
    }

    private String getSigningAlgorithm(String tokenHeader) {
        // get the "alg" value from the decoded JSON header
        try {
            return JWSHeader.parse(tokenHeader).getAlgorithm().getName();
        } catch (ParseException e) {
            throw new JwtException("Malformed JWT header", e);
        }
    }

    private DelegatedJwtDecoder findDecoderSupportingAlgorithm(String algorithm) {
        return decoders.stream()
                .filter(decoder -> decoder.supportsAlgorithm(algorithm))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException(
                        "No decoder found that supports the signing algorithm!"));
    }
}
```

The

```java
public interface DelegatedJwtDecoder extends JwtDecoder {
    boolean supportsAlgorithm(String algorithm);
}
```
@dnl50 I believe the example implementation you provided is similar to what @rwinch has suggested. However, I don't believe we need to introduce a new interface. Instead, we would provide a new implementation of
According to the Spring Security reference, the algorithm can be overridden by providing a JwtDecoder bean, but it doesn't work after I did that because the initialization of NimbusJwtDecoderJwkSupport is located at line 212 of OidcAuthorizationCodeAuthenticationProvider.java
@compfantasy The PR #6495 introduced support in 5.2.0.M2 for a configurable JWS algorithm via NOTE:
@jgrandja Does this mean that I just need to upgrade the current version of spring-security-oauth2-jose-5.1.4.RELEASE to 5.2.0.M2, then configure jwsAlgorithm in the client registration? Do you have a simple demo project regarding this change? Thanks
@jgrandja I already upgraded the version of spring-security-oauth2-client and spring-security-oauth2-core to 5.2.0.M2. I can see there is a class named OidcIdTokenDecoderFactory, but how can I use setJwsAlgorithmResolver() to make JwsAlgorithm work in the Spring context? I tried to create a new OidcTokenDecoderFactory bean and set the JwsAlgorithm to RS512, but it doesn't work, and I tried to create a new JwtDecoder bean, but it doesn't work for me either. I would very much appreciate it if you can help here.
@compfantasy Can you please put together a minimal sample so I can see what you have so far and share via a GitHub repository. This will be the most effective way to help resolve this for you. |
Do I need a CustomJwtDecoderFactory like
then I create different decoders as
the problem is how
Summary
We should add a strategy where Jwt decoders can delegate to other Jwt decoders based upon the algorithm that is in the JWT that was passed into it. This would allow supporting multiple algorithms returned by an IdP as discussed in #5465 (comment)
A possible way to do this would be to have a JwtDecoder implementation that calls other JwtDecoders, though note this might require decoding the JWT twice.
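The delegating strategy described in the summary, as an added example (not code from this issue or from Spring Security itself); it assumes the Spring Security 5.2 NimbusJwtDecoder builder and the Nimbus JOSE library that spring-security-oauth2-jose depends on. The `alg` header is read before the signature is verified, so it is untrusted input: it is used only as a lookup key into a fixed allow-list, and each delegate is pinned to exactly one algorithm; as the summary anticipates, the header is parsed once here and again by the delegate.

```java
import java.text.ParseException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical class (not part of Spring Security): dispatches to one JwtDecoder per
// JWS algorithm. The "alg" header is read before signature verification, so it is
// untrusted; it only selects among pre-configured delegates, each pinned to one alg.
public final class AlgorithmDelegatingJwtDecoder implements JwtDecoder {
    private final Map<String, JwtDecoder> decodersByAlgorithm;

    public AlgorithmDelegatingJwtDecoder(Map<String, JwtDecoder> decodersByAlgorithm) {
        this.decodersByAlgorithm =
                Collections.unmodifiableMap(new LinkedHashMap<>(decodersByAlgorithm));
    }

    // One delegate per allowed algorithm, all verifying against the same JWK Set URI.
    public static AlgorithmDelegatingJwtDecoder forJwkSetUri(
            String jwkSetUri, SignatureAlgorithm... allowed) {
        Map<String, JwtDecoder> decoders = new LinkedHashMap<>();
        for (SignatureAlgorithm alg : allowed) {
            // Each NimbusJwtDecoder accepts only its own algorithm, so a token whose
            // header claims RS512 is never checked by the RS256 delegate.
            decoders.put(alg.getName(),
                    NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm(alg).build());
        }
        return new AlgorithmDelegatingJwtDecoder(decoders);
    }

    @Override
    public Jwt decode(String token) throws JwtException {
        String alg;
        try {
            // Header-only parse; signature verification happens in the chosen delegate.
            alg = SignedJWT.parse(token).getHeader().getAlgorithm().getName();
        } catch (ParseException e) {
            throw new JwtException("Malformed JWT: " + e.getMessage(), e);
        }
        JwtDecoder delegate = decodersByAlgorithm.get(alg);
        if (delegate == null) {
            throw new JwtException("Unsupported JWS algorithm: " + alg);
        }
        return delegate.decode(token);
    }
}
```

Expose it as the JwtDecoder bean, e.g. `AlgorithmDelegatingJwtDecoder.forJwkSetUri(jwkSetUri, SignatureAlgorithm.RS256, SignatureAlgorithm.RS512)`, and any token whose header names an algorithm outside that list is rejected before a delegate is consulted.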