Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nimbus Jwt decoders should not force SignedJWT #7034

jzheaux opened this issue Jun 25, 2019 · 0 comments


Copy link

commented Jun 25, 2019

When an application injects a JWTProcessor into NimbusJwtDecoder:

ConfigurableJWTProcessor<SecurityContext> jwtProcessor = ...;
NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);

it's evident that the application knows what it's doing and what types of JWTs it cares to accept.

Additionally, JWTProcessor does its own type checking, disallowing plain JWTs, and erroring if there isn't sufficient configuration for an incoming SignedJWT or EncryptedJWT to be processed.

Because JWTProcessor already tests these scenarios, there is little gained from NimbusJwtDecoder adding its own checks before delegating.

NimbusJwtDecoder should change from:

if (token instanceof SignedJWT) {
    // ... process the token
throw exception;


if (token instanceof PlainJWT) {
    throw exception;
// ... process the token

And likewise for NimbusReactiveJwtDecoder.

Note that Nimbus does check on its own for a signature of "none", but due to #5457, Spring Security should keep checking for PlainJWTs.

@jzheaux jzheaux self-assigned this Jun 25, 2019

@jzheaux jzheaux added this to the 5.2.0.RC1 milestone Jun 25, 2019

@jzheaux jzheaux changed the title Nimbus Jwt decoders should not enforce opinion on JWT types when fully custom JWTProcessor is provided Nimbus Jwt decoders should not force SignedJWT Jun 25, 2019

@jzheaux jzheaux closed this in 37d108c Jun 25, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
1 participant
You can’t perform that action at this time.