Nimbus Jwt decoders should not force SignedJWT #7034

@jzheaux

Description

When an application injects a JWTProcessor into NimbusJwtDecoder:

```java
ConfigurableJWTProcessor<SecurityContext> jwtProcessor = ...;
NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
```

it's evident that the application knows what it's doing and what types of JWTs it cares to accept.

Additionally, JWTProcessor does its own type checking, disallowing plain JWTs, and erroring if there isn't sufficient configuration for an incoming SignedJWT or EncryptedJWT to be processed.

Because JWTProcessor already tests these scenarios, there is little gained from NimbusJwtDecoder adding its own checks before delegating.

NimbusJwtDecoder should change from:

```java
if (token instanceof SignedJWT) {
    // ... process the token
}
throw exception;
```

to

```java
if (token instanceof PlainJWT) {
    throw exception;
}
// ... process the token
```

And likewise for NimbusReactiveJwtDecoder.

Note that Nimbus does check on its own for a signature of "none", but due to #5457, Spring Security should keep checking for PlainJWTs.
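As an added illustration (not code from the issue, and not Spring Security's own implementation), the following standalone Java program contrasts the two checks against a Nimbus `DefaultJWTProcessor` that has been configured for both HS256-signed and direct-key-encrypted tokens. The class and method names (`DecoderDelegationDemo`, `decodeCurrent`, `decodeProposed`, `processorForBoth`), the exception chosen for the decoder-level rejection, and the shared secret are all invented for the demo; it assumes only `nimbus-jose-jwt` on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEDecryptionKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

// Hypothetical demo class: models the decoder's type check, not Spring Security's real code.
public class DecoderDelegationDemo {

    // Constructed 256-bit secret, reused as the HS256 MAC key and the "dir" JWE key.
    // Demo value only; never hard-code a real secret.
    private static final byte[] SECRET =
            "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    /** Current behaviour: anything that is not a SignedJWT is refused before delegation. */
    static JWTClaimsSet decodeCurrent(String token, ConfigurableJWTProcessor<SecurityContext> processor)
            throws ParseException, BadJOSEException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof SignedJWT) {
            return processor.process(jwt, null);
        }
        throw new BadJOSEException("Unsupported JWT type: " + jwt.getClass().getSimpleName());
    }

    /** Proposed behaviour: reject only PlainJWT here, delegate every other type. */
    static JWTClaimsSet decodeProposed(String token, ConfigurableJWTProcessor<SecurityContext> processor)
            throws ParseException, BadJOSEException, JOSEException {
        JWT jwt = JWTParser.parse(token);
        if (jwt instanceof PlainJWT) {
            // Kept at this layer on purpose, independent of Nimbus' own "none" handling.
            throw new BadJOSEException("Unsecured (plain) JWTs are not accepted");
        }
        return processor.process(jwt, null);
    }

    /** A processor the application configured for both signed and encrypted tokens. */
    static ConfigurableJWTProcessor<SecurityContext> processorForBoth() {
        ImmutableSecret<SecurityContext> keys = new ImmutableSecret<>(SECRET);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.HS256, keys));
        processor.setJWEKeySelector(
                new JWEDecryptionKeySelector<>(JWEAlgorithm.DIR, EncryptionMethod.A256GCM, keys));
        return processor;
    }

    /** Runs one decode and reports the outcome instead of propagating. */
    static String attempt(String label, String token, boolean proposed,
                          ConfigurableJWTProcessor<SecurityContext> processor) {
        try {
            JWTClaimsSet claims = proposed ? decodeProposed(token, processor) : decodeCurrent(token, processor);
            return label + ": accepted, sub=" + claims.getSubject();
        } catch (Exception e) {
            return label + ": rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();

        // Three constructed tokens carrying the same claims: JWS, JWE and unsecured.
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claims);
        signed.sign(new MACSigner(SECRET));
        EncryptedJWT encrypted = new EncryptedJWT(
                new JWEHeader(JWEAlgorithm.DIR, EncryptionMethod.A256GCM), claims);
        encrypted.encrypt(new DirectEncrypter(SECRET));
        String plain = new PlainJWT(claims).serialize();

        ConfigurableJWTProcessor<SecurityContext> processor = processorForBoth();

        System.out.println(attempt("current   / signed   ", signed.serialize(), false, processor));
        System.out.println(attempt("current   / encrypted", encrypted.serialize(), false, processor));
        System.out.println(attempt("proposed  / signed   ", signed.serialize(), true, processor));
        System.out.println(attempt("proposed  / encrypted", encrypted.serialize(), true, processor));
        System.out.println(attempt("proposed  / plain    ", plain, true, processor));
    }
}
```

The encrypted token is the case that motivates the issue: with the current check it is rejected before the processor ever sees it, even though the application supplied a JWE key selector; with the proposed check it reaches the processor and is decrypted and validated there. The plain token is still rejected at the decoder level before delegation, which is the behaviour the issue asks to preserve.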

Metadata

Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
