NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7290

Closed
BoukeNijhuis opened this issue Aug 21, 2019 · 3 comments

Comments

@BoukeNijhuis
Contributor

commented Aug 21, 2019

Summary

The NimbusJwtDecoderJwkSupport is not able to retrieve the JWK Set because it gets an HTTP 406 (Not Accepted). It tries to retrieve it from an endpoint that only produces the media-type application/jwk-set+json. This media-type is the proper media-type for this kind of endpoint as specified in https://tools.ietf.org/html/rfc7517. This new behaviour was introduced around the release of version 5.1.

Actual Behavior

The NimbusJwtDecoderJwkSupport gets an HTTP 406 when trying to retrieve a JWK Set from an endpoint that only produces the media-type application/jwk-set+json.

Expected Behavior

The NimbusJwtDecoderJwkSupport gets an HTTP 200 when trying to retrieve a JWK Set from an endpoint that only produces the media-type 'application/jwk-set+json'.

Configuration

The endpoint produces only the media-type application/jwk-set+json. This looks like this in the code:
@GetMapping(value = "/jwk", produces = com.nimbusds.jose.jwk.JWKSet.MIME_TYPE)

Version

It seems the change in behaviour is introduced here:

16fe1c5 (line 183)

In this commit the RestOperationsResourceRetriever is introduced in the NimbusJwtDecoderJwkSupport class. Before this commit a DefaultResourceRetriever was used. The latter uses an HttpURLConnection to retrieve the JWK Set (WITHOUT an Accept request header). The former uses a RestOperations (WITH an Accept request header with the value 'application/json;charset=UTF-8').

Sample

I tried to find a public endpoint that only produces the media-type application/jwk-set+json. I was not able to find one and therefore I cannot provide a working sample to demonstrate this problem.

Proposed solution

Add the media-type 'application/jwk-set+json' to the Accept request header in the RestOperationsResourceRetriever.

@jzheaux

Contributor

commented Aug 21, 2019

Note that NimbusJwtDecoder in 5.2 likely exhibits the same behavior.

@jgrandja

Collaborator

commented Aug 22, 2019

@BoukeNijhuis Thank you for the report!

I agree with your proposed solution...

Add the media-type application/jwk-set+json to the Accept request header in the RestOperationsResourceRetriever.

Would you be interested in submitting a PR?

@jgrandja jgrandja added this to the 5.2.0.RC1 milestone Aug 22, 2019

@jgrandja jgrandja changed the title from "NimbusJwtDecoderJwkSupport only accepts the media-type 'application/json'" to "NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header" Aug 22, 2019

@BoukeNijhuis

Contributor Author

commented Aug 23, 2019

I am interested in submitting a PR. I will try this today.

BoukeNijhuis added a commit to BoukeNijhuis/spring-security that referenced this issue Aug 23, 2019
BoukeNijhuis added a commit to BoukeNijhuis/spring-security that referenced this issue Aug 25, 2019
BoukeNijhuis added a commit to BoukeNijhuis/spring-security that referenced this issue Aug 29, 2019

@jgrandja jgrandja closed this in dbd1819 Sep 3, 2019

jgrandja added a commit that referenced this issue Sep 3, 2019
AndreasKl added a commit to AndreasKl/spring-security that referenced this issue Sep 5, 2019