NimbusJwtDecoderJwkSupport only sets 'application/json' Accept header #7290
The NimbusJwtDecoderJwkSupport is not able to retrieve the JWK Set because it gets an HTTP 406 (Not Accepted). It tries to retrieve it from an endpoint that only produces the media-type application/jwk-set+json. This media-type is the proper media-type for this kind of endpoint as specified in https://tools.ietf.org/html/rfc7517. This new behaviour is introduced around the release of version 5.1.
The NimbusJwtDecoderJwkSupport gets an HTTP 406 when trying to retrieve a JWK Set from an endpoint that only produces the media-type application/jwk-set+json.
The NimbusJwtDecoderJwkSupport gets an HTTP 200 when trying to retrieve a JWK Set from an endpoint that only produces the media-type 'application/jwk-set+json'.
The endpoint produces only the media-type application/jwk-set+json. This looks like this in the code:
It seems the change in behaviour is introduced here:
16fe1c5 (line 183)
In this commit the RestOperationsResourceRetriever is introduced in the NimbusJwtDecoderJwkSupport class. Before this commit a DefaultResourceRetriever was used. The latter uses an HttpURLConnection to retrieve the JWK Set (WITHOUT an Accept request header). The former uses a RestOperations (WITH an Accept request header with the value 'application/json;charset=UTF-8').
I tried to find a public endpoint that only produces the media-type application/jwk-set+json. I was not able to find one and therefore I cannot provide a working sample to demonstrate this problem.
Add the media-type 'application/jwk-set+json' to the Accept request header in the RestOperationsResourceRetriever.
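One way the proposed change could look, as an added example that is not part of the original issue and not Spring Security's own code: a Nimbus `ResourceRetriever` backed by `RestOperations` that offers both media types in the Accept header. The class name `JwkSetAcceptingResourceRetriever` is hypothetical, and the sketch assumes Spring Web 5.x and Nimbus JOSE+JWT on the classpath.

```java
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Arrays;

import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

// Hypothetical class: illustrates the proposed fix, not the project's implementation.
public class JwkSetAcceptingResourceRetriever implements ResourceRetriever {

    // Media type for JWK Sets as specified in RFC 7517.
    private static final MediaType APPLICATION_JWK_SET_JSON =
            new MediaType("application", "jwk-set+json");

    private final RestOperations restOperations;

    public JwkSetAcceptingResourceRetriever(RestOperations restOperations) {
        this.restOperations = restOperations;
    }

    @Override
    public Resource retrieveResource(URL url) throws IOException {
        HttpHeaders headers = new HttpHeaders();
        // Offer both types so an endpoint producing either one can satisfy the request.
        headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));
        ResponseEntity<String> response;
        try {
            RequestEntity<Void> request = new RequestEntity<>(headers, HttpMethod.GET, url.toURI());
            response = this.restOperations.exchange(request, String.class);
        } catch (RestClientException | URISyntaxException ex) {
            // With RestTemplate's default error handler, a 406 arrives here as an exception.
            throw new IOException("Failed to retrieve JWK Set from " + url, ex);
        }
        if (!response.getStatusCode().is2xxSuccessful() || response.getBody() == null) {
            throw new IOException("Unexpected response " + response.getStatusCode() + " from " + url);
        }
        MediaType contentType = response.getHeaders().getContentType();
        return new Resource(response.getBody(), contentType != null ? contentType.toString() : null);
    }
}
```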