Allow multiple JWS algorithms to be configured
1 parent
29cd148
commit ee8be24
Showing
5 changed files
with
163 additions
and
9 deletions.
@@ -23,6 +23,7 @@ | |
import java.util.Base64; | ||
import java.util.Collections; | ||
import java.util.List; | ||
import java.util.Set; | ||
import java.util.function.Supplier; | ||
|
||
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean; | ||
|
@@ -78,15 +79,20 @@ static class JwtConfiguration { | |
@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri") | ||
ReactiveJwtDecoder jwtDecoder() { | ||
NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = NimbusReactiveJwtDecoder | ||
.withJwkSetUri(this.properties.getJwkSetUri()) | ||
.jwsAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithm())).build(); | ||
.withJwkSetUri(this.properties.getJwkSetUri()).jwsAlgorithms(this::jwsAlgorithms).build(); | ||
String issuerUri = this.properties.getIssuerUri(); | ||
Supplier<OAuth2TokenValidator<Jwt>> defaultValidator = (issuerUri != null) | ||
? () -> JwtValidators.createDefaultWithIssuer(issuerUri) : JwtValidators::createDefault; | ||
nimbusReactiveJwtDecoder.setJwtValidator(getValidators(defaultValidator)); | ||
return nimbusReactiveJwtDecoder; | ||
} | ||
|
||
private void jwsAlgorithms(Set<SignatureAlgorithm> signatureAlgorithms) { | ||
for (String algorithm : this.properties.getJwsAlgorithms()) { | ||
signatureAlgorithms.add(SignatureAlgorithm.from(algorithm)); | ||
} | ||
} | ||
|
||
private OAuth2TokenValidator<Jwt> getValidators(Supplier<OAuth2TokenValidator<Jwt>> defaultValidator) { | ||
OAuth2TokenValidator<Jwt> defaultValidators = defaultValidator.get(); | ||
List<String> audiences = this.properties.getAudiences(); | ||
|
@@ -105,8 +111,12 @@ private OAuth2TokenValidator<Jwt> getValidators(Supplier<OAuth2TokenValidator<Jw | |
NimbusReactiveJwtDecoder jwtDecoderByPublicKeyValue() throws Exception { | ||
RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA") | ||
.generatePublic(new X509EncodedKeySpec(getKeySpec(this.properties.readPublicKey()))); | ||
if (this.properties.getJwsAlgorithms() == null || this.properties.getJwsAlgorithms().size() != 1) { | ||
wilkinsona
|
||
throw new IllegalStateException( | ||
"Creating a JWT decoder using a public key requires exactly one JWS algorithm"); | ||
} | ||
NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withPublicKey(publicKey) | ||
.signatureAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithm())).build(); | ||
.signatureAlgorithm(SignatureAlgorithm.from(this.properties.getJwsAlgorithms().get(0))).build(); | ||
jwtDecoder.setJwtValidator(getValidators(JwtValidators::createDefault)); | ||
return jwtDecoder; | ||
} | ||
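Review bot: The new `jwsAlgorithms` helper adds `SignatureAlgorithm.from(algorithm)` to the set without checking the result; as far as I recall `SignatureAlgorithm.from` returns `null` for a name it does not recognise, so a typo such as `RS-256` in the configured list would put `null` into the set and surface later as a bare NullPointerException from the decoder builder, whereas the removed single-value `.jwsAlgorithm(...)` call sat behind the builder's own null assertion. Because this list is a security control over which signature types the resource server accepts, it should fail fast and name the bad entry: `SignatureAlgorithm resolved = SignatureAlgorithm.from(algorithm);` then `if (resolved == null) { throw new IllegalStateException("Unsupported JWS algorithm '" + algorithm + "'"); }` then `signatureAlgorithms.add(resolved);`. The `getJwsAlgorithms().get(0)` lookup in `jwtDecoderByPublicKeyValue` has the same unchecked `from(...)` result and would benefit from the same guard, or from sharing a small private resolver with the first hunk. The enclosing `JwtConfiguration` class continues outside these hunks, so I cannot see whether the property default or a binding validator already rejects unknown names.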
|
Do we need this null check? I'm not sure that we should fail on `null`, because shouldn't that mean we should use the Spring Security default?