JwtIssuerValidator should use URL.toExternalForm #6073
Labels: in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: bug (A general bug)
rwinch added the type: bug and in: oauth2 labels on Nov 13, 2018

jzheaux added a commit that referenced this issue on Nov 13, 2018:
Converts URLs to Strings before comparing them. Uses toString(), which delegates to toExternalForm(). Fixes: gh-6073

jzheaux added a commit to jzheaux/spring-security that referenced this issue on Nov 13, 2018:
Since StringOrURI is a valid issuer, MappedJwtClaimSetConverter and JwtIssuerValidator no longer assume it. Issue: spring-projectsgh-6073

jzheaux added a commit that referenced this issue on Nov 13, 2018:
Since StringOrURI is a valid issuer, MappedJwtClaimSetConverter and JwtIssuerValidator no longer assume it. Issue: gh-6073

jzheaux added a commit that referenced this issue on Nov 13, 2018:
Update documentation that indicated the iss claim is proactively coerced into a URL. Issue: gh-6073

jzheaux added a commit that referenced this issue on Nov 13, 2018:
Update documentation that indicated the iss claim is proactively coerced into a URL. Issue: gh-6073

jer051 pushed a commit to jer051/spring-security that referenced this issue on Nov 21, 2018:
Converts URLs to Strings before comparing them. Uses toString(), which delegates to toExternalForm(). Fixes: spring-projectsgh-6073

jer051 pushed a commit to jer051/spring-security that referenced this issue on Nov 21, 2018:
Since StringOrURI is a valid issuer, MappedJwtClaimSetConverter and JwtIssuerValidator no longer assume it. Issue: spring-projectsgh-6073

jer051 pushed a commit to jer051/spring-security that referenced this issue on Nov 21, 2018:
Update documentation that indicated the iss claim is proactively coerced into a URL. Issue: spring-projectsgh-6073
Is there a workaround applicable to Spring Boot 2.1.0.RELEASE?
@mathias-ewald This has been backported to 5.1.2, so the easiest may be to update your pom once that releases. Barring that, though, you can switch out the `@Bean`:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

@Bean
public JwtDecoder jwtDecoder() {
    NimbusJwtDecoderJwkSupport jwtDecoder = (NimbusJwtDecoderJwkSupport)
            JwtDecoders.fromOidcIssuerLocation("https://your-issuer-location");
    // createDefault() only validates the timestamp claims; it does not add JwtIssuerValidator
    OAuth2TokenValidator<Jwt> withoutIssuer = JwtValidators.createDefault();
    OAuth2TokenValidator<Jwt> yourIssuerValidator = // ... your implementation
    DelegatingOAuth2TokenValidator<Jwt> jwtValidator =
            new DelegatingOAuth2TokenValidator<Jwt>(withoutIssuer, yourIssuerValidator);
    jwtDecoder.setJwtValidator(jwtValidator);
    return jwtDecoder;
}
```

While not precisely the same scenario, we demoed an example of customizing validation at Spring One that you might find helpful as well.
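The `yourIssuerValidator` placeholder in the reply above, and the fix the commit messages describe (compare the issuer as a String, so the check goes through `toExternalForm()` rather than `URL.equals`), worked through as an added example. This is not Spring Security's own `JwtIssuerValidator` and was not posted in the thread; the class name `StringIssuerValidator`, the issuer URLs and the demo token are assumptions, and it targets the Spring Security 5.1.x API (`OAuth2TokenValidator`, `OAuth2TokenValidatorResult`, `OAuth2Error`, the public `Jwt` constructor). Because 5.1.x may already have coerced `iss` into a `java.net.URL` (the behaviour the documentation commits remove), the validator accepts either a `URL` or a plain String claim value.

```java
import java.net.URL;
import java.time.Instant;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;

/**
 * Issuer validator that compares the "iss" claim with the expected issuer as a
 * String and never calls URL.equals(). Added example for this issue; the class
 * name is an assumption, not a Spring Security type.
 */
public final class StringIssuerValidator implements OAuth2TokenValidator<Jwt> {

    private static final OAuth2Error INVALID_ISSUER =
            new OAuth2Error("invalid_token", "The iss claim is not valid", null);

    private final String expectedIssuer;

    public StringIssuerValidator(String expectedIssuer) {
        this.expectedIssuer = Objects.requireNonNull(expectedIssuer, "expectedIssuer cannot be null");
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        Object iss = token.getClaims().get(JwtClaimNames.ISS);
        // If the claim-set converter already turned "iss" into a URL, take its external form;
        // otherwise keep the raw StringOrURI value. Either way the comparison below is a
        // plain, case-sensitive String equals with no host-name resolution involved.
        String issuer = (iss instanceof URL) ? ((URL) iss).toExternalForm()
                                             : (iss == null ? null : iss.toString());
        if (this.expectedIssuer.equals(issuer)) {
            return OAuth2TokenValidatorResult.success();
        }
        return OAuth2TokenValidatorResult.failure(INVALID_ISSUER);
    }

    // Constructed demo input (not a real token): the same validator accepts the expected
    // issuer whether the claim arrives as a java.net.URL or as a plain String, and rejects
    // a different issuer. The token value and issuer hosts are made up for this example.
    public static void main(String[] args) throws Exception {
        StringIssuerValidator validator = new StringIssuerValidator("https://issuer.example/");
        Map<String, Object> headers = Collections.singletonMap("alg", "RS256");
        Instant now = Instant.now();

        Map<String, Object> issAsUrl = new HashMap<>();
        issAsUrl.put(JwtClaimNames.ISS, new URL("https://issuer.example/"));
        Map<String, Object> issAsString = new HashMap<>();
        issAsString.put(JwtClaimNames.ISS, "https://issuer.example/");
        Map<String, Object> otherIssuer = new HashMap<>();
        otherIssuer.put(JwtClaimNames.ISS, "https://other.example/");

        for (Map<String, Object> claims : Arrays.asList(issAsUrl, issAsString, otherIssuer)) {
            Jwt jwt = new Jwt("header.payload.signature", now, now.plusSeconds(60), headers, claims);
            boolean rejected = validator.validate(jwt).hasErrors();
            System.out.println(claims.get(JwtClaimNames.ISS) + " -> " + (rejected ? "rejected" : "accepted"));
        }
    }
}
```

Drop an instance of this class into the `yourIssuerValidator` slot of the `@Bean` above. The comparison is deliberately exact: RFC 7519 defines `iss` as a StringOrURI compared as a case-sensitive string with no normalisation, so `https://issuer.example` and `https://issuer.example/` are different issuers, and the expected value must match the authorization server's issuer character for character. Once 5.1.2 is in use, `JwtValidators.createDefaultWithIssuer(issuer)` gives the same String-based issuer check without a custom class.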
Summary

There is a bug in JwtIssuerValidator because it uses URL.equals, which is bad for two reasons:

Related: oktadev/okta-spring-webflux-react-example#9