Spring OAuth2 with JWT - Cannot convert access token to JSON When Separating Auth and Resource Servers

Backend · Unresolved · 3 answers · 1583 views
深忆病人 2021-01-11 11:29

I am looking to use Spring Boot to create an OAuth2 Authentication server that could be used by multiple Resource servers. Consequently, I need to create the two server

3 answers
  • 2021-01-11 12:09

    In both the Resource Server and the OAuth Server you should use both the verifier key and the signing key.

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

    // Property name is an assumption; the original snippet only shows the field being used.
    @Value("${security.oauth2.resource.jwt.key-value}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(signingKey); // key used to check incoming tokens
        converter.setSigningKey(signingKey);  // key used to sign tokens this server issues
        return converter;
    }
    
  • 2021-01-11 12:24

    The issue is, in the Resource Server you should use the verifier key instead of the signing key.

    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.context.annotation.Bean;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

    // Property name is an assumption; the original snippet only shows the field being used.
    @Value("${security.oauth2.resource.jwt.key-value}")
    private String signingKey;

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setVerifierKey(signingKey); // resource server only checks tokens, it never issues them
        return converter;
    }
    

    Edit 01/05: I downloaded the source code that you referred to in your post (link) and separated the Resource Server component into an independent app.

    Please cross-check that you have all the entries below in application.properties.

    I suspect that you might have missed some config entries in application.properties.

    After this, when I hit the Resource Server with the JWT token, it returns the proper response.

    One clarification: in this example they are also using a symmetric key for encrypting the JWT token. Hence, even in the Resource Server, setSigningKey should be used in the accessTokenConverter method. setVerifierKey is used when an asymmetric key is used for encryption.

    I saw you had posted another question on the same topic. Your understanding is correct. JWT token can be used by multiple Resource Servers.

  • 2021-01-11 12:28

    First, you must verify whether the JWT is using an asymmetric or a symmetric key. As @Child said, setVerifierKey is used when an asymmetric key is used for encryption.

    Second, make sure the PublicKey has been encoded to a string in the correct way:

    import java.security.PublicKey;
    import java.util.Base64;

    // getPublicKey() is the poster's own loader for the RSA public key (not shown).
    PublicKey publicKey = getPublicKey();
    // getEncoded() returns the X.509 SubjectPublicKeyInfo DER bytes, which is what "PUBLIC KEY" PEM wraps.
    String strPublicKey = Base64.getEncoder().encodeToString(publicKey.getEncoded());
    

    Third, make sure that the string key passed to setVerifierKey is formatted as below (you can test it here):

    String verifierKey = String.format("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", strPublicKey);
    converter.setVerifierKey(verifierKey);
    

    If in doubt, I recommend this article.

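A worked version of the key handling the three answers disagree about, added here as an example; it is not code from the question, from the sample project the second answer links, or from the spring-security-oauth2 library. It uses only the JDK, so it runs without Spring: the authorization-server side signs an RS256 token with the RSA private key, the resource-server side is handed nothing but the PEM-wrapped public key (the text `setVerifierKey` expects, with the Base64 body wrapped at 64 columns, which the third answer's one-line `String.format` does not do), parses it back the way the converter would, verifies the token, and rejects a tampered one. The class name, claims, key size, and the `security.oauth2.resource.jwt.key-value` property mentioned in comments are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Added example, not code from the original question or from spring-security-oauth2.
public class JwtKeyDemo {

    // Fixed JOSE header; only tokens carrying exactly this header are accepted below.
    static final String HEADER = b64url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));

    // PEM bodies are wrapped at 64 characters, like openssl output; a single long Base64
    // line is what some parsers reject.
    static String toPem(PublicKey publicKey) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.UTF_8))
                .encodeToString(publicKey.getEncoded());
        return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n";
    }

    // What the resource server does with the verifier key: strip the armour and decode the
    // X.509 SubjectPublicKeyInfo that PublicKey.getEncoded() produced.
    static PublicKey fromPem(String pem) throws Exception {
        String body = pem.replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    static String b64url(byte[] in) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(in);
    }

    // Authorization server side: RS256 is SHA256withRSA over "header.payload".
    static String sign(String claimsJson, PrivateKey privateKey) throws Exception {
        String signingInput = HEADER + "." + b64url(claimsJson.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(privateKey);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + b64url(sig.sign());
    }

    // Resource server side: only the public key is needed. Returns the claims JSON on
    // success, or null when the shape, the algorithm or the signature is wrong.
    static String verify(String jwt, PublicKey publicKey) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return null;
        // Pin the algorithm: a token re-labelled "alg":"none" or "HS256" (HMAC over the
        // public key) must not pass just because its bytes decode.
        if (!HEADER.equals(parts[0])) return null;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.UTF_8));
        if (!sig.verify(Base64.getUrlDecoder().decode(parts[2]))) return null;
        return new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();

        // This PEM text is what the resource server gets: paste it into
        // security.oauth2.resource.jwt.key-value or pass it to setVerifierKey().
        String verifierKey = toPem(pair.getPublic());
        System.out.println(verifierKey);

        // Constructed sample claims; the real converter derives them from the OAuth2Authentication.
        String claims = "{\"user_name\":\"alice\",\"scope\":[\"read\"],\"client_id\":\"app\"}";
        String token = sign(claims, pair.getPrivate());

        PublicKey resourceServerKey = fromPem(verifierKey);
        System.out.println("valid token    -> " + verify(token, resourceServerKey));

        // Change one character of the payload: the signature no longer matches.
        String[] p = token.split("\\.");
        String tampered = p[0] + "." + "f" + p[1].substring(1) + "." + p[2];
        System.out.println("tampered token -> " + verify(tampered, resourceServerKey));
    }
}
```

The split this demonstrates is the security reason to prefer the asymmetric setup once more than one resource server exists: with a shared HMAC secret (`setSigningKey` on both sides) every resource server holds the same bytes the authorization server signs with, so any one of them can mint tokens the others accept. With RSA, the private key stays on the authorization server and a resource server that is compromised leaks only a public key.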