I am looking to use Spring Boot to create an OAuth2 Authentication Server that could be used by multiple Resource Servers. Consequently, I need to create the two servers
In both the Resource Server and the OAuth Server you should use both the verifier key and the signing key.
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

// signingKey is a String field of the enclosing @Configuration class
// (typically injected from application.properties)
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    // verifier key: used to check token signatures
    converter.setVerifierKey(signingKey);
    // signing key: used to sign tokens that this server issues
    converter.setSigningKey(signingKey);
    return converter;
}
The issue is that in the Resource Server you should use the verifier key instead of the signing key.
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

// Resource Server: only verifies tokens, so it only needs the verifier key
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
    converter.setVerifierKey(signingKey);
    return converter;
}
Edit 01/05: Downloaded the source code you referred to in your post (link) and separated the Resource Server component into an independent app.
Cross-check whether you have all the entries below in application.properties.
I suspect that you might have missed some config entries in application.properties.
After this, when I hit the Resource Server with the JWT token, it returns a proper response.
One clarification: in this example they are also using a symmetric key for encrypting the JWT token. Hence, even in the Resource Server, in the accessTokenConverter method, setSigningKey should be used. setVerifierKey will be used when an asymmetric key is used for encryption.
I saw you had posted another question on the same topic. Your understanding is correct: a JWT token can be used by multiple Resource Servers.
First, you must verify whether the JWT is using an asymmetric key or a symmetric key. As @Child said, setVerifierKey will be used when an asymmetric key is used for encryption.
Second, make sure the PublicKey has been encoded to a string in the correct way:
import java.security.PublicKey;
import java.util.Base64;

// getPublicKey() is your own method that loads the RSA public key (for example from a keystore)
PublicKey publicKey = getPublicKey();
// getEncoded() gives the X.509 SubjectPublicKeyInfo DER bytes; Base64 of that is the body of a "PUBLIC KEY" PEM block
String strPublicKey = Base64.getEncoder().encodeToString(publicKey.getEncoded());
Third, make sure that the string key passed to setVerifierKey is formatted as below (you can test it here):
// JwtAccessTokenConverter recognises the PEM header and builds an RSA verifier from it
String verifierKey = String.format("-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----", strPublicKey);
converter.setVerifierKey(verifierKey);
If in doubt, I recommend this article.
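Putting the two answers together: the following is an added example, not code from the question, either answer, or the tutorial linked above. It shows the split both answers describe for the asymmetric case: the Authorization Server holds the RSA key pair and signs tokens, and each Resource Server holds only the PEM-encoded public key and can verify but never mint tokens. It assumes a PKCS#12 keystore jwt.p12 on the Authorization Server's classpath (RSA key pair under alias jwt, password changeit), a file jwt-public.pem on each Resource Server's classpath containing the "-----BEGIN PUBLIC KEY-----" string that the second answer builds, and the package name example.oauth2; all three are placeholders. Client registration and the rest of the security setup are unchanged from the thread and omitted here. The two classes go in their own files (and normally their own applications).

```java
// --- AuthServerConfig.java ---
package example.oauth2; // hypothetical package

import java.security.KeyPair;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

/** Authorization Server: the only component that holds the private key. */
@Configuration
@EnableAuthorizationServer
public class AuthServerConfig extends AuthorizationServerConfigurerAdapter {

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        // Assumed keystore jwt.p12 on the classpath with an RSA key pair under alias "jwt".
        KeyStoreKeyFactory keyFactory = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.p12"), "changeit".toCharArray());
        KeyPair keyPair = keyFactory.getKeyPair("jwt");
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // setKeyPair installs an RSA signer (private key) and an RSA verifier (public key).
        // The public half is what the /oauth/token_key endpoint publishes.
        converter.setKeyPair(keyPair);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        // Client registration and the authentication manager are configured elsewhere.
        endpoints.tokenStore(tokenStore()).accessTokenConverter(accessTokenConverter());
    }
}

// --- ResourceServerConfig.java (a separate application) ---
package example.oauth2; // hypothetical package

import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.util.StreamUtils;

/** Resource Server: verifies tokens with the public key only and cannot issue them. */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Assumed file jwt-public.pem on the classpath: the
        // -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- string from the second answer.
        // Only the verifier key is set; no signing key exists on this server.
        converter.setVerifierKey(readClasspathFile("jwt-public.pem"));
        // Symmetric (HMAC) case for comparison: you would instead call
        // converter.setSigningKey(sharedSecret) here, the same call as on the
        // Authorization Server, and every Resource Server could then also sign tokens.
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore());
    }

    private static String readClasspathFile(String path) {
        try {
            return StreamUtils.copyToString(
                    new ClassPathResource(path).getInputStream(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}
```

The reason to prefer this layout once several Resource Servers share one Authorization Server is the point @Child's clarification hints at: with an HMAC secret, verification and signing use the same key, so each Resource Server that can verify a token can also forge one, and compromising any one of them compromises all of them. With an RSA pair, only the Authorization Server can sign, and the public key can be distributed freely (as a file, as here, or fetched from the Authorization Server's /oauth/token_key endpoint). If you do stay with a symmetric key, call setSigningKey with the same secret on every server rather than setVerifierKey, as the clarification says.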