Spring Boot OAuth2 resource server JWT Encoder
-
I'm using the spring-boot-starter-oauth2-resource-server dependency for my microservice. I set the issuer URL and the app can reach the issuer. The problem is that the app can't decode the JWT token that I'm giving to it. I'm getting this error:

2020-12-16 05:37:56.934 DEBUG 26116 --- [nio-8500-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2020-12-16 05:37:56.934 DEBUG 26116 --- [nio-8500-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2020-12-16 05:38:00.012 DEBUG 26116 --- [nio-8500-exec-2] o.s.security.web.FilterChainProxy : Securing GET /user/me
2020-12-16 05:38:00.012 DEBUG 26116 --- [nio-8500-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2020-12-16 05:38:00.020 DEBUG 26116 --- [nio-8500-exec-2] o.s.s.o.s.r.a.JwtAuthenticationProvider : Failed to authenticate since the JWT was invalid
2020-12-16 05:38:00.022 DEBUG 26116 --- [nio-8500-exec-2] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2020-12-16 05:38:00.022 DEBUG 26116 --- [nio-8500-exec-2] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
My configuration (the posted snippet, restored to a compilable class; the class name and imports are assumed, the rest is as posted):

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoders;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // class name assumed

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    String jwksUrl; // injected but not used by the decoder below

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorizeRequests -> authorizeRequests
                .antMatchers("/services").hasAuthority("SCOPE_services:read")
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2ResourceServer -> oauth2ResourceServer
                // Builds a decoder from <issuerUri>/.well-known/openid-configuration,
                // fetching the public keys advertised there under jwks_uri.
                .jwt(jwt -> jwt.decoder(JwtDecoders.fromIssuerLocation(issuerUri)))
            );
    }
}
```

I think the problem is the JWT secret, which is base64 encoded. Is there a way to change that from FusionAuth, so the secret is not encoded with base64?
Originally posted here: https://github.com/FusionAuth/fusionauth-issues/issues/1046
-
The JwtDecoders.fromIssuerLocation method will attempt to resolve the jwks_uri from the OpenID Connect discovery document found using the issuer URI. The FusionAuth JSON Web Key Set (JWKS) only publishes the public key from asymmetric key pairs. This means there are no public keys published and the Spring Boot library cannot verify the token signature.

For example, if your issuerUri is https://example.com then the OpenID Discovery URL is https://example.com/.well-known/openid-configuration and the value for jwks_uri found in the JSON response from that URL will be https://example.com/.well-known/jwks.json. If you hit that URL you will see no public keys are being returned; this is the JSON that the library is consuming in an attempt to build the public key necessary to validate the JWT signature. To use this strategy you'll need to configure FusionAuth to sign the JWT using an RSA or ECDSA key pair instead of the default HMAC key, which is symmetric.
Generate a new RSA or ECDSA key pair in Key Master (Settings > Key Master) and then ensure your JWT signing configuration uses that key. The primary JWT signing configuration is found in the tenant, with optional application-level overrides.
https://fusionauth.io/docs/v1/tech/core-concepts/tenants/#jwt
https://fusionauth.io/docs/v1/tech/core-concepts/applications/#jwt
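An added example of the lookup the answer describes, written for this page and not taken from the original post, FusionAuth or Spring: given a JWT and the JSON body served at jwks_uri, it reports whether the token's alg is symmetric (in which case the JWKS can never carry the key) and whether a key with a matching kid is present. Every secret, token and JWKS document below is a constructed placeholder; the RS256 token carries a dummy signature and is used only for the key lookup, not verified.

```python
"""Diagnose why a jwks_uri-based resource server cannot verify a JWT."""
import base64
import hashlib
import hmac
import json

# Algorithm names per RFC 7518. HMAC algorithms need a shared secret, which a
# public JWKS cannot publish; only the asymmetric ones have a public half.
SYMMETRIC_ALGS = {"HS256", "HS384", "HS512"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes, kid: str) -> str:
    """Mint an HS256 token the way an HMAC-configured issuer would."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Only a party holding the shared secret can perform this check."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def jwt_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def diagnose(token: str, jwks_json: str) -> dict:
    """Mimic the key selection a jwks_uri-backed decoder performs.

    Returns the token's alg and kid, whether alg is symmetric, whether the
    JWKS holds a usable matching key, and a one-line verdict.
    """
    header = jwt_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    keys = json.loads(jwks_json).get("keys", [])
    # Candidate keys: kid matches (or token has none), key is for signing,
    # and any alg declared on the key agrees with the token's alg.
    matching = [
        k for k in keys
        if (kid is None or k.get("kid") == kid)
        and k.get("use", "sig") == "sig"
        and k.get("alg") in (None, alg)
    ]
    result = {"alg": alg, "kid": kid,
              "symmetric": alg in SYMMETRIC_ALGS, "key_found": bool(matching)}
    if result["symmetric"]:
        result["verdict"] = ("token is HMAC-signed; a JWKS cannot publish the shared "
                             "secret, so re-sign with an RSA or ECDSA key pair")
    elif not keys:
        result["verdict"] = "JWKS is empty; issuer has no asymmetric signing key"
    elif not matching:
        result["verdict"] = f"no JWKS key with kid={kid!r} and alg={alg!r}"
    else:
        result["verdict"] = "public key available; signature check can proceed"
    return result


# Constructed sample inputs (placeholders, not real FusionAuth output).
SECRET = b"placeholder-hmac-secret"
HS_TOKEN = make_hs256_jwt({"sub": "alice", "iss": "https://example.com"},
                          SECRET, "hmac-key-1")
EMPTY_JWKS = json.dumps({"keys": []})  # what an HMAC-only tenant publishes
RSA_JWKS = json.dumps({"keys": [{"kty": "RSA", "kid": "rsa-key-1", "use": "sig",
                                  "alg": "RS256", "n": "<modulus>", "e": "AQAB"}]})
# Header-only RS256 token with a dummy signature; used for key lookup only.
RS_TOKEN = ".".join([b64url_encode(json.dumps({"alg": "RS256", "kid": "rsa-key-1"}).encode()),
                     b64url_encode(b'{"sub":"alice"}'), b64url_encode(b"\x00")])

if __name__ == "__main__":
    print(diagnose(HS_TOKEN, EMPTY_JWKS))
    print(diagnose(RS_TOKEN, RSA_JWKS))
    print("HS256 verifies with the shared secret:", verify_hs256(HS_TOKEN, SECRET))
```

Running it against a real deployment means replacing the placeholders with a token minted by your tenant and the body of GET https://example.com/.well-known/jwks.json; an HS256 alg in the header together with an empty keys array is exactly the state the answer describes.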