Skip to content

JWT decoder config#887

Merged
leoraba merged 2 commits into
developfrom
fix/decode-jwt-keys
May 5, 2025
Merged

JWT decoder config#887
leoraba merged 2 commits into
developfrom
fix/decode-jwt-keys

Conversation

@leoraba
Copy link
Copy Markdown
Contributor

@leoraba leoraba commented May 5, 2025

Pull Request

Description

This PR refactors the JwtDecoder configuration to provide a custom bean that dynamically selects between using a public key location or a JWK Set URL.

It considers two environment variables:

  • The SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_PUBLIC_KEY_LOCATION variable points to a public key file. This option is used if both environment variables are set.

  • The SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI variable points to a JWK Set URL.

Fixes the Issue:

  • Application fails to decode a JWT due to a conflict in the default configuration, where two resources are being configured for JWT decoding.

Type of change

Please choose only the relevant options and remove the others.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration.

  • Tested locally, set an environment variable to override the default configuration, making sure a JWT token is decoded successfully.

Checklist:

You do not need to fullfill all requirements of this checklist, select all that apply:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • [] I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

justincorrigible
justincorrigible reviewed May 5, 2025
View reviewed changes
Comment thread song-server/src/main/java/bio/overture/song/server/config/JwtDecoderConfig.java
Comment on lines +37 to +49
public JwtDecoder jwtDecoder() {
try {
if (isPublicKeyConfigured()) {
return NimbusJwtDecoder.withPublicKey(loadRsaPublicKey()).build();
} else if (isJwkSetUriConfigured()) {
return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
} else {
throw new IllegalStateException("Neither public-key-location nor jwk-set-uri is configured.");
}
} catch (Exception e) {
throw new RuntimeException("Failed to configure JwtDecoder", e);
}
}
Copy link
Copy Markdown
Member

@justincorrigible justincorrigible May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

worth documenting this somewhere (readme?)

Copy link
Copy Markdown
Contributor Author

@leoraba leoraba May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added comments on the application.yml section, where default secure profile is set.

@leoraba leoraba merged commit a06c7cf into develop May 5, 2025
2 checks passed
@leoraba leoraba deleted the fix/decode-jwt-keys branch May 5, 2025 19:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@justincorrigible justincorrigible justincorrigible approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@leoraba @justincorrigible