
I have an OpenID provider (openam) running locally. I am using a self-signed certificate and the jwks URL is @ https://localhost:8443/openam/oauth2/connect/

Because the SSL certificate is self-signed, I am getting an SSLHandshakeException when the OIDC token is decoded. I tried using a custom RestTemplate by creating a custom JwtDecoder (as suggested in https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-decoder-dsl ):

@Bean
public JwtDecoder jwtDecoder() {
    // Resource-server decoder: fetch the JWK Set through a RestTemplate that trusts the self-signed cert
    return NimbusJwtDecoder.withJwkSetUri("https://localhost:8443/openam/oauth2/connect")
            .restOperations(myCustomRestTemplateThatAllowsSelfSignedCerts())
            .build();
}

But this decoder does not seem to be used. The OidcIdTokenDecoderFactory is being used to create the decoder, and this class does not seem to allow us to pass in a custom JwtDecoder.

Why does oauthResourceServer().jwt().decoder(customDecoder()) not work? How can I get the decoder to work with a JWKS URI that is served by a website with a self-signed certificate?

One option I am thinking of is to add the self-signed certificate to the cacerts file of my JDK.

kellyfj
  • Do you know from which filter the OidcIdTokenDecoderFactory is being used? – NatFar Jan 15 '20 at 14:37
  • From my Eclipse debugger, I see the call is from OAuth2LoginAuthenticationFilter.attemptAuthentication line 185 -> ProviderManager.authenticate line 175 -> OidcAuthorizationCodeAuthenticationProvider.authenticate line 161 -> OidcAuthorizationCodeAuthenticationProvider.createOidcToken line 226 -> OidcIdTokenDecoderFactory.createDecoder line 66 – prabhakar thopa Jan 15 '20 at 16:19
  • oauthResourceServer().jwt().decoder(customDecoder()) doesn't work because you're most likely using .oauth2Login() – NatFar Jan 15 '20 at 16:22
  • Yes, I am running both the client and the resource server inside the same service, i.e. I have one class extending WebSecurityConfigurerAdapter for the client which uses the .oauth2Login DSL and another WebSecurityConfigurerAdapter which uses the .oauth2ResourceServer DSL for the resource server. – prabhakar thopa Jan 15 '20 at 16:26
  • The "problem" (custom JwtDecoder not being used) isn't with the resource server; it's in the client side – NatFar Jan 15 '20 at 17:06
  • Thanks, your clarification helped me see that the problem is on the client side. I now see that the token sent back from the authorization server is being verified for its signature by the client, which uses OidcIdTokenDecoderFactory to decode the token, and it is failing there. So I still have the issue of how to customize this factory to accept self-signed certificates for the JWKS URI. – prabhakar thopa Jan 15 '20 at 17:24

1 Answer

OAuth2LoginAuthenticationFilter is calling OidcAuthorizationCodeAuthenticationProvider for OpenID authentication. To change the JwtDecoder that it uses, you should have a JwtDecoderFactory bean.

For example, you might have something like:

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Bean
public JwtDecoderFactory<ClientRegistration> customJwtDecoderFactory() {
    return new CustomJwtDecoderFactory();
}

static class CustomJwtDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
    @Override
    public JwtDecoder createDecoder(ClientRegistration reg) {
        // Build the ID-token decoder from the registration's JWK Set URI,
        // using the RestTemplate from the question that trusts the self-signed cert
        String jwkSetUri = reg.getProviderDetails().getJwkSetUri();
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .restOperations(myCustomRestTemplateThatAllowsSelfSignedCerts())
                .build();
    }
}

Hopefully this answers at least part of your question.

NatFar
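A fuller version of the JwtDecoderFactory approach from the answer, written as an added example (not the answer author's or Spring Security's own code). Two points matter for security here: the RestTemplate that fetches the JWK Set trusts only a trust store containing the OpenAM self-signed certificate rather than disabling TLS verification, and the decoder keeps the ID-token validators (exp/iat, issuer, audience, nonce, ...) that the stock OidcIdTokenDecoderFactory would otherwise install, since a custom factory silently drops them. The class name, bean name, trust store path and password are assumptions; Spring Security 5.2+ is assumed for the public static createDefaultJwtValidator method.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class OidcIdTokenDecoderConfig {   // hypothetical class name

    // Assumed PKCS12 trust store holding only the OpenAM self-signed certificate
    // (create it with: keytool -importcert -file openam.crt -keystore openam-truststore.p12 -storetype PKCS12)
    private static final String TRUST_STORE_PATH = "/etc/myapp/openam-truststore.p12"; // placeholder path
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();       // placeholder secret

    /**
     * Picked up by OAuth2LoginConfigurer (via .oauth2Login()) in place of OidcIdTokenDecoderFactory.
     * The bean type must be exactly JwtDecoderFactory<ClientRegistration> for the lookup to find it.
     */
    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() throws Exception {
        RestTemplate pinnedRestTemplate = restTemplateTrusting(TRUST_STORE_PATH, TRUST_STORE_PASSWORD);
        return clientRegistration -> {
            // The JWK Set URI comes from the ClientRegistration (application.yml or discovery), not a literal
            String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                    .restOperations(pinnedRestTemplate)
                    .build();
            // Re-install the OIDC ID-token checks the default factory applies (timestamps, iss, aud, nonce, ...).
            // Without this line the ID token is only signature-checked, which is not enough for login.
            decoder.setJwtValidator(OidcIdTokenDecoderFactory.createDefaultJwtValidator(clientRegistration));
            return decoder;
        };
    }

    /** RestTemplate whose TLS trust is limited to the certificates in the given trust store. */
    static RestTemplate restTemplateTrusting(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);

        // JDK HttpURLConnection-based factory; hostname verification stays at the JDK default
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
                if (connection instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) connection).setSSLSocketFactory(sslContext.getSocketFactory());
                }
                super.prepareConnection(connection, httpMethod);
            }
        };
        return new RestTemplate(requestFactory);
    }
}
```

Because hostname verification is left on, the self-signed certificate must carry localhost (or whatever host appears in the JWKS URI) as a subject alternative name; if the handshake now fails with a hostname mismatch, reissue the certificate with the right SAN rather than installing a permissive HostnameVerifier. Importing the certificate into the JDK cacerts file, as the question considers, achieves the same trust decision but applies it to every HTTPS client in that JVM instead of only this decoder.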