
I'm trying to set up a resource server using Spring Security and now I want to run it on my machine which has to go through a SSH tunnel to reach the token issuer, so the URI my app ends up calling is something like http://localhost:1234/.well-known/openid-configuration. This endpoint, however, returns something like https://my-auth-server.my-domain.com for the issuer and that creates problems when the framework attempts to check that the two URIs are equal during startup.

I've been able to track it down to JwtDecoderProviderConfigurationUtils where this check happens but I just can't find any hooks to manipulate it:

  • JwtDecoders doesn't expose any properties that instruct it not to validate the issuer on startup (source file).
  • JwtDecoderProviderConfigurationUtils uses its own private RestTemplate, so I can't add any interceptors to it.
  • JwtDecoderProviderConfigurationUtils is package-private, so I can't access any of its methods in order to compose my own version of the JwtDecoder.

I'd be happy to receive any pointers about how I can get around this! I'd rather not have to duplicate a whole bunch of code just to get this to work.

Thomas Kåsene

1 Answer

You can create a custom JwtDecoder which does not include the JwtIssuerValidator:

OAuth2TokenValidator<Jwt> defaultValidators = JwtValidators.createDefault()

Below is an example if you wanted to create it with your own issuer URL that you want to validate, i.e. using

OAuth2TokenValidator<Jwt> defaultValidators = JwtValidators
        .createDefaultWithIssuer("http://localhost:8081/auth/realms/CryptoInc");

i.e.

// Imports needed by the snippet below (Spring Security 5.1-era class names, as used in the answer)
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoderJwkSupport;

// Both methods live inside a WebSecurityConfigurerAdapter subclass.
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
        .authorizeRequests()
            .anyRequest().authenticated()
            .and().oauth2ResourceServer()
                .jwt()
                    .decoder(jwtTokenDecoder());
}

private JwtDecoder jwtTokenDecoder() {
    // fromOidcIssuerLocation fetches the discovery document and builds a JWK-backed decoder
    NimbusJwtDecoderJwkSupport decoder = (NimbusJwtDecoderJwkSupport)
            JwtDecoders.fromOidcIssuerLocation("http://localhost:8081/auth/realms/CryptoInc");
    // createDefault() only validates timestamps; it adds no JwtIssuerValidator
    OAuth2TokenValidator<Jwt> defaultValidators = JwtValidators
            .createDefault();
    // CryptoJwtTokenValidator is the answerer's own validator (not shown in the answer)
    OAuth2TokenValidator<Jwt> delegatingValidator =
            new DelegatingOAuth2TokenValidator<>(defaultValidators, new CryptoJwtTokenValidator());
    decoder.setJwtValidator(delegatingValidator);
    return decoder;
}
    Thanks, but that doesn't fix the problem because your code still uses `JwtDecoders.withProviderConfiguration`, which is where this check happens - it's not the `JwtIssuerValidator` that fails. – Thomas Kåsene Jul 24 '20 at 12:57
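An added example, not code from the question or the answer: the startup issuer comparison only happens when the decoder is built from the discovery document (JwtDecoders.fromOidcIssuerLocation). Building NimbusJwtDecoder directly from the JWK Set URI (available in Spring Security 5.2+) fetches no discovery document, so nothing is compared at startup, while JwtValidators.createDefaultWithIssuer keeps the per-token issuer check against the real issuer value rather than the tunnel address. The JWK Set path and the class name are assumptions; the issuer value and the tunnel port are the ones from the question.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class TunnelledJwtDecoderConfig {

    // Assumption: the JWK Set endpoint as reached through the SSH tunnel.
    // "/jwks-path-placeholder" stands in for the real path published in the
    // provider's discovery document (jwks_uri); look it up there.
    private static final String JWK_SET_URI = "http://localhost:1234/jwks-path-placeholder";

    // The value the authorization server actually puts in the "iss" claim
    // (from the question), which is what incoming tokens must carry.
    private static final String EXPECTED_ISSUER = "https://my-auth-server.my-domain.com";

    @Bean
    JwtDecoder jwtDecoder() {
        // Building from the JWK Set URI skips OIDC discovery entirely, so the
        // startup comparison of configured vs. advertised issuer never runs.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // Do not drop issuer validation just because discovery was bypassed:
        // createDefaultWithIssuer adds JwtIssuerValidator for the real issuer
        // on top of the default timestamp validation.
        OAuth2TokenValidator<Jwt> validators = JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER);
        decoder.setJwtValidator(validators);
        return decoder;
    }
}
```

With a JwtDecoder bean present, oauth2ResourceServer().jwt() picks it up without an explicit .decoder(...) call. The trade-off is that the JWK Set URI is now hard-coded for the tunnel rather than discovered, so it belongs in a profile or property used only for the local setup; tokens themselves are still checked for signature, expiry and the production issuer value.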