
I am trying to validate, from Spring Boot, a JWT token generated by one of my custom Apigee proxies. I am wondering whether I can use Spring Security, with Apigee as the authorization server, to validate the JWT?

Here is my web security configuration:

```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
            .oauth2ResourceServer()
            .jwt();
}
```

```properties
spring.security.oauth2.resourceserver.jwt.issuer-uri={apigee_endpoint}
```

Log says:

```text
org.springframework.security.oauth2.jwt.JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance
    at org.springframework.security.oauth2.jwt.SupplierJwtDecoder.wrapException(SupplierJwtDecoder.java:58) ~[spring-security-oauth2-jose-5.6.3.jar:5.6.3]
    at org.springframework.security.oauth2.jwt.SupplierJwtDecoder.decode(SupplierJwtDecoder.java:49) ~[spring-security-oauth2-jose-5.6.3.jar:5.6.3]
    at org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider.getJwt(JwtAuthenticationProvider.java:97) ~[spring-security-oauth2-resource-server-5.6.3.jar:5.6.3]

Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of "{issuer_url}"
    at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfiguration(JwtDecoderProviderConfigurationUtils.java:166) ~[spring-security-oauth2-jose-5.6.3.jar:5.6.3]
    at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getConfigurationForIssuerLocation(JwtDecoderProviderConfigurationUtils.java:79) ~[spring-security-oauth2-jose-5.6.3.jar:5.6.3]
    at org.springframework.security.oauth2.jwt.JwtDecoders.fromIssuerLocation(JwtDecoders.java:93) ~[spring-security-oauth2-jose-5.6.3.jar:5.6.3]
```
  • I tried this, but got stuck with the issuer-uri: `spring.security.oauth2.resourceserver.jwt.issuer-uri=`. Not sure what the Apigee issuer URI pattern would be. It keeps throwing the error `Caused by: java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of` – enthusiast May 05 '22 at 10:15
  • Apparently the value of `{apigee_endpoint}` is `{issuer_url}`, but it must be a valid URI. – dur May 06 '22 at 09:37
  • That's right. Any guidance on what that value would be for Apigee Edge? – enthusiast May 06 '22 at 11:06
  • https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview – dur May 06 '22 at 11:44
  • The `issuer-uri` configures a standard discovery mechanism that the authorization server needs to implement. Typically, a well-known endpoint such as `https://apigee-host.com/.well-known/openid-configuration` must exist, and the issuer-uri property would be `https://apigee-host.com`. I'm not familiar with Apigee but it appears they do have features that ought to make this possible, however I can't find the docs that discuss it explicitly. – Steve Riesenberg May 06 '22 at 17:20
  • @Steve Thanks for the input. I created a well-known endpoint and, instead of issuer-uri, I supplied the jwk-set-uri, which works fine. – enthusiast May 09 '22 at 09:55
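As an added example (not the asker's code, and not Spring's or Apigee's own documentation), here is what the `jwk-set-uri` approach from the comments looks like when the `iss` claim is still checked: pointing the decoder at the JWKS endpoint avoids the discovery lookup that failed above, but by itself it does not verify who issued the token, so an issuer validator and an audience check are wired in explicitly. The host, issuer, JWKS path and audience values are placeholders to be replaced with what the Apigee proxy actually emits.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholder values: they must match exactly what the Apigee proxy puts in "iss" and "aud".
    private static final String ISSUER = "https://apigee-host.example/v1/oauth";
    private static final String JWKS_URI = "https://apigee-host.example/v1/oauth/jwks";
    private static final String AUDIENCE = "my-spring-api";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                .decoder(jwtDecoder());
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // Fetch signing keys straight from the JWKS endpoint; no OIDC discovery document is needed.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();

        // The default validators only check exp/nbf; createDefaultWithIssuer adds a strict "iss"
        // match, which a jwk-set-uri-only setup would otherwise skip. The audience check rejects
        // tokens minted by the same issuer for a different API.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(AUDIENCE));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audience));
        return decoder;
    }
}
```

With Spring Boot, setting both `jwk-set-uri` and `issuer-uri` in properties gives the same issuer check without a custom bean, but the audience validation still has to be added by hand in this Spring Security version.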

1 Answer

I had this issue when we used two different versions of Keycloak. The path for one was

```text
${security-provider-host-port}/auth/realms/${security-provider-realm}
```

and for the other

```text
${security-provider-host-port}/realms/${security-provider-realm}
```

So, check your `spring.security.oauth2.resourceserver.jwt.issuer-uri` path.
