
A question has arisen for me when I tried to use the spring-boot-starter-oauth2-resource-server dependency and set up my service as an OAuth2 resource server.

I've configured the Spring OAuth2 resource server without the spring.security.oauth2.resourceserver.jwt.issuer-uri or jwk-set-uri properties.

Instead of that, I've instructed the Spring OAuth2 resource server library how to decode the JWT. I've just created a ReactiveJwtDecoder:

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Bean
public ReactiveJwtDecoder reactiveJwtDecoder() throws Exception {
    // Symmetric (HMAC) key: the same secret signs tokens and verifies them
    Mac mac = Mac.getInstance("HmacSHA256");
    SecretKeySpec secretKey = new SecretKeySpec("JAC1O17W1F3QB9E8B4B1MT6QKYOQB36V".getBytes(), mac.getAlgorithm());

    // Decoder that verifies the HS256 signature with that shared secret
    return NimbusReactiveJwtDecoder.withSecretKey(secretKey)
        .macAlgorithm(MacAlgorithm.HS256)
        .build();
}

With that, I'm able to validate JWT tokens.

The question that arose in my mind is:

According to OAuth RFC 6749, the "Accessing Protected Resources" section says:

The client accesses protected resources by presenting the access token to the resource server. The resource server MUST validate the access token and ensure that it has not expired and that its scope covers the requested resource. The methods used by the resource server to validate the access token (as well as any error responses) are beyond the scope of this specification but generally involve an interaction or coordination between the resource server and the authorization server.

Is the Spring OAuth2 resource server library working well?

Alex
Jordi

1 Answer


There is nothing wrong with such an approach. The possible issue here is that you are using a symmetric key. With this approach you are using the same key for both signing a token and validating its signature. It means you need to share the key used to sign tokens with all the applications involved in the authentication process, which is not always possible, and the resource server has too much power.

To keep the key on the authorization service only, there is an option in the resource server to use a special endpoint, exposed by the authorization service, to validate the token.

Another approach would be to use an asymmetric key pair to sign and validate tokens. In this case the private key will be assigned to the authorization service only and the public key can be shared with all the applications involved in the authentication process.

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

// `properties` and `getKeySpec(...)` are this answer's own configuration holder and
// helper (not shown here): getKeySpec turns the configured public key into DER bytes
@Bean
public ReactiveJwtDecoder jwtDecoder() throws GeneralSecurityException {
    RSAPublicKey key = (RSAPublicKey) KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(getKeySpec(properties.getPublicKey())));
    // Only the public key is needed here; the private key stays on the authorization service
    return NimbusReactiveJwtDecoder.withPublicKey(key)
            .signatureAlgorithm(SignatureAlgorithm.from(properties.getSignatureAlgorithm()))
            .build();
}
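As an added example (not code from the question or the answer), here is the split the answer describes end to end: an authorization server signs with an RSA private key, and a resource server holding only the public key verifies the signature, the expiry and the scope that RFC 6749 says it MUST check. The key pair, claims, scope strings and class name are constructed for the demo; it assumes spring-security-oauth2-jose (with the Nimbus JOSE library it wraps) and Reactor on the classpath.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Date;
public class AsymmetricJwtDemo {
    // Authorization-server side: the private key is used here and nowhere else.
    static String mintToken(KeyPair keyPair, long ttlSeconds) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")                          // constructed sample claims
                .claim("scope", "orders:read")
                .expirationTime(Date.from(Instant.now().plusSeconds(ttlSeconds)))
                .build();
        SignedJWT jwt = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        jwt.sign(new RSASSASigner(keyPair.getPrivate()));
        return jwt.serialize();
    }
    // Resource-server side: only the public key is configured, as in the answer.
    // decode() checks the RS256 signature and, through Spring's default
    // JwtTimestampValidator, rejects tokens expired beyond the 60 s default clock skew.
    static boolean allows(RSAPublicKey publicKey, String token, String requiredScope) {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withPublicKey(publicKey).build();
        try {
            Jwt jwt = decoder.decode(token).block();
            // RFC 6749: the token's scope must cover the requested resource.
            String scope = " " + jwt.getClaimAsString("scope") + " ";
            return scope.contains(" " + requiredScope + " ");
        } catch (JwtException e) {
            return false; // invalid signature, expired, or malformed token
        }
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048);
        KeyPair keyPair = gen.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) keyPair.getPublic();
        String token = mintToken(keyPair, 300);
        System.out.println(allows(pub, token, "orders:read"));    // scope covered
        System.out.println(allows(pub, token, "orders:write"));   // scope not covered
        System.out.println(allows(pub, mintToken(keyPair, -300), "orders:read")); // expired
    }
}
```

Because the resource server only ever sees the public key, a compromised resource server cannot mint tokens of its own, which is the limitation of the HS256 setup in the question.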