
I'm trying to decode a JWT token issued by Keycloak in my Spring Boot project using the com.auth0 java-jwt and com.auth0 jwks-rsa dependencies in my pom.xml. These dependencies have version numbers, and I've been asked to remove them in favor of Spring Boot dependencies that are automatically synced with the Spring Boot version we use.

We are using Keycloak to get a JWT token on user login and using that JWT token to authenticate access to certain APIs via an interceptor. The part of the interceptor that decodes and verifies the token is as follows:

import java.security.interfaces.RSAPublicKey;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

// JWT.decode only parses the header and claims; it does NOT verify the signature.
// The unverified claims are used solely to pick the realm whose key is needed.
DecodedJWT jwt = JWT.decode(token);
// Public key for the token's realm: served from the cached map, or fetched from Keycloak.
RSAPublicKey publicKey = keycloakValidateConfig.getPublicKeyMap(jwt);

// RS256 verification needs only the public key, so the private key is null.
Algorithm algorithm = Algorithm.RSA256(publicKey, null);
JWTVerifier verifier = JWT.require(algorithm).build();

// Throws JWTVerificationException on a bad signature or an expired token.
verifier.verify(token);
// The issuer is checked separately because it can be any of several Keycloak realms.
if (!verifyIssuer(jwt)) {
    log.info("Unauthorized token issuer.");
    throw new BadRequestException();
}

// Accepts the token only if "iss" matches one of the configured Keycloak realm issuers.
private boolean verifyIssuer(final DecodedJWT token) {
    for (String expectedIssuerRealm : AuthTokenValidationConstants.ISSUER_ARRAY) {
        String expectedIssuer = AuthTokenValidationConstants.KEYCLOAK_DOMAIN + expectedIssuerRealm;
        if (expectedIssuer.equals(token.getClaim("iss").asString())) {
            return true;
        }
    }
    return false;
}

The publicKey is being fetched from a config file that keeps a map: if the public key already exists for the realm, it is served; otherwise it is fetched from Keycloak. I now have to replace all this with a Spring Boot OAuth2 Client dependency.

I've tried to use the library but I'm not able to replace everything and have it run smoothly while also keeping it simple. For instance, using the previous dependency, I can decode the JWT without specifying issuers and check for issuers afterwards as the issuer can be one of four different Keycloak realms. I can also get the public key using this.

Would appreciate some help on how I can go about this: either a way to auto-update the auth0 dependency to ensure that it is always compatible with the Spring Boot version, or how I can use OAuth2 Client to do the same thing while keeping the code simple.

Thank you in advance!

1 Answer


spring-boot-starter-oauth2-resource-server is probably what you are looking for. Documentation here.

Also, I wrote thin wrappers around spring-boot-starter-oauth2-resource-server to further ease resource server configuration. Those starters are available from Maven Central, but versions are not managed by spring-boot and, as a consequence, it might not meet your requirements. Anyhow, the same repo contains many samples and tutorials, and some of the latter are using just the Spring Boot "official" starters. All samples and tutorials are configured with "static" multi-tenancy, except one which is showing a way to achieve "dynamic" multi-tenancy.

ch4mp
  • Thanks for the suggestion! I went over this but figured out a much simpler way to implement what I wanted to do. I will be detailing that below, feel free to take a look and give any feedback that comes to mind :) – barelySurviving May 18 '23 at 12:24
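One way to get the "static" multi-tenancy the answer mentions with only the official starter, as an added example that is neither the answer's nor the question's code: Spring Security's JwtIssuerAuthenticationManagerResolver replaces the hand-rolled decode, key-map lookup and issuer loop with a fixed list of trusted Keycloak realm issuers. The base URL and realm names are constructed placeholders.

```java
// Added example; requires spring-boot-starter-oauth2-resource-server (version managed by the Spring Boot BOM).
import java.util.Arrays;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class MultiRealmResourceServerConfig {

    // Constructed placeholders: substitute your Keycloak base URL and realm names.
    // Keycloak's "iss" claim is <base-url>/realms/<realm> (older servers: <base-url>/auth/realms/<realm>);
    // it must match the trusted issuer string exactly, so include the scheme and any context path.
    private static final String KEYCLOAK_DOMAIN = "https://keycloak.example.com/realms/";
    private static final List<String> REALMS = Arrays.asList("realm-a", "realm-b", "realm-c", "realm-d");

    @Bean
    SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        // Same shape as the question's KEYCLOAK_DOMAIN + ISSUER_ARRAY loop, but declared up front.
        String[] trustedIssuers = REALMS.stream()
                .map(realm -> KEYCLOAK_DOMAIN + realm)
                .toArray(String[]::new);

        // The resolver reads the (still unverified) "iss" claim of the bearer token. If it is one of the
        // trusted issuers, it lazily builds and caches a JwtDecoder for that realm from its OIDC discovery
        // document and JWK Set, then verifies the signature, "exp"/"nbf" and "iss" with that decoder.
        // Any other issuer, or a bad signature, is rejected with a 401 before the controller runs.
        // (Spring Security 6.2+ also offers the static factory fromTrustedIssuers(...) for this.)
        JwtIssuerAuthenticationManagerResolver issuerResolver =
                new JwtIssuerAuthenticationManagerResolver(trustedIssuers);

        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(issuerResolver));
        return http.build();
    }
}
```

With this in place the interceptor no longer needs to decode or verify the token itself; the verified claims are available from the JwtAuthenticationToken in the SecurityContext.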