jhipster / generator-jhipster

JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures.
https://www.jhipster.tech
Apache License 2.0
21.53k stars 4.02k forks

On a slow internet connection, Okta/Auth0 JWK retrieval API fails with socket timeout #17550

Open vishal423 opened 2 years ago

vishal423 commented 2 years ago
Overview of the issue

The default timeout configured by Spring Security is ~500ms. On a slow internet connection, it's rare to get the response within this threshold limit. Since JHipster supports Okta/Auth0 integration, it would be cool to provide an easy way to configure this.

Stack trace:

Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.JwtDecoder]: Factory method 'jwtDecoder' threw exception; nested exception is java.lang.IllegalStateException: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:185)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
        ... 58 common frames omitted
Caused by: java.lang.IllegalStateException: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:107)
        at org.springframework.security.oauth2.jwt.JwtDecoders.withProviderConfiguration(JwtDecoders.java:122)
        at org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:66)
        at com.jhipster.demo.blog.config.SecurityConfiguration.jwtDecoder(SecurityConfiguration.java:157)
        at com.jhipster.demo.blog.config.SecurityConfiguration$$EnhancerBySpringCGLIB$$fa1ed3e7.CGLIB$jwtDecoder$1(<generated>)
        at com.jhipster.demo.blog.config.SecurityConfiguration$$EnhancerBySpringCGLIB$$fa1ed3e7$$FastClassBySpringCGLIB$$dc54e730.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244)
        at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331)
        at com.jhipster.demo.blog.config.SecurityConfiguration$$EnhancerBySpringCGLIB$$fa1ed3e7.jwtDecoder(<generated>)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154)
        ... 59 common frames omitted
Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Read timed out
        at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:167)
        at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:260)
        at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:90)
        ... 72 common frames omitted
Caused by: java.net.SocketTimeoutException: Read timed out
        at java.base/sun.nio.ch.NioSocketImpl.timedRead(NioSocketImpl.java:283)
        at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:309)
        at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:350)
        at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:803)
Motivation for or Use Case

I can't use Okta/Auth0 with JHipster

Related issues

https://github.com/spring-projects/spring-security/issues/4474

JHipster Version(s)

Main

bdemers commented 2 years ago

Hey @vishal423!

When we see this problem (on the Okta side) it's typically a network configuration issue where your application is running (usually some sort of proxy or other network appliance).

That said, if you have checked your network and still have an issue, you should be able to configure any timeouts by doing something like this (NOTE: this block of code has not been tested):

import java.time.Duration;

import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class WebConfig extends WebSecurityConfigurerAdapter {

    private final OAuth2ResourceServerProperties oAuth2ResourceServerProperties;

    WebConfig(OAuth2ResourceServerProperties oAuth2ResourceServerProperties) {
        this.oAuth2ResourceServerProperties = oAuth2ResourceServerProperties;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // RestTemplate with explicit connect/read timeouts; the 5 s values are placeholders to tune
        RestTemplate restOperations = new RestTemplateBuilder()
            .setConnectTimeout(Duration.ofSeconds(5))
            .setReadTimeout(Duration.ofSeconds(5))
            .build();

        // Nimbus fetches the JWK set through this RestOperations, so the timeouts apply to that fetch
        NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(
            oAuth2ResourceServerProperties.getJwt().getJwkSetUri());
        builder.restOperations(restOperations);

        http.authorizeRequests().anyRequest().authenticated();
        http.oauth2ResourceServer().jwt().decoder(builder.build());
    }
}
vishal423 commented 2 years ago

Thanks @bdemers for the suggestion. Unfortunately, it's not that straightforward, as we use JwtDecoders to prepare the NimbusJwtDecoder and don't have control to override the rest operations to specify a timeout. There was a similar issue reported highlighting the inability to override timeouts in spring-projects/spring-security#10610; however, it was closed with a documentation reference listing suggestions like yours.

bdemers commented 2 years ago

@vishal423, were you able to confirm there were no network issues (firewalls, proxies, etc.)?

If your code is generated similarly to this: https://github.com/jhipster/generator-jhipster/blob/980ca577b72a846208d2fec0d85267a995bc8e53/generators/server/templates/src/main/java/package/config/SecurityConfiguration.java.ejs#L327-L342, you should be able to inject a RestTemplateBuilder (which supports timeouts).

vishal423 commented 2 years ago

@bdemers, I don't see any issue with my network configuration (no proxy, Linux env). I feel it's network latency to reach the Auth0/Okta endpoints from India on a decent Wi-Fi connection.

I am trying to follow up with @jgrandja on this. So far it seems we need to rewrite most of the code ourselves to make it work. You can refer to https://github.com/spring-projects/spring-security/issues/10610#issuecomment-1013657473 for the exact code point causing this issue and that can't be addressed with customization of RestTemplateBuilder.
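
The rewrite referred to above, as an added example that is not JHipster's generated code nor code from this thread: instead of calling JwtDecoders.fromOidcIssuerLocation(), which fetches the JWK set through Nimbus's default resource retriever and its built-in timeouts, the bean below fetches the OIDC discovery document itself with a RestTemplate that carries explicit timeouts, then builds a NimbusJwtDecoder whose JWK-set fetches go through that same RestTemplate. It keeps the issuer check and the default exp/nbf/iss validators that fromOidcIssuerLocation() installs, and adds an audience check of the kind JHipster's generated SecurityConfiguration performs. Assumptions: Spring Boot 2.x with Spring Security 5.x, the property names spring.security.oauth2.client.provider.oidc.issuer-uri and jhipster.security.oauth2.audience, RS256-signed tokens (what Okta and Auth0 issue), a hypothetical package name, and 10-second timeouts chosen only for illustration.

```java
package com.example.config; // hypothetical package

import java.time.Duration;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class JwtDecoderConfig {

    // Property names assumed for this example (they match JHipster's OIDC application.yml layout)
    @Value("${spring.security.oauth2.client.provider.oidc.issuer-uri}")
    private String issuerUri;

    @Value("${jhipster.security.oauth2.audience}")
    private List<String> audience;

    @Bean
    @SuppressWarnings("unchecked")
    public JwtDecoder jwtDecoder(RestTemplateBuilder restTemplateBuilder) {
        // One RestTemplate with explicit timeouts serves both the discovery document fetch
        // and every later JWK set fetch. The 10 s values are assumed; tune them to your network.
        RestTemplate rest = restTemplateBuilder
            .setConnectTimeout(Duration.ofSeconds(10))
            .setReadTimeout(Duration.ofSeconds(10))
            .build();

        // Resolve jwks_uri from the provider's OIDC discovery document ourselves. Okta issuers
        // have no trailing slash, Auth0 issuers do, so build the well-known URL accordingly.
        String discoveryUrl = issuerUri.endsWith("/")
            ? issuerUri + ".well-known/openid-configuration"
            : issuerUri + "/.well-known/openid-configuration";
        Map<String, Object> metadata = rest.getForObject(discoveryUrl, Map.class);
        if (metadata == null || !issuerUri.equals(metadata.get("issuer"))) {
            // Same check JwtDecoders makes: the document must name the issuer we configured,
            // otherwise a misrouted or spoofed response could hand us a foreign JWK set.
            throw new IllegalStateException("Discovery document does not belong to issuer " + issuerUri);
        }
        String jwkSetUri = (String) metadata.get("jwks_uri");

        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .jwsAlgorithm(SignatureAlgorithm.RS256) // Okta and Auth0 sign access tokens with RS256
            .restOperations(rest)                   // JWK set fetches now honour the timeouts above
            .build();

        // Keep the validators fromOidcIssuerLocation() would have installed (timestamps + iss)
        // and reject tokens whose aud claim shares no value with the configured audience list.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
            "aud", aud -> aud != null && !Collections.disjoint(aud, audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```

Because the bean still performs a network call at startup, a provider that is unreachable will fail the context the same way the stack trace in this issue shows, only after the longer timeout; the difference is that the timeout is now yours to set rather than Nimbus's default. The audience predicate deliberately fails closed on a missing aud claim rather than treating it as acceptable.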

MrNoooo007 commented 1 year ago

@vishal423 Have you solved this problem yet?

I have the same problem as you. Could you help me to solve this?