Migrate from custom made jwt authentication to spring-security builtin support.

[mshima]

Spring security provides jwt authentication support through builtin oauth2 server. Replacing custom make security implementation with spring-security builtin implementation allow us to reduce security responsibilities and generate cleaner application.

This should reduce jwt module generated files from 11 to 4 or 5.

This is equivalent to generator-jhipster's https://github.com/jhipster/generator-jhipster/issues/19689.

I am opening this issue following @DamnClin suggestion. A initial implementation can be seen here

Issue: A comma separated authorities inside jwt structure is not supported: https://github.com/jhipster/jhipster-lite/blob/379d93ebac5e05419867700d5c0dae427c964372/src/main/resources/generator/server/springboot/mvc/security/jwt/authentication/main/infrastructure/primary/JwtReader.java.mustache#L68

Alternatives:

• migrate to a array.
• migrate to space separated.
• implement a custom converter.

[AnneJacquet]

Hi @mshima are you working on this issue as you started the work ? If not I will look into it 🙂

[pascalgrimaud]

I would say, you can go ahead @AnneJacquet

[mshima]

You can continue from where I’ve started.

[mshima]

https://github.com/mshima/jhipster-lite/tree/jwt You can squash those commits

[pascalgrimaud]

Oh didn't expect you already started the work @mshima !

[mshima]

It’s in the issue description, @AnneJacquet feel free to continue it.

[mshima]

I think it’s is missing the entrypoint, I couldn’t find it. Maybe you are relying on the userpasswordfilter? And since there is almost no component to test, it’s possible to port the authentication integration test from the generator-jhipster.

[AnneJacquet]

I looked into the module spring-boot-jwt and was hoping to split the responsibility :

• generate a token with a private key
• read a token with the public key

The reason for that is actually my current client : I only need the second part (we receive a jwt).

A solution for that actually exists straight out of the box : https://docs.spring.io/spring-security/reference/reactive/oauth2/resource-server/jwt.html#webflux-oauth2resourceserver-jwt-decoder-public-key-boot

But it only supports RSA algorithms (not EC) class OAuth2ResourceServerJwtConfiguration :

It should be possible to write something similar supporting all algorithms. But before going that way, do you think using both keys is a good idea or we should keep on using juste the private key ?

[mshima]

Yes, there is support to configure the decoder using a public key using configuration. I don't think there is support to configure the encoder.

I don't think there is an easy way to support all algorithms. The current algorithm implementation (symmetric) is quite different from the asymmetric algorithms which your are targeting There is a jws-algorithm reference at https://github.com/spring-projects/spring-security/blob/38a7bbd2eb9fd71461651413b59f8fd93a3f2c3b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc#via-spring-boot. But I could not find in the code. So I think it's wrong.

You may try something like https://github.com/spring-projects/spring-security/issues/8092#issuecomment-843038299 to make more generic.

[mshima]

Or generate a https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-decoder-jwk-response from application properties.