Open nilo85 opened 7 years ago
It looks like that I encountered this when trying to work with key-uri of spring security oauth2 resource server.
Wow, that's quite old. I am very surprised this doesn't get feedback.
Did you guys manage to solve it?
I keep having an issue with "Cannot convert access token to JSON". I know the key pair information I provided is valid, but there's no way to decode it.
I have removed JKS and KeyPair configuration. I would like to restore it if there's a way to do so.
I am also curious how I can solve this problem. It seemed to work, because when I log in and request auth with the access_token, there was no problem. But when I tried to get an access token with a refresh token, an error occurred: 'Handling error: InvalidTokenException, Cannot convert access token to JSON'. This issue was opened over two years ago....
Any input on this? I'm facing this Cannot convert access token to JSON issue as well!!
Please note that JwtAccessTokenConverter does not support key rotation.
For example, when the provider expires / revokes the signing key then the JwtAccessTokenConverter.verifier is no longer valid. This would result in the error "Cannot convert access token to JSON". The JwtAccessTokenConverter.verifier would need to be updated with the new verifier key. This can only be done with an application restart and/or ApplicationContext refresh, which would trigger JwtAccessTokenConverter.afterPropertiesSet().
Given this project will soon reach end-of-life, I would highly encourage users to migrate to Spring Security's Resource Server support, which automatically handles key rotation on the provider.
JwtAccessTokenConverter.setSigningKey updates verifyingKey for MAC keys, but it does not update the verifier itself, which is created in afterPropertiesSet().
The result is that if you have a flow where keys are rotated and set up later, the signing and verifying keys get out of sync.
https://github.com/spring-projects/spring-security-oauth/blob/b86951100ec45079b675710b27ebe215f29ae6a7/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java#L182
It should rebuild the verifier object as well.
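The failure mode described in the maintainer's comment and in the last comment (a verifier built once at initialization that is never rebuilt when the provider rotates or revokes the signing key) is easy to reproduce outside Spring. The following is an added example written for this thread, not code from spring-security-oauth: a small HS256 JWS signer and two verifier styles in plain Python. `StaleVerifier` captures one key at construction, standing in for the `JwtAccessTokenConverter.verifier` created in `afterPropertiesSet()`; `RotatingVerifier` resolves the key from the token's `kid` header on every call, which is what a rotation-aware resource server (such as Spring Security's Resource Server support) does. The class names, key names and claims are constructed for the example.

```python
"""Added example (not from the issue thread or from spring-security-oauth):
a minimal HS256 JWS verifier that models a stale verifier versus one that
re-resolves the key per token. All keys, kids and claims are constructed."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that compact JWS strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Issue a compact JWS (header.payload.signature) with HS256, tagging the key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


class InvalidTokenError(Exception):
    """Raised where JwtAccessTokenConverter reports 'Cannot convert access token to JSON'."""


def _verify_with(key: bytes, token: str) -> dict:
    """Check the HMAC over header.payload with the given key and return the claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidTokenError("malformed token")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidTokenError("signature does not verify with the configured key")
    return json.loads(_b64url_decode(payload_b64))


def peek_kid(token: str) -> str:
    """Read the unverified header only to select a key; nothing else is trusted from it."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid", "")


class StaleVerifier:
    """Captures the key once; after a rotation it keeps verifying with the old key."""

    def __init__(self, key: bytes):
        self._key = key  # models the verifier built once in afterPropertiesSet()

    def decode(self, token: str) -> dict:
        return _verify_with(self._key, token)


class RotatingVerifier:
    """Looks the key up by kid on every call, so a rotated key is picked up without a restart."""

    def __init__(self, keys: dict):
        self._keys = keys  # kid -> key; in practice refreshed from the provider's key set

    def decode(self, token: str) -> dict:
        kid = peek_kid(token)
        key = self._keys.get(kid)
        if key is None:
            raise InvalidTokenError(f"unknown kid {kid!r}; refresh the key set")
        return _verify_with(key, token)


def rotation_demo() -> dict:
    """Issue a token under key k1, rotate the provider to k2, and compare the two verifiers."""
    keys = {"k1": b"constructed-key-one"}
    stale = StaleVerifier(keys["k1"])
    rotating = RotatingVerifier(keys)  # shares the dict, so it sees the rotation
    claims = {"sub": "alice", "scope": "read"}
    before = sign_hs256(claims, keys["k1"], "k1")
    result = {"before": (stale.decode(before)["sub"], rotating.decode(before)["sub"])}
    keys["k2"] = b"constructed-key-two"  # provider rotates to a new signing key
    del keys["k1"]  # and revokes the old one
    after = sign_hs256(claims, keys["k2"], "k2")
    try:
        stale.decode(after)
        result["stale_after"] = "accepted"
    except InvalidTokenError as exc:
        result["stale_after"] = str(exc)  # this is the "Cannot convert access token to JSON" case
    result["rotating_after"] = rotating.decode(after)["sub"]
    return result
```

Running `rotation_demo()` shows both verifiers accepting the pre-rotation token, the stale one rejecting every token issued after the rotation, and the `kid`-based one continuing to work. In Spring terms the equivalent of `RotatingVerifier` is rebuilding the converter's verifier whenever the signing key changes rather than only once at initialization, which is the change the last comment asks for.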