JwtAccessTokenConverter setSigningKey does not update verifier

[nilo85]

JwtAccessTokenConverter.setSigningKey updates verifyingKey for mac keys, but it does not update the verifier itself, that is created afterPropertiesSet().

The result is, if you have a flow where keys are rotated, and setup later, the signing and verifying key gets out of sync.

https://github.com/spring-projects/spring-security-oauth/blob/b86951100ec45079b675710b27ebe215f29ae6a7/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java#L182

It should rebuild the verifier object as well.

[dmurat]

It looks like that I encountered this when trying to work with key-uri of spring security oauth2 resource server.

[kopax]

Wow. that's quite old, I am very surprised this doesn't get feedback.

Did you guys manage to solve it?

I keep having issue with "Cannot convert access token to JSON", I know my keypair provided information are valid but there's no way to decode it.

I have removed JKS and KeyPair configuration. I would like to restore it if there's a way to do so.

[makeajourney]

I also curious how can I solve this problem. I seemed it worked it. because when I login and when I request to auth with access_token, It had no problem. But when I tried to get access token with refresh token, error occurred which is 'Handling error: InvalidTokenException, Cannot convert access token to JSON'. This issue opened over two years ago....

[durimkryeziu]

Any input on this? I'm facing this Cannot convert access token to JSON issue as well!!

[jgrandja]

Please note that JwtAccessTokenConverter does not support key rotation.

For example, when the provider expires / revokes the signing key then the JwtAccessTokenConverter.verifier is no longer valid. This would result in the error "Cannot convert access token to JSON". The JwtAccessTokenConverter.verifier would need to be updated with the new verifier key. This can only be done with an application restart and/or ApplicationContext refresh, which would trigger JwtAccessTokenConverter.afterPropertiesSet().

Given this project will soon reach end-of-life, I would highly encourage users to migrate to Spring Security's Resource Server support, which automatically handles key rotation on the provider.