spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0
4.7k stars 4.04k forks source link

JwtAccessTokenConverter setSigningKey does not update verifier #1144

Open nilo85 opened 7 years ago

nilo85 commented 7 years ago

JwtAccessTokenConverter.setSigningKey updates verifyingKey for mac keys, but it does not update the verifier itself, that is created afterPropertiesSet().

The result is, if you have a flow where keys are rotated, and setup later, the signing and verifying key gets out of sync.

https://github.com/spring-projects/spring-security-oauth/blob/b86951100ec45079b675710b27ebe215f29ae6a7/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java#L182

It should rebuild the verifier object as well.

dmurat commented 6 years ago

It looks like that I encountered this when trying to work with key-uri of spring security oauth2 resource server.

kopax commented 4 years ago

Wow. that's quite old, I am very surprised this doesn't get feedback.

Did you guys manage to solve it?

I keep having issue with "Cannot convert access token to JSON", I know my keypair provided information are valid but there's no way to decode it.

I have removed JKS and KeyPair configuration. I would like to restore it if there's a way to do so.

makeajourney commented 4 years ago

I also curious how can I solve this problem. I seemed it worked it. because when I login and when I request to auth with access_token, It had no problem. But when I tried to get access token with refresh token, error occurred which is 'Handling error: InvalidTokenException, Cannot convert access token to JSON'. This issue opened over two years ago....

durimkryeziu commented 3 years ago

Any input on this? I'm facing this Cannot convert access token to JSON issue as well!!

jgrandja commented 3 years ago

Please note that JwtAccessTokenConverter does not support key rotation.

For example, when the provider expires / revokes the signing key then the JwtAccessTokenConverter.verifier is no longer valid. This would result in the error "Cannot convert access token to JSON". The JwtAccessTokenConverter.verifier would need to be updated with the new verifier key. This can only be done with an application restart and/or ApplicationContext refresh, which would trigger JwtAccessTokenConverter.afterPropertiesSet().

Given this project will soon reach end-of-life, I would highly encourage users to migrate to Spring Security's Resource Server support, which automatically handles key rotation on the provider.