spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Add encoding for the jwt key value in the case of HMac signing #799

Open cdelmas opened 8 years ago

cdelmas commented 8 years ago

Some authorization servers provide a secret which is encoded: auth0, for instance, gives a base64url-encoded secret. This cannot be handled by Spring Security OAuth at this time (see http://stackoverflow.com/q/37832961/5903220).

I made a pull request (#794) to add the possibility to configure an encoding for the key (base64 or base64url at the moment) and to use the MacSigner(byte[]) constructor to avoid data loss when converting back to a String.

GoGoris commented 7 years ago

I was just about to report the same feature. Maybe it would be a good idea to store the signingKey and verifierKey as a byte[] in JwtAccessTokenConverter?

Now the code relies on the default charset for String.getBytes(). This creates a possible character encoding risk when using special characters and when the charset is not properly set for the JVM. The RandomValueStringGenerator gets around this by using only alphanumeric characters, but this significantly reduces the number of possibilities for the key. I fear this knowledge could be abused in brute-force attacks...
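To make the two problems raised in this thread concrete (a base64url-encoded secret that must be decoded before it is used as the HMAC key, and a key derived via String.getBytes() changing with the default charset), here is an added Python illustration. It is not Spring Security OAuth code; `key_bytes` is a hypothetical stand-in for the proposed configurable key encoding, and the secret value is constructed.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed stand-in for a base64url-encoded secret as handed out by an
# authorization server such as auth0; the underlying key is 32 bytes.
ENCODED_SECRET = b64url_encode(bytes(range(32)))

def key_bytes(secret: str, encoding: str = "none", charset: str = "utf-8") -> bytes:
    # "none" mirrors String.getBytes(): the string's characters are the key, in
    # whatever charset is in effect; "base64url"/"base64" decode the string first.
    if encoding == "none":
        return secret.encode(charset)
    if encoding == "base64url":
        return b64url_decode(secret)
    if encoding == "base64":
        return base64.b64decode(secret)
    raise ValueError(f"unknown key encoding: {encoding}")

def hs256_sign(payload: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def hs256_verify(token: str, key: bytes) -> bool:
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def verify_with_both_interpretations(token: str) -> tuple:
    # Token signed with the decoded secret (as auth0 does): checked once with the
    # decoded key and once with the raw string bytes that String.getBytes() gives.
    return (hs256_verify(token, key_bytes(ENCODED_SECRET, "base64url")),
            hs256_verify(token, key_bytes(ENCODED_SECRET, "none")))

def charset_changes_key(secret: str) -> bool:
    # Same configured secret, two plausible JVM default charsets: different HMAC keys?
    return key_bytes(secret, "none", "utf-8") != key_bytes(secret, "none", "iso-8859-1")

if __name__ == "__main__":
    token = hs256_sign({"sub": "alice"}, key_bytes(ENCODED_SECRET, "base64url"))
    print(verify_with_both_interpretations(token), charset_changes_key("pässwörd"))
```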