spring-projects / spring-authorization-server

Spring Authorization Server
https://spring.io/projects/spring-authorization-server
Apache License 2.0

Authorization-server doesn't work as expected in scenarios when I use EC instead of RSA for token signing. #927

Closed celikfatih closed 2 years ago

celikfatih commented 2 years ago

Describe the bug

I'm trying to use EC instead of RSA for token signing. JWKSource<SecurityContext> contains an EC key instead of RSA for token signing. In case I use RSA my scenarios work as expected. But in the case where I use EC, a problem arises in my scenario.

To Reproduce

Everything works as expected with a configuration like the following:

@Bean
public JWKSource<SecurityContext> jwkSource() {
    JWKSet jwkSet = new JWKSet(Jwks.generateRsa());
    return (jwkSelector, context) -> jwkSelector.select(jwkSet);
}

I don't see any errors when I use EC instead of RSA but I see an HTTP status stating that there are too many redirects. My EC configuration is as follows. I also include header information indicating that EC is used instead of RSA.

@Bean
public JWKSource<SecurityContext> jwkSource() {
    JWKSet jwkSet = new JWKSet(Jwks.generateEc());
    return (jwkSelector, context) -> jwkSelector.select(jwkSet);
}

@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
    return context -> context.getHeaders().algorithm(SignatureAlgorithm.ES256);
}

I followed TRACE logs while using EC to understand the error. I noticed that there was no call to /oauth2/jwks path, unlike the case where I use RSA.

Expected behavior

JWKSource<SecurityContext> @Bean contains an EC key for token signing. Also in the header information, this EC key is indicated. In these circumstances, the same RSA must meet the expected circumstances as in my example. But I couldn't find the exact source of the problem.

jgrandja commented 2 years ago

@celikfatih Questions are better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements.

EC keys will work if configured correctly.

FYI, the default for RegisteredClient.tokenSettings.idTokenSignatureAlgorithm is SignatureAlgorithm.RS256 so this might be the reason it's failing for ID Token signing.

For the Jwt access token, you can customize the default alg header SignatureAlgorithm.RS256 using a custom JwtGenerator.setJwtCustomizer().

Please see the reference documentation for OAuth2TokenGenerator and OAuth2TokenCustomizer.
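Putting jgrandja's two points together, as an added example that is neither the project's nor the reporter's code: an EC-only JWKSource next to a RegisteredClient whose TokenSettings sets idTokenSignatureAlgorithm to ES256 (the default RS256 cannot be satisfied when only an EC key is published), plus a customizer that changes the access token alg header. The client id, secret and redirect URI are placeholders, the EC key is generated with Nimbus's ECKeyGenerator, and the import paths assume the 1.x package layout.

```java
import java.util.UUID;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.*;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.client.*;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.*;

@Configuration
public class EcSigningConfig {
    // Only an EC key is published: a token whose header asks for RS256 has no matching key.
    @Bean
    public JWKSource<SecurityContext> jwkSource() throws Exception {
        ECKey ecKey = new ECKeyGenerator(Curve.P_256)
                .keyID(UUID.randomUUID().toString())
                .generate();
        JWKSet jwkSet = new JWKSet(ecKey);
        return (jwkSelector, context) -> jwkSelector.select(jwkSet);
    }
    // Point 1: the ID token alg comes from the client's TokenSettings, whose default is RS256.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient client = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("example-client")            // placeholder
                .clientSecret("{noop}example-secret")  // placeholder, not for production use
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/example-client") // placeholder
                .scope("openid")
                .tokenSettings(TokenSettings.builder()
                        .idTokenSignatureAlgorithm(SignatureAlgorithm.ES256)
                        .build())
                .build();
        return new InMemoryRegisteredClientRepository(client);
    }
    // Point 2: the access token alg header defaults to RS256 and is overridden per token here.
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                context.getHeaders().algorithm(SignatureAlgorithm.ES256);
            }
        };
    }
}
```

With both settings in place the ID token and the access token are signed with the published EC key, and the kid/alg in their headers can be checked against the output of /oauth2/jwks.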