Closed
Describe the bug
After the last changes as part of [#196], I have removed the definition of CryptoKeySource bean in favour of JWKSource, as shown in the sample app:
```java
import org.springframework.context.annotation.Bean;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

@Bean
public JWKSource<SecurityContext> jwkSource() {
    RSAKey rsaKey = generateRsa(); // helper from the sample app, not shown here
    JWKSet jwkSet = new JWKSet(rsaKey);
    return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
```
This causes an error on the client app (which is also based on Spring Security) when it tries to validate the token:
```
Caused by: com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:384)
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330)
	at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:144)
```
What causes this in the client is its inability to fetch the right public key from /oauth2/jwks (which returns an empty list), therefore making it impossible to validate the token.
To Reproduce
Run the sample app provided
Expected behavior
The app should keep working as before, therefore enabling clients to validate JWTs.
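An added sanity check, written here against Nimbus JOSE+JWT directly and not taken from the sample app or the project, that exercises the same JWKSource shape as the bean in the report before any client hits /oauth2/jwks: it confirms the source resolves a key for the header the server signs with, that the public-only set a JWKS endpoint would publish contains that key and no private material, and that a token signed with the private key verifies against the published key. The class name, key id and payload are constructed for the example.

```java
import java.util.List;
import java.util.UUID;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

public class JwkSourceSanityCheck {
    public static void main(String[] args) throws Exception {
        // Constructed signing key: explicit kid and "sig" use so a JWKS consumer can match it.
        RSAKey rsaKey = new RSAKeyGenerator(2048)
                .keyID(UUID.randomUUID().toString())
                .keyUse(KeyUse.SIGNATURE)
                .generate();
        JWKSet jwkSet = new JWKSet(rsaKey);
        // Same shape as the bean in the report: the selector is applied to the in-memory set.
        JWKSource<SecurityContext> jwkSource =
                (jwkSelector, context) -> jwkSelector.select(jwkSet);

        // 1. The source must resolve a key for the JWS header the server signs with.
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rsaKey.getKeyID()).build();
        List<JWK> matches = jwkSource.get(new JWKSelector(JWKMatcher.forJWSHeader(header)), null);
        if (matches.isEmpty()) {
            throw new IllegalStateException("JWKSource returned no key for header " + header);
        }

        // 2. What a JWKS endpoint should publish: the signing key's public half, nothing private.
        JWKSet published = jwkSet.toPublicJWKSet();
        RSAKey publicKey = (RSAKey) published.getKeyByKeyId(rsaKey.getKeyID());
        if (publicKey == null || published.getKeys().stream().anyMatch(JWK::isPrivate)) {
            throw new IllegalStateException("published JWK set is missing the key or leaks private material");
        }

        // 3. Round trip: sign with the private key, verify with only the published public key.
        JWSObject jws = new JWSObject(header, new Payload("{\"sub\":\"demo\"}"));
        jws.sign(new RSASSASigner(rsaKey));
        System.out.println("verified with published key: " + jws.verify(new RSASSAVerifier(publicKey)));
    }
}
```

If step 1 throws, a resource server will fail with the same "no matching key(s) found" rejection shown above, regardless of what the endpoint returns.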