Hi, in the context of Spring Security, is it possible for Spring Boot to auto-configure beans for RSAKey (default to RSA, 2048), JwtEncoder (default to using RSAKey) and JwtDecoder (default to using RSAKey)? This can really help to save time for developers, instead of them having to write these beans again and again. Any overriding of the default configuration can be done via configuration files.
Comment From: philwebb
Can you provide some more details of what you're looking for? We do already have some code in OAuth2ResourceServerJwtConfiguration which creates a JwtDecoder.
Perhaps you can provide a sample application with the type of configuration you usually create.
Comment From: hannah23280
Hi,
I wanted to create a simple application that verifies the login credentials submitted via a typical form and then generates a JWT token for the browser. So the JWT token will be sent to the backend for every page navigation. No OAuth2 server is involved.
In that case, I have to manually write my own JwtDecoder and JwtEncoder. That is why I raised this issue, in the hope that JwtDecoder and JwtEncoder beans can be auto-created for us during application boot-up.
From the source code of OAuth2ResourceServerJwtConfiguration, it seems that Spring Boot is able to automatically create a JwtDecoder bean for us. But sadly no JwtEncoder bean.
Comment From: philwebb
@hannah23280,
We're discussing this again today and we wondered if you could provide a sample application that shows how you are currently configuring your beans. We want to make sure that we understand the use-case and that it will be broadly applicable.
Comment From: hannah23280
Hi,
I don't have a sample application with me currently, but I have made personal notes on the manual way of creating the JwtEncoder. Something as shown below:
Generate RSA Key Pair
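```java
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.context.annotation.Bean;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;

@Bean
RSAKey rsaKey() throws NoSuchAlgorithmException {
    // Generate the key pair via the JDK API.
    var generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(2048);
    KeyPair keyPair = generator.generateKeyPair();
    // Then create an instance of RSAKey using the above key pair.
    return new RSAKey.Builder((RSAPublicKey) keyPair.getPublic()).privateKey((RSAPrivateKey) keyPair.getPrivate())
            .keyID(UUID.randomUUID().toString())
            .build();
}
```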
Create JwtEncoder
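```java
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
@Bean
JwtEncoder jwtEncoder(RSAKey rsaKey) {
    return new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(rsaKey)));
}
```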
Comment From: philwebb
Thanks for the additional information. I'm not sure this pattern is generally applicable and something that will suit every application. As such, I don't think we'll be able to provide any auto-configuration ourselves for this.
If you're finding this pattern common in your own applications you could extract the code to your own auto-configuration module to make it easier to apply.
Thanks anyway for the suggestion.
Comment From: hannah23280
> Thanks for the additional information. I'm not sure this pattern is generally applicable and something that will suit every application. As such, I don't think we'll be able to provide any auto-configuration ourselves for this.
>
> If you're finding this pattern common in your own applications you could extract the code to your own auto-configuration module to make it easier to apply.
>
> Thanks anyway for the suggestion.

Okie. I thought creating an RSAKey for the purpose of creating a JwtEncoder is common. Hence instead of us having to write this boilerplate, the framework can do this for us, but we can further customize by setting pre-defined properties for the key length (2048), etc.
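
The suggestion in the thread to extract these beans into your own auto-configuration module could look like the following. This is an added example, not code from the thread or from Spring Boot; the class name `LocalJwtAutoConfiguration` and the property `example.jwt.rsa-key-size` are hypothetical, and it assumes Spring Boot 2.7 or later with `spring-security-oauth2-jose` on the classpath.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.*;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;

// Hypothetical auto-configuration: each bean backs off if the application defines its own.
@AutoConfiguration
@ConditionalOnClass(NimbusJwtEncoder.class)
public class LocalJwtAutoConfiguration {
    // Key size comes from a hypothetical property and defaults to 2048, as in the thread.
    @Bean
    @ConditionalOnMissingBean
    RSAKey rsaKey(@Value("${example.jwt.rsa-key-size:2048}") int keySize) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(keySize);
        KeyPair keyPair = generator.generateKeyPair();
        return new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .privateKey((RSAPrivateKey) keyPair.getPrivate())
                .keyID(UUID.randomUUID().toString())
                .build();
    }

    @Bean
    @ConditionalOnMissingBean
    JwtEncoder jwtEncoder(RSAKey rsaKey) {
        return new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(rsaKey)));
    }

    // The decoder gets only the public half of the key, so it can verify but not sign.
    @Bean
    @ConditionalOnMissingBean
    JwtDecoder jwtDecoder(RSAKey rsaKey) throws JOSEException {
        return NimbusJwtDecoder.withPublicKey(rsaKey.toRSAPublicKey()).build();
    }
}
```

To activate it, list the class in `META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports` of the module. Because the key pair exists only in memory and is regenerated at every start, tokens issued before a restart, or by another instance of the application, will fail verification.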