Expected Behavior
Spring Security OAuth includes an Authorization Bearer header containing the access token in requests to JWK Set URIs. Some providers, such as Oracle IDCS, require the access token when getting the JWK keys.
Below is a portion of the workflow in Oracle IDCS:
Request 1
=======
request for url https://idcs-XXXX.identity.oraclecloud.com/oauth2/v1/token
headers = {
"Content-Type":"application/x-www-form-urlencoded;charset=UTF-8",
"Authorization":"Basic b64[client-id:client-secret]"
}
params = {
"grant_type": "code",
"scope":"urn:opc:idm:__myscopes__"
}
Response 1
========
response = {
"access_token": "[access_token]",
"token_type": "Bearer",
"expires_in": 3600
}
Request 2
=======
request for url https://idcs-XXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk
headers = {
"Authorization": "Bearer [access_token]"
}
Current Behavior
Spring Security OAuth does not include an Authorization Bearer header containing the access token in requests to JWK Set URIs.
Context
I am developing a client application for Oracle IDCS and I am unable to make Spring Security work because I am getting a 401 Unauthorized error when Spring Security is trying to get the keys from the JWK Set URI. I have tried the workaround below, but I have no way to supply the access token for every request.
@Bean
public NimbusJwtDecoder nimbusJwtDecoder() {
    RestTemplate rest = new RestTemplate();
    // Add a bearer token to every request made through this RestTemplate
    rest.getInterceptors().add((request, body, execution) -> {
        request.getHeaders().setBearerAuth("[access_token]"); // placeholder: no token is available at this point
        return execution.execute(request, body);
    });
    return NimbusJwtDecoder.withJwkSetUri("https://idcs-XXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk")
            .restOperations(rest).build();
}
Stacktrace
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_id_token] An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: [{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Operation failed due to unauthorized access.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.exception.unauthorizedAccess"}}]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.createOidcToken(OidcAuthorizationCodeAuthenticationProvider.java:226) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:155) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) [spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.37.jar:9.0.37]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_221]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_221]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.37.jar:9.0.37]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: [{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Operation failed due to unauthorized access.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.exception.unauthorizedAccess"}}]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:154) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:126) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.createOidcToken(OidcAuthorizationCodeAuthenticationProvider.java:223) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
... 48 common frames omitted
Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: [{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Operation failed due to unauthorized access.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.exception.unauthorizedAccess"}}]
at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:167) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:260) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at com.nimbusds.jose.proc.JWSVerificationKeySelector.selectJWSKeys(JWSVerificationKeySelector.java:157) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.selectKeys(DefaultJWTProcessor.java:310) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:381) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:141) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
... 50 common frames omitted
Caused by: java.io.IOException: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: [{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Operation failed due to unauthorized access.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.exception.unauthorizedAccess"}}]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder$RestOperationsResourceRetriever.retrieveResource(NimbusJwtDecoder.java:331) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:165) ~[nimbus-jose-jwt-8.18.1.jar:8.18.1]
... 56 common frames omitted
Caused by: org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: [{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Operation failed due to unauthorized access.","status":"401","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.exception.unauthorizedAccess"}}]
at org.springframework.web.client.HttpClientErrorException.create(HttpClientErrorException.java:105) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:184) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:125) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.ResponseErrorHandler.handleError(ResponseErrorHandler.java:63) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.RestTemplate.handleResponse(RestTemplate.java:782) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:740) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:641) ~[spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder$RestOperationsResourceRetriever.retrieveResource(NimbusJwtDecoder.java:329) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
... 57 common frames omitted
Comment From: jzheaux
Hi, @bryanmacainag, thanks for the detailed explanation.
That's an interesting requirement. It seems weird that the provider would ask for the access token to get the keys needed to verify the access token. If you give the access token to the provider, why doesn't it just verify it right then for you? And if this is the case, then it really defeats the purpose of JWKs anyway since the idea is to not have resource servers hitting the provider on each request.
I wonder if it's not the access token that the provider wants. Instead, it could be a bearer token that identifies your app, the client. This is how Introspection endpoints work. Also, I'm surprised that Oracle's docs don't seem to say anything about this. I might be looking in the wrong place, but there might be something missing from their docs that you need.
Since this sounds a bit more like a question than a feature request, I'm going to close this as answered. It's preferred to post questions to StackOverflow, and I think that you'll get more responses there, including answers from maintainers. If you feel like I haven't addressed your question, consider posting a question there and then add the link to it back here on this ticket.
Comment From: bryanmacainag
Hi @jzheaux,
You're right. It needs a bearer token as shown here
response = {
"access_token": "[access_token]",
"token_type": "Bearer",
"expires_in": 3600
}
Thank you for the detailed response. I'll look into introspection endpoint.
Comment From: jzheaux
Right, there might be a conflation of terms there.
What I mean to say is, I wonder if the access token they want is for authenticating the client (you), which, at least with introspection, is not the token tied to the end user.
Comment From: bryanmacainag
I had this problem 4 months ago and posted in StackOverflow but got no response. I have been on and off working on this project and I just got back on working on it. You can see my post in StackOverflow.
This is a code snippet of the NodeJS SDK provided by Oracle. You can see that when calling JWK Set URI, the code supplies the Auth Bearer Token.
while Spring Security does not include the Auth Bearer Token when requesting the JWK Set URI as shown below (from debug logs):
- /api/api-docs - redirecting to authentication entry point
- Redirecting to 'http://localhost:3000/oauth2/authorization/oracle'
- Redirecting to 'https://idcs-XXXX.identity.oraclecloud.com/oauth2/v1/authorize?response_type=code&client_id=XXXX&scope=openid%20profile%20email%20address%20phone&state=1234&redirect_uri=http://localhost:3000/callback&nonce=XXXX'
- Redirecting to http://localhost:3000/callback?code=XXX1234&state=XXXX
- HTTP POST https://idcs-XXXX.identity.oraclecloud.com/oauth2/v1/token Accept=[application/json, application/*+json] [{grant_type=[authorization_code], code=[XXXX1234], redirect_uri=[http://localhost:3000/callback]}] as "application/x-www-form-urlencoded;charset=UTF-8"
- HTTP GET https://idcs-XXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk Accept=[text/plain, application/json, application/*+json, */*] Response 401 UNAUTHORIZED
I am not sure why the Oracle Documentation does not state this. I also have the Java SDK in jar file but it does not include the source code.
Does Spring Security have a way to include the Auth Bearer Token in requests to JWK Set Uri? If not, what are my other options?
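One way to do what the question above asks, following jzheaux's point that the token should identify the client rather than the end user (an added example, not part of the thread and not Spring Security's or Oracle's own code). Assumptions: the class name, the `client_credentials` grant and the 30-second refresh margin are hypothetical; the scope is the one shown in Request 1, and the client is assumed to be allowed to request it.

```java
import java.net.URI;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.RestTemplate;

@Configuration
public class BearerJwkSetConfig {            // hypothetical class name
    private final Map<String, JwtDecoder> decoders = new ConcurrentHashMap<>();

    // oauth2Login() picks up a JwtDecoderFactory<ClientRegistration> bean for ID tokens.
    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        return reg -> decoders.computeIfAbsent(reg.getRegistrationId(), id -> build(reg));
    }

    private JwtDecoder build(ClientRegistration reg) {
        URI jwkSetUri = URI.create(reg.getProviderDetails().getJwkSetUri());
        ClientTokenCache tokens = new ClientTokenCache(reg);
        RestTemplate jwkClient = new RestTemplate();
        jwkClient.getInterceptors().add((request, body, execution) -> {
            // Send the client token only to the configured JWK Set URI, nowhere else.
            if (jwkSetUri.equals(request.getURI())) {
                request.getHeaders().setBearerAuth(tokens.get());
            }
            return execution.execute(request, body);
        });
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri.toString())
                .restOperations(jwkClient).build();
        // A custom factory must re-apply ID token validation (iss, aud, exp, ...).
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(), new OidcIdTokenValidator(reg)));
        return decoder;
    }

    /** Caches a token that identifies the client application, not the end user. */
    static final class ClientTokenCache {
        private final RestTemplate tokenClient = new RestTemplate();
        private final ClientRegistration reg;
        private String token;
        private Instant refreshAt = Instant.EPOCH;

        ClientTokenCache(ClientRegistration reg) { this.reg = reg; }

        synchronized String get() {
            if (Instant.now().isBefore(refreshAt)) return token;
            HttpHeaders headers = new HttpHeaders();
            headers.setBasicAuth(reg.getClientId(), reg.getClientSecret());
            headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
            MultiValueMap<String, String> form = new LinkedMultiValueMap<>();
            form.add("grant_type", "client_credentials");   // assumption, see lead-in
            form.add("scope", "urn:opc:idm:__myscopes__");   // scope shown in Request 1
            Map<?, ?> body = tokenClient.postForObject(reg.getProviderDetails().getTokenUri(),
                    new HttpEntity<>(form, headers), Map.class);
            if (body == null || !(body.get("access_token") instanceof String)) {
                throw new IllegalStateException("token endpoint returned no access_token");
            }
            Object ttl = body.get("expires_in");
            long seconds = ttl instanceof Number ? ((Number) ttl).longValue() : 60L;
            token = (String) body.get("access_token");
            refreshAt = Instant.now().plusSeconds(Math.max(seconds - 30, 0)); // refresh early
            return token;
        }
    }
}
```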
Comment From: bryanmacainag
Just to add another problem I have encountered:
When accessing the JWK Set URI (https://idcs-XXXX.identity.oraclecloud.com/admin/v1/SigningCert/jwk) and supplying the Auth Bearer Token on that URI, the keys are displayed like below:
{
"keys":[
{
"x5t#S256":"_wJqnmEgaue0Hrr5C6WXbQKomIOcacggUeRlnGP0LBA",
"x5t":"v1UrKX9lqCSfldbxprXRM7BoT9o",
"key_ops":[
"verify",
"encrypt"
],
"e":"AQAB",
"kty":"RSA",
"x5c":[
"[x5c certificate value not preserved]",
"[x5c certificate value not preserved]"
],
"alg":"RS256",
"n":"6JcGWtVqYf7JPvt6XGKV3wPBfFDCDkBCIbxgj1XrPeFRJzdZqozLCro4EpmL9ccAKugpG5AHDFLhPAn0Uqu4p1MMXKvoaJ6q6_rXjXK95qFam8eKFb5y2GeoqJbzhCoEi8Vj8VUhLt-jQiZJJPpG75TWWo_2OXv93JA1LEHQ0lGQoZ76RHaHvbjkkNOtc8g0VVsvo3m5MB9_k8n55MTGxzgtxX6z6qIyQx_fpJL2AoVd-T8wLo3OyI6DkVRaGZsXrB_IrZ0XWigb7ztHxJvaqzCmxkay-LvyHCJqoy5nIXSA-dU2FrBuWA4XzIR6cLY-amH6GZ83u2_kWqYWE8dlYw",
"kid":"SIGNING_KEY"
}
]
}
Spring Security complains [invalid_id_token] An error occurred while attempting to decode the Jwt: Malformed Jwk set
org.springframework.security.oauth2.core.OAuth2AuthenticationException: [invalid_id_token] An error occurred while attempting to decode the Jwt: Malformed Jwk set
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.createOidcToken(OidcAuthorizationCodeAuthenticationProvider.java:226) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.authenticate(OidcAuthorizationCodeAuthenticationProvider.java:155) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) ~[spring-security-core-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter.attemptAuthentication(OAuth2LoginAuthenticationFilter.java:185) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) ~[spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter.doFilterInternal(OAuth2AuthorizationRequestRedirectFilter.java:160) [spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:117) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:92) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:77) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178) [spring-security-web-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) [spring-web-5.2.8.RELEASE.jar:5.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589) [tomcat-embed-core-9.0.37.jar:9.0.37]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-embed-core-9.0.37.jar:9.0.37]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_221]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_221]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-embed-core-9.0.37.jar:9.0.37]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: Malformed Jwk set
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:152) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:126) ~[spring-security-oauth2-jose-5.3.3.RELEASE.jar:5.3.3.RELEASE]
at org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider.createOidcToken(OidcAuthorizationCodeAuthenticationProvider.java:223) ~[spring-security-oauth2-client-5.3.3.RELEASE.jar:5.3.3.RELEASE]
... 48 common frames omitted