I found an odd behavior with JWT parsing and JwtValidators.
Scenario:
- Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
- Custom `JwtDecoderFactory<ClientRegistration>` for ID-Token validation, with a `JwtValidatorFactory` based on `JwtValidators.createDefaultWithIssuer(String)`
This worked well with Spring Boot version <= 2.2.10.
Debugging:
- `NimbusJwtDecoder` (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as `URL`.
- `JwtIssuerValidator` (internally created by `JwtValidators.createDefaultWithIssuer(String)`) wraps a `JwtClaimValidator<String>`.
- This one finally calls `equals()`, which is always `false`: it compares `String` with `URL`.
My current workaround is not calling `JwtValidators.createDefaultWithIssuer()` but just using the validators `new JwtTimestampValidator()` and an own implementation of `OAuth2TokenValidator<Jwt>` (wrapping `JwtClaimValidator<URL>`).
Anyone else having trouble with this?
--Christian
Comment From: jzheaux
Thanks for the report, @cmouttet.
While OIDC says the `iss` claim is a URL, JWT says it's a StringOrURI. The difference in the RFCs is probably the source of the differing behavior.
I think it makes sense for `JwtIssuerValidator` to work for both. Would you be able to submit a PR that updates it to convert the issuer to a String before doing the comparison? I think that would mean no longer wrapping `JwtClaimValidator`.
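An added example, not code from the issue or from Spring Security itself, of the approach jzheaux describes: an `OAuth2TokenValidator<Jwt>` that converts the `iss` claim to a `String` before comparing, so it passes whether `NimbusJwtDecoder`'s claim set converter produced a `String` or a `java.net.URL`. It also shows how to combine it with `JwtTimestampValidator` the way the workaround above does. The class name `StringIssuerValidator`, the issuer URL, the token value and the subject are assumptions for illustration; the `main` method builds a `Jwt` by hand whose `iss` claim is already a `URL`, simulating what the debugging section observed.

```java
import java.net.URL;
import java.time.Instant;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.util.Assert;

/**
 * Illustrative issuer validator (not Spring Security's JwtIssuerValidator).
 * It compares the expected issuer against the "iss" claim as text, so a claim
 * that a claim set converter has already turned into a java.net.URL still
 * matches the configured String.
 */
public final class StringIssuerValidator implements OAuth2TokenValidator<Jwt> {

    private final String issuer;

    public StringIssuerValidator(String issuer) {
        Assert.hasText(issuer, "issuer cannot be empty");
        this.issuer = issuer;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt token) {
        Object iss = token.getClaims().get(JwtClaimNames.ISS);
        // String.valueOf(URL) is URL.toString(), i.e. the issuer text that was parsed;
        // a String claim passes through unchanged, a missing claim stays null.
        String actual = (iss == null) ? null : String.valueOf(iss);
        if (this.issuer.equals(actual)) {
            return OAuth2TokenValidatorResult.success();
        }
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
                "The iss claim is not valid",
                "https://tools.ietf.org/html/rfc6750#section-3.1");
        return OAuth2TokenValidatorResult.failure(error);
    }

    /** Same combination as the workaround: timestamps plus a String-safe issuer check. */
    public static OAuth2TokenValidator<Jwt> idTokenValidator(String issuer) {
        return new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(),
                new StringIssuerValidator(issuer));
    }

    public static void main(String[] args) throws Exception {
        // Assumed issuer for the demo, not taken from the issue.
        String issuer = "https://issuer.example.com/realms/demo";

        // Simulate NimbusJwtDecoder's claim set converter: "iss" arrives as a URL.
        Jwt jwt = Jwt.withTokenValue("not-a-real-token")
                .header("alg", "RS256")
                .claim(JwtClaimNames.ISS, new URL(issuer))
                .claim(JwtClaimNames.SUB, "alice")
                .issuedAt(Instant.now())
                .expiresAt(Instant.now().plusSeconds(300))
                .build();

        // The comparison the issue reports: String.equals(URL) can never be true.
        boolean rawEquals = issuer.equals(jwt.getClaims().get(JwtClaimNames.ISS));
        System.out.println("String.equals(URL) -> " + rawEquals);

        // Converting to String first makes the same token validate.
        OAuth2TokenValidatorResult result = idTokenValidator(issuer).validate(jwt);
        System.out.println("StringIssuerValidator hasErrors -> " + result.hasErrors());
    }
}
```

Comparing as text rather than calling `URL.equals` has a second benefit worth knowing: `java.net.URL.equals` may resolve host names to decide whether two URLs are equal, which is both slow and a surprising place for a network dependency in a token validator. A plain `String` comparison of the issuer is exact, deterministic and offline.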