Describe the bug
Trying to create a JWT decoder using the JwtDecoders.fromOidcIssuerLocation methods propagates to the following error:
Caused by: java.lang.NoSuchMethodError: 'void com.nimbusds.jose.proc.JWSVerificationKeySelector.<init>(java.util.Set, com.nimbusds.jose.jwk.source.JWKSource)'
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.jwsKeySelector(NimbusJwtDecoder.java:334)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.processor(NimbusJwtDecoder.java:349)
at org.springframework.security.oauth2.jwt.NimbusJwtDecoder$JwkSetUriJwtDecoderBuilder.build(NimbusJwtDecoder.java:362)
at org.springframework.security.oauth2.jwt.JwtDecoders.withProviderConfiguration(JwtDecoders.java:124)
at org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:66)
To Reproduce Use a known JWS configuration url, example entrypoint: https://oidc-ver2.difi.no/idporten-oidc-provider
Expected behavior Expected that a decoder would be instanciated.
Comment From: tanettrimas
It might be because of the following inside of NimbusJwtDecoder line 334 creates a JWSVerificationKeySelector with a Set of algorithms, when the constuctor only accepts one algorithm?:
JWSKeySelector<SecurityContext> jwsKeySelector(JWKSource<SecurityContext> jwkSource) {
if (this.signatureAlgorithms.isEmpty()) {
return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwkSource);
}
Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
for (SignatureAlgorithm signatureAlgorithm : this.signatureAlgorithms) {
JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
jwsAlgorithms.add(jwsAlgorithm);
}
return new JWSVerificationKeySelector<>(jwsAlgorithms, jwkSource);
}
Comment From: jgrandja
@tanettrimas What version of Spring Security and Spring Boot are you using? It is likely related to #9399
Comment From: tanettrimas
Hi @jgrandja :)
Thanks for the quick reply!
So I had these dependencies.
<dependencies>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-webflux</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-test</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
With a parent of this:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.5.0-SNAPSHOT</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
Comment From: jgrandja
@tanettrimas Can you try on Spring Boot 2.4.3. I suspect it will work on that version.
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.