**Summary**

I have a NimbusReactiveJwtDecoder that is not used in the OAuth2 flow to check the token signature (oauth2Login). The application must pass via a proxy to reach the URL on the server. The custom WebClient uses the proxy to get the access token, but a timeout exception is thrown when trying to reach the JWK set URI.

**Actual Behavior**

- NimbusReactiveJwtDecoder bean is not used
- Verification of the token signature cannot be done due to inaccessibility without the proxy

**Expected Behavior**

The custom WebClient with the proxy must be used in the NimbusReactiveJwtDecoder instance.

**Configuration**
```java
@Bean
public NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder(
        @Qualifier("proxyWebClient") WebClient webClient,
        @Value("${spring.security.oauth2.client.provider.company.jwk-set-uri}") final String jwkUrl
) {
    NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder jwkSetUriReactiveJwtDecoderBuilder = NimbusReactiveJwtDecoder
            .withJwkSetUri(jwkUrl)
            .jwsAlgorithm(SignatureAlgorithm.RS256)
            .webClient(webClient);
    return jwkSetUriReactiveJwtDecoderBuilder.build();
}
```
**Security config**

```java
// OAuth2 login
http.oauth2Login(oauth2 -> oauth2
        .authenticationMatcher(new PathPatternParserServerWebExchangeMatcher("/login/oauth2/code/{registrationId}"))
        .authenticationSuccessHandler(this.reactiveConnectSuccessHandler)
        .authenticationFailureHandler(this.reactiveFailureHandler)
        .authorizedClientService(new InMemoryReactiveOAuth2AuthorizedClientService(companyClientRegistrationRepository))
        .clientRegistrationRepository(companyClientRegistrationRepository)
        .authorizedClientRepository(authorizedClientRepository())
)
.build();
```
**Version**

- JVM version (`java -version`): 8
- Spring Boot Version: 2.5.6
- Spring Cloud Version: 2020.0.3
- Reactor version(s) used: 0.9.20.RELEASE
- Dependencies:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.6.1</version>
</dependency>
```
**Comment From: sjohnr**
Hi @haythamdahri. I'm not able to quite understand your issue. Can you further explain what you mean by the following:
> Verification of token signature cannot be done due to inaccessibility without proxy
What does "proxy" in your issue refer to? Is it another web server? Is it a JDK proxy? Would you be able to provide a sample that reproduces this issue? Possibly with an integration test that mocks out whatever component is failing to demonstrate the issue?
**Comment From: haythamdahri**
Hi @sjohnr, by proxy I mean an **HTTP PROXY SERVER**.

When implementing the **authorization_code** flow, I redirect the user to the SSO to log in with username and password; then he is redirected to my service with the code. Then my service sends a request to the OpenID Connect server **(code and client credentials)** to get an **access token**. The last step is checking the token signature (**jwk-set-uri**).

Spring's implementation uses **NimbusReactiveJwtDecoder** to check the signature by sending an HTTP request to the configured URI **spring.security.oauth2.client.provider.company.jwk-set-uri**.

Here is the configuration that I use:

```properties
spring.security.oauth2.client.registration.company.client-name=COMPANY
spring.security.oauth2.client.registration.company.client-id=CLIENT_ID
spring.security.oauth2.client.registration.company.client-secret=CLIENT_SECRET
spring.security.oauth2.client.registration.company.authorization-grant-type=authorization_code
spring.security.oauth2.client.registration.company.redirect-uri=http://sso-company.com/auth/login
spring.security.oauth2.client.provider.company.authorization-uri=https://sso-company/openam/oauth2/developpement/authorize
spring.security.oauth2.client.provider.company.token-uri=https://sso-company/openam/oauth2/developpement/access_token
spring.security.oauth2.client.provider.company.user-info-uri=https://sso-company/openam/oauth2/developpement/userinfo
spring.security.oauth2.client.provider.company.jwk-set-uri=https://sso-company/openam/oauth2/developpement/connect/jwk_uri
```

Issue:

This NimbusReactiveJwtDecoder uses the default WebClient, while all requests from my server should pass via the proxy. Here is the default WebClient that should be overridden: https://github.com/spring-projects/spring-security/blob/0ae41ff8735ef5c71e38d872a5799aa73d7c0ab2/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java#L285

The NimbusReactiveJwtDecoder bean that I provided is not used, which is the issue here.

Thank you for your help.
**Comment From: sjohnr**

> Verification of token signature cannot be done due to inaccessibility without proxy

Are you referring to the token signature of the ID token returned by the OpenID Connect login flow? Have you read the section of the docs on ID Token Signature Verification? As specified in the docs, I believe you will need to provide an @Bean ReactiveJwtDecoderFactory<ClientRegistration>.

Make sure you have the oauth2-client dependency on your classpath:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
```

You could potentially provide the ReactiveJwtDecoder with your custom WebClient as in the following example:

```java
@Bean
public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory(
        @Qualifier("proxyWebClient") WebClient webClient,
        @Value("${spring.security.oauth2.client.provider.company.jwk-set-uri}") final String jwkUrl
) {
    return (clientRegistration) -> NimbusReactiveJwtDecoder.withJwkSetUri(jwkUrl)
            .jwsAlgorithm(SignatureAlgorithm.RS256)
            .webClient(webClient)
            .build();
}
```

Does this resolve your issue?

As an aside, your dependencies include:

```xml
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.6.1</version>
</dependency>
```

What are you using this dependency for? Did you intend to use this dependency? See the deprecation notice on the Spring Security OAuth project page. The latest versions of Spring Security include full support for OAuth without this dependency.
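The complete configuration that the suggestion above implies, as an added example (not code from this thread or from Spring Security): it builds the `proxyWebClient` bean the reporter refers to but never shows, using Reactor Netty's proxy support, and wires it into a `ReactiveJwtDecoderFactory<ClientRegistration>` that reads the jwk-set-uri from each registration instead of a single hard-coded property. The proxy host and port are placeholders, and the `ProxyProvider` import assumes the Reactor Netty 1.0 line that Spring Boot 2.5 manages.

```java
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoderFactory;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;
import reactor.netty.transport.ProxyProvider;

@Configuration
public class ProxyIdTokenDecoderConfig {
    // Hypothetical proxy address: replace with the real HTTP proxy host and port.
    private static final String PROXY_HOST = "proxy.example.internal";
    private static final int PROXY_PORT = 3128;

    // WebClient whose outbound requests (token endpoint, JWK set) go through the proxy.
    @Bean("proxyWebClient")
    public WebClient proxyWebClient() {
        HttpClient httpClient = HttpClient.create()
                .proxy(spec -> spec.type(ProxyProvider.Proxy.HTTP).host(PROXY_HOST).port(PROXY_PORT));
        return WebClient.builder()
                .clientConnector(new ReactorClientHttpConnector(httpClient))
                .build();
    }

    // Replaces ReactiveOidcIdTokenDecoderFactory so ID-token signature checks use the proxy.
    @Bean
    public ReactiveJwtDecoderFactory<ClientRegistration> idTokenDecoderFactory(
            @Qualifier("proxyWebClient") WebClient webClient) {
        return clientRegistration -> {
            // Take jwk-set-uri from the registration instead of a hard-coded property.
            NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
                    .withJwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri())
                    .jwsAlgorithm(SignatureAlgorithm.RS256)
                    .webClient(webClient)
                    .build();
            // The default factory installs these validators (exp/nbf, iss, aud, azp);
            // a custom factory must add them or the ID token is only signature-checked.
            decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                    new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration)));
            return decoder;
        };
    }
}
```

Replacing the factory also replaces its default validators, so the example re-adds them; a decoder that only verifies the signature would accept an expired ID token or one issued for a different client.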
**Comment From: spring-projects-issues**

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
**Comment From: haythamdahri**

Hello, I provided the bean config to check the signature of the token returned by the OpenID flow, but nothing changed; the webClient is not used. For the following dependency

```xml
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.6.1</version>
</dependency>
```

I used it to manipulate the token signature manually to unlock this step and look at why it's not working as expected.

Is there any custom configuration to do in the SecurityWebFilterChain bean, specifically in http.oauth2Login, that I am missing here?
**Comment From: sjohnr**

@haythamdahri,

> Hello, I provided the bean config to check the signature of the token returned by the OpenID flow, but nothing changed; the webClient is not used.

Could you please provide a minimal sample that reproduces this issue?

> For the following dependency
>
> ```xml
> <dependency>
>     <groupId>org.springframework.security.oauth.boot</groupId>
>     <artifactId>spring-security-oauth2-autoconfigure</artifactId>
>     <version>2.6.1</version>
> </dependency>
> ```
>
> I used it to manipulate the token signature manually to unlock this step and look at why it's not working as expected.

I believe you should not have that dependency on your classpath. Again, it would be helpful if you could provide a minimal sample of what you're trying to achieve.

> Is there any custom configuration to do in the SecurityWebFilterChain bean, specifically in http.oauth2Login, that I am missing here?

Sorry, I'm uncertain. If you can provide a sample, I'd be happy to take a look.
**Comment From: spring-projects-issues**

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

**Comment From: sjohnr**

@haythamdahri have you been able to make any progress on a sample? If you're not able to, no worries, but I wanted to ask in case you have.

**Comment From: haythamdahri**

@sjohnr Thank you very much for your help. After many attempts, I could do the JWK check passing through the proxy server. The oauth2 autoconfigure was removed and some minor config was done. In the end, ReactiveJwtDecoderFactory<ClientRegistration> was a required config for that.

Many thanks for your reactivity.

**Comment From: sjohnr**

Awesome, thanks @haythamdahri, glad to help!