Description: I recently migrated from Spring Boot Version 2.7.10 to 3.0.5. The oauth2 resource server with minimalistic config which validated the token previously, failed. Upon debugging, I saw that with 2.7.10, the jwk-set-uri is invoked. However, with 3.0.5, the jwk-set-uri is never invoked and returns 401 with "www-authenticate Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

Steps to reproduce the behavior: Compare the behavior of oauth2 resource server with 2.7.10 vs 3.0.5

Expected behavior: The jwk-set-uri provided should be invoked to fetch keys and algorithm to validate token.

Sample: I'll need to generate a sample if you really need one.

But this is kind of a blocker, and if you are already aware of it, please help me with it.

Thanks :)

Comment From: isatishp

https://github.com/isatishp/sample-security

Repository contains two branches for spring boot 2.7.10 and 3.0.5 respectively.

I have also provided a sample token which could be expired by the time you test it. You may get 401, but you'll see that the jwks endpoint is still invoked in Spring Boot 2.7.10, while it is never invoked in the case of Spring Boot 3.

Comment From: jzheaux

Sorry that you are having trouble with the upgrade, @isatishp, and thanks for reaching out for help.

I believe the Spring Boot property has changed from jws-algorithm to jws-algorithms. When I made this change, your sample worked correctly.

Note that the Boot guide references a tool they've provided to help with property migration. Your IDE can also be a support here (as it was for me in this case).
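
One way to make a stale `jws-algorithm` property fail at startup instead of leaving the decoder on its RS256 default, as an added example (not code from this issue, the sample repository, or Spring Security itself). The class name `PinnedJwtDecoderConfig` is hypothetical, and the property keys assume the standard `spring.security.oauth2.resourceserver.jwt.*` prefix used by Spring Boot 3.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical configuration class: replaces Boot's auto-configured JwtDecoder
// (which backs off when a JwtDecoder bean is present) with one whose accepted
// algorithms are mandatory rather than defaulted.
@Configuration
public class PinnedJwtDecoderConfig {

    @Bean
    JwtDecoder jwtDecoder(
            // No default values on purpose: if only the Boot 2.x key
            // "...jwt.jws-algorithm" is still set, the placeholder below cannot
            // be resolved and the application refuses to start.
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri,
            @Value("${spring.security.oauth2.resourceserver.jwt.jws-algorithms}") String algorithms) {

        NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder =
                NimbusJwtDecoder.withJwkSetUri(jwkSetUri);

        // Accept a comma-separated list such as "RS512" or "RS256,ES256"
        // (sample values, not taken from the issue).
        for (String name : algorithms.split(",")) {
            SignatureAlgorithm algorithm = SignatureAlgorithm.from(name.trim());
            if (algorithm == null) {
                // from() returns null for names it does not know; reject them
                // so a typo cannot silently narrow or widen what is trusted.
                throw new IllegalStateException(
                        "Unsupported JWS algorithm in jws-algorithms: " + name);
            }
            // Each call appends to the set of algorithms the decoder accepts.
            builder.jwsAlgorithm(algorithm);
        }
        return builder.build();
    }
}
```

With this bean in place, a token whose `alg` header is outside the configured list is still rejected, but a missing or misspelled property shows up as a startup failure rather than as a 401 at request time.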

Comment From: isatishp

Thank you for the clarification. Could you please also update the reference documentation? Now I still do get 401 but with a different error message "Www-authenticate Bearer".

On Sat, 8 Apr, 2023, 4:53 am Josh Cummings, @.***> wrote:

Sorry that you are having trouble with the upgrade, @isatishp https://github.com/isatishp, and thanks for reaching out for help.

I believe the Spring Boot property has changed from jws-algorithm to jws-algorithms https://github.com/spring-projects/spring-boot/issues/31321. When I made this change, your sample worked correctly.

Note that the Boot guide references a tool they've provided to help with property migration https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide#configuration-properties-migration. Your IDE can also be a support here (as it was for me in this case).
