This is a follow-up issue:
* originally described in https://github.com/spring-projects/spring-security/issues/9900 (which is now closed)
* solution now exists in Nimbus: https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/480/nimbusreactivejwtdecoder-with-oidcs
* https://datatracker.ietf.org/doc/rfc9068/ published since then, "at+jwt" is the new standard
Expected Behavior
Spring Security OAuth2 Resource Server with JWT as bearer token should accept typ "at+jwt" as well.
Current Behavior
Currently, if the JWT has typ "at+jwt", the token is rejected with the message "Failed to authenticate since the JWT was invalid".
My Authorization server is issuing JWT access tokens with typ "at+jwt" as per the following draft: https://www.rfc-editor.org/rfc/rfc9068.html
How has this issue affected you?
The JWT token is rejected although it is correct as per the Authorization server.
What are you trying to accomplish?
Validate JWT Bearer tokens using Spring Security OAuth2 Resource Server capabilities.
What other alternatives have you considered?
Ugly workaround (custom JWT decoder).
Are you aware of any workarounds?
Custom JWT decoder (quite cumbersome).
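The "custom JWT decoder" workaround mentioned above, written out as an added example (not code from the issue author or from the Spring Security project): it builds a NimbusJwtDecoder whose Nimbus JWT processor is customized with a JOSE object type verifier that accepts "at+jwt" alongside the default "JWT" and missing typ, while still rejecting every other typ value. The JWK Set URI is an assumed placeholder.

```java
import java.util.function.Consumer;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AtJwtDecoderConfig {

    // Placeholder JWK Set endpoint of the authorization server (assumption); replace with your own.
    private static final String JWK_SET_URI = "https://auth.example.com/oauth2/jwks";

    @Bean
    JwtDecoder jwtDecoder() {
        // Allowed typ header values: "JWT" (Nimbus default), RFC 9068 "at+jwt",
        // and null (typ header omitted, also accepted by the Nimbus default).
        // Any other typ, e.g. an ID token or logout token type, is still rejected,
        // so such tokens cannot be presented to this resource server as access tokens.
        DefaultJOSEObjectTypeVerifier<SecurityContext> typeVerifier =
                new DefaultJOSEObjectTypeVerifier<>(
                        JOSEObjectType.JWT, new JOSEObjectType("at+jwt"), null);

        // Hook into the Nimbus processor that NimbusJwtDecoder builds internally.
        Consumer<ConfigurableJWTProcessor<SecurityContext>> customizer =
                processor -> processor.setJWSTypeVerifier(typeVerifier);

        return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .jwtProcessorCustomizer(customizer)
                .build();
    }
}
```

Signature, issuer and expiry validation are unchanged by this customization; only the typ header check is widened to the two access-token types.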
Comment From: ymajoros
@jzheaux @tekgainers @andifalk @shartte
Comment From: ymajoros
Pull request: https://github.com/spring-projects/spring-security/pull/13186
Comment From: jzheaux
Thanks, @ymajoros. I'm closing this in favor of reopening #9900. Please see https://github.com/spring-projects/spring-security/issues/9900#issuecomment-1555274171 for details.
Comment From: ymajoros
Thanks, let's go further in #9900 but please note that there was a pull request attached.