Expected Behavior

Have a configurable way to allow NimbusJwtDecoder to accept PlainJWT.

That is, allow firebase auth emulators tokens to be parsed.

Current Behavior

When attempting to parse a token from the Firebase auth emulator, we get an exception: Unsupported algorithm of none.

Context

I'm trying to use the Firebase auth emulators for test users on social login, together with my Java Spring backend. The Firebase auth emulator seems to generate tokens that are unsigned, with alg: none.

The source of where the exception is thrown: https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java#L134

I even started an attempt to replace it by creating a bean, LocalJwtAuthenticationProvider, which is mostly a copy of JwtAuthenticationProvider.

But since the exception from NimbusJwtDecoder is thrown before the parsing, and all the parse methods are private, we would also need to create a copy of NimbusJwtDecoder.

Overall this is pretty much the workaround I currently have, but it would be great if I could just have a configuration option for that, or at least be able to copy fewer classes.

Comment From: jzheaux

In your case, you may want to use Nimbus directly as I don't imagine we want to make that feature generally available.

Here is a rough sketch of a custom JwtDecoder you can use that does that:

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;

DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
JwtDecoder plain = (token) -> {
    try {
        // PlainJWT.parse only accepts an unsecured (alg=none) token
        JWT parsed = PlainJWT.parse(token);
        // claims validation is delegated to the Nimbus processor; no signature is checked
        JWTClaimsSet claims = processor.process(parsed, null);
        return Jwt.withTokenValue(token)
            .headers((h) -> h.putAll(parsed.getHeader().toJSONObject()))
            .claims((c) -> c.putAll(claims.getClaims()))
            .build();
    } catch (Exception ex) {
        throw new JwtException(ex.getMessage(), ex);
    }
};

Such a JwtDecoder relies on Nimbus to validate the JWT, which is quite a bit simpler since no signature verification is wanted.
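For readers who want a drop-in Spring bean rather than a sketch, here is an added example (not code from this issue, nor from Spring Security or Nimbus) of a JwtDecoder that accepts unsecured tokens only while a dedicated Spring profile is active and still enforces expiry and issuer checks through Spring's own JwtValidators instead of a Nimbus processor. The profile name "firebase-emulator", the issuer placeholder "https://example.invalid/firebase-emulator", and the assumption that the emulator's tokens carry standard iss/exp claims are all mine, not taken from the page.

```java
import java.text.ParseException;
import java.util.Collections;
import java.util.Map;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.MappedJwtClaimSetConverter;

// Added example, not code from the issue or from Spring Security.
// Registers a JwtDecoder that accepts unsecured (alg=none) tokens such as the
// Firebase Auth emulator issues, but only while an assumed dev-only profile is
// active, and still enforces exp/nbf and an exact issuer match.
@Configuration
@Profile("firebase-emulator") // assumed profile name; never part of a production profile set
public class EmulatorJwtDecoderConfig {

    // Placeholder: the emulator's actual issuer value is not given on this page.
    private static final String EMULATOR_ISSUER = "https://example.invalid/firebase-emulator";

    @Bean
    JwtDecoder emulatorJwtDecoder() {
        // Spring's default validators: exp/nbf with clock skew plus an exact "iss" match.
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(EMULATOR_ISSUER);
        return token -> {
            Jwt jwt = toJwt(token);
            OAuth2TokenValidatorResult result = validator.validate(jwt);
            if (result.hasErrors()) {
                throw new JwtException("Emulator token rejected: " + result.getErrors());
            }
            return jwt;
        };
    }

    // PlainJWT.parse only accepts a header with alg=none and an empty signature part,
    // so a signed or encrypted token fails here instead of being treated as unsecured.
    private static Jwt toJwt(String token) {
        try {
            PlainJWT parsed = PlainJWT.parse(token);
            JWTClaimsSet claimsSet = parsed.getJWTClaimsSet();
            // Same claim conversion NimbusJwtDecoder applies (Date -> Instant for
            // exp/iat/nbf, etc.); Jwt.Builder.build() requires Instant timestamps.
            Map<String, Object> claims = MappedJwtClaimSetConverter
                .withDefaults(Collections.emptyMap())
                .convert(claimsSet.getClaims());
            return Jwt.withTokenValue(token)
                .headers(h -> h.putAll(parsed.getHeader().toJSONObject()))
                .claims(c -> c.putAll(claims))
                .build();
        } catch (ParseException ex) {
            throw new JwtException("Not an unsecured JWT: " + ex.getMessage(), ex);
        }
    }
}
```

Because the bean is profile-gated, the production configuration keeps the regular signature-verifying NimbusJwtDecoder; the decoder above can only be wired in when the emulator profile is deliberately enabled, and even then a token that is expired, not yet valid, or issued by anyone other than the configured issuer is rejected with a JwtException that JwtAuthenticationProvider turns into a normal authentication failure.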