I use Spring Boot with the spring-security-oauth2 module to build a RESTful API.
I also have an (external) auth server delivering JWT, and a secret key to verify the signature (
I understand the problem: I decode the Base64 url-encoded String using this code:
final Base64.Decoder decoder = Base64.getUrlDecoder();
final byte[] decoded = decoder.decode(key.getBytes());
This uses the default platform encoding (UTF-8 in my case). Then I re-encode it to String in order to be set to the
String decodedKey = new String(decoded);
JwtAccessTokenConverter creates an instance of MacSigner with this String as parameter; its constructor gets the bytes from the String:
... new SecretKeySpec(key.getBytes(), ...);
Finally, when trying to verify the JWT signature, it fails.
In fact, that cannot work, because there is information loss when transforming back to a String:
assertThat(decoded, equalTo(decodedKey.getBytes())); // fails!
So the solution is to build a MacSigner with the decoded byte array. I need to reimplement the JwtAccessTokenConverter.
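The following is an added, self-contained illustration (not code from the post or from Spring Security) of the information loss described above and of the fix, using the JDK's own Mac and SecretKeySpec, which is what MacSigner wraps per the snippet above; the key bytes and the JWT signing input are constructed samples.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtKeyRoundTrip {
    // Constructed sample secret (hypothetical, not from any real auth server): 16 raw bytes,
    // several of which are not valid UTF-8 (0xff, a lone 0x80, 0xc3 0x28), as real key material often is.
    static final byte[] RAW_KEY = {
        (byte) 0xff, (byte) 0xfe, 0x00, 0x41, (byte) 0x80, (byte) 0xc3, 0x28, 0x7f,
        (byte) 0x9a, 0x13, (byte) 0xe0, 0x01, 0x42, (byte) 0xf5, 0x61, 0x7e
    };

    // The lossy path from the post: decode, wrap in a String, take the bytes back out.
    // Invalid UTF-8 sequences are replaced by U+FFFD (EF BF BD), so the bytes change.
    static byte[] keyViaString(String encoded) {
        byte[] decoded = Base64.getUrlDecoder().decode(encoded);
        String decodedKey = new String(decoded, StandardCharsets.UTF_8); // post used platform default (UTF-8)
        return decodedKey.getBytes(StandardCharsets.UTF_8);
    }

    // The correct path: keep the decoded byte[] and never go through a String.
    static byte[] keyDirect(String encoded) {
        return Base64.getUrlDecoder().decode(encoded);
    }

    // HMAC-SHA256 over the JWT signing input (header.payload), as both the issuer and a MacSigner do.
    static byte[] hmac(byte[] key, String signingInput) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    // Constant-time comparison, as a signature verifier should use.
    static boolean verifies(byte[] verifierKey, String signingInput, byte[] sig) throws GeneralSecurityException {
        return MessageDigest.isEqual(hmac(verifierKey, signingInput), sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String signingInput = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9"; // constructed {"alg":"HS256"}.{"sub":"alice"}
        byte[] signature = hmac(RAW_KEY, signingInput); // what the auth server produces with the raw key
        String encoded = Base64.getUrlEncoder().withoutPadding().encodeToString(RAW_KEY); // what it hands out
        System.out.println("key survives String round-trip: " + Arrays.equals(RAW_KEY, keyViaString(encoded)));
        System.out.println("verify with key via String:     " + verifies(keyViaString(encoded), signingInput, signature));
        System.out.println("verify with decoded byte[]:     " + verifies(keyDirect(encoded), signingInput, signature));
    }
}
```

The first two lines print false and the last prints true, which is exactly why the verifier must be given the decoded byte array rather than a String rebuilt from it.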