cdelmas cdelmas - 5 months ago 48
Java Question

Encoding of security.oauth2.resource.jwt.key-value

I use Spring Boot with the spring-security-oauth2 module to build a RESTful API.
I also have an (external) auth server delivering JWT, and a secret key to verify the signature (security.oauth2.resource.jwt.key-value); the algorithm is HMAC.

The problem is that the key is base64url encoded, and as far as I understand reading the source code, the property security.oauth2.resource.jwt.key-value must be plain text.

I tried to manually decode the key and set it in the external configuration file, but this doesn't work.

So the question is: what can I do? Is there a way to decode it on the fly before the beans are configured? Any other suggestions?

Thanks in advance.

Answer

I understand the problem: I decode the base64url encoded String using this code:

import java.util.Base64;

final Base64.Decoder decoder = Base64.getUrlDecoder();
final byte[] decoded = decoder.decode(key.getBytes()); // key.getBytes() uses the platform default charset

This uses the default platform encoding (UTF-8 in my case). Then I re-encode it to String in order to be set to the JwtAccessTokenConverter with

String decodedKey = new String(decoded);

Later, the JwtAccessTokenConverter creates an instance of MacSigner with this String as parameter; its constructor gets the bytes from the String:

...
new SecretKeySpec(key.getBytes(), ...);

Finally, when trying to verify the JWT signature, it fails.

In fact that cannot work, because there is an information loss while transforming back to String:

assertThat(decoded, equalTo(decodedKey.getBytes())); // fails!

So the solution is to build a MacSigner with the decoded byte array. I need to reimplement the JwtAccessTokenConverter.
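The round trip the answer describes, as an added, self-contained example (not code from the question, the answer, or Spring): it decodes a base64url key, pushes the bytes through String and back, and shows that an HMAC computed with the original bytes no longer verifies with the round-tripped key. The key, the JWS signing input and the class/method names are constructed for this example; javax.crypto.Mac stands in for Spring's MacSigner, which wraps the same HmacSHA256 primitive.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtKeyRoundTrip {

    // Constructed sample: a 32-byte HMAC key containing bytes that are not valid
    // UTF-8 (0xFF, 0x80, an overlong 0xC0 0xAF, ...). A key drawn from a CSPRNG
    // will contain such bytes most of the time.
    static final byte[] RAW_KEY = {
        (byte) 0xFF, (byte) 0x80, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
        (byte) 0xC0, (byte) 0xAF, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
        (byte) 0xE0, (byte) 0x9F, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25,
        (byte) 0xFE, (byte) 0xFD, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35
    };

    // What an auth server would hand out and what lands in key-value: base64url, no padding.
    static final String KEY_VALUE =
        Base64.getUrlEncoder().withoutPadding().encodeToString(RAW_KEY);

    // Constructed JWS signing input ("header.payload"); its content is irrelevant here.
    static final String SIGNING_INPUT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0";

    /** Decode the property value the way the answer does, but straight to bytes. */
    static byte[] decodeKeyValue(String keyValue) {
        return Base64.getUrlDecoder().decode(keyValue);
    }

    /** The lossy path: bytes -> String -> bytes. Malformed UTF-8 sequences are
     *  replaced by U+FFFD on the way in and re-encoded as EF BF BD on the way out. */
    static byte[] roundTripThroughString(byte[] key) {
        String asString = new String(key, StandardCharsets.UTF_8);
        return asString.getBytes(StandardCharsets.UTF_8);
    }

    /** True only when every byte of the key survives the String detour. */
    static boolean roundTripIsLossless(byte[] key) {
        return Arrays.equals(key, roundTripThroughString(key));
    }

    /** HMAC-SHA256 over the signing input, the primitive MacSigner uses. */
    static byte[] hmacSha256(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    /** Verification with a constant-time comparison of the two MACs. */
    static boolean verify(byte[] key, byte[] data, byte[] expectedMac) throws Exception {
        return MessageDigest.isEqual(hmacSha256(key, data), expectedMac);
    }

    public static void main(String[] args) throws Exception {
        byte[] decoded = decodeKeyValue(KEY_VALUE);
        byte[] roundTripped = roundTripThroughString(decoded);
        byte[] data = SIGNING_INPUT.getBytes(StandardCharsets.US_ASCII);

        // The auth server signs with the raw key bytes.
        byte[] signature = hmacSha256(decoded, data);

        System.out.println("decoded length       : " + decoded.length);        // 32
        System.out.println("round-tripped length : " + roundTripped.length);   // larger
        System.out.println("bytes identical      : " + roundTripIsLossless(decoded)); // false
        System.out.println("verify, raw bytes    : " + verify(decoded, data, signature));      // true
        System.out.println("verify, String detour: " + verify(roundTripped, data, signature)); // false

        // Why the bug hides in tests: a purely printable-ASCII key round-trips unchanged.
        byte[] asciiKey = "this-is-a-32-byte-test-secret!!!".getBytes(StandardCharsets.US_ASCII);
        System.out.println("ASCII key lossless   : " + roundTripIsLossless(asciiKey)); // true
    }
}
```

The practical takeaway matches the answer: keep the key as a byte[] from the decoder all the way to the signer and never let it pass through a String. As far as I recall, Spring's MacSigner also offers a byte[] constructor and JwtAccessTokenConverter exposes setVerifier(SignatureVerifier), which is where the byte-array-built signer would be wired in; treat that as my reading of the library, not something the page states.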
