When calling
oauth/token_key
to retrieve the OAuth public key, for example:
{
"alg":"SHA256withRSA",
"value":"-----BEGIN PUBLIC KEY----- nMAABIjANBgkq… -----END PUBLIC KEY-----"
}
How do we pass the credentials when calling this via Spring OAuth?
Previously it seems these properties were set with
security.oauth2.resource.jwt.key-uri=http://localhost:8080/oauth/token_key
security.oauth2.client.client-id=clientID
security.oauth2.client.client-secret=clientPassword
In the migration guide I cannot see any appropriate migration for this, either in code or via the config.
As we now, I believe, use config like this to set the jwt.key-uri:
spring.security.oauth2.client.resourceserver.jwt.jwk-set-uri=
But no equivalent place to set any id or secret.
Thanks
So it is probably an edge case that a public key is protected like this, on a legacy OAuth server. I could not find any documentation at this time that describes a solution that worked. It does seem that Spring Security OAuth is in a large transition. I did not want to roll back to deprecated code, so I defined my own bean for the NimbusReactiveJwtDecoder.
This allowed me to pass basic auth when getting the public key at start up time of the application.
Sample code in Kotlin is:
import java.security.KeyFactory
import java.security.interfaces.RSAPublicKey
import java.security.spec.X509EncodedKeySpec
import java.util.Base64
import org.springframework.context.annotation.Bean
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
import org.springframework.web.reactive.function.client.WebClient
import org.springframework.web.reactive.function.client.bodyToMono

// Shape of the /oauth/token_key response: {"alg": "...", "value": "-----BEGIN PUBLIC KEY----- ..."}
data class TokenKey(val alg: String, val value: String)

// Strip the PEM armour; the MIME decoder ignores the remaining whitespace and newlines
private fun pemToDer(pem: String): ByteArray = Base64.getMimeDecoder()
    .decode(pem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", ""))

@Bean
fun jwtDecoderByPublicKey(webclient: WebClient): NimbusReactiveJwtDecoder? =
    webclient.get()
        .uri("http://localhost:8080/oauth/token_key")
        .headers { headers -> headers.setBasicAuth("username", "password") } // client id / client secret
        .retrieve()
        .bodyToMono<TokenKey>()
        .map { KeyFactory.getInstance("RSA").generatePublic(X509EncodedKeySpec(pemToDer(it.value))) as RSAPublicKey }
        .map { NimbusReactiveJwtDecoder.withPublicKey(it).signatureAlgorithm(SignatureAlgorithm.from("RS256")).build() }
        .block() // the key is fetched once at application start-up, so blocking here is acceptable
Code inspired by the auto-configuration bean that is used when the property is given.
Current best solution I can find.
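One check worth adding to the approach above, as an added example that is not part of the original answer: the decoder in the answer hard-codes RS256, while the token_key response already reports the signing algorithm (`"alg":"SHA256withRSA"` in the question, which is the JCA name for JWS RS256). Deriving the decoder's algorithm from that field, and failing at start-up on anything unexpected, avoids a silent mismatch between what the server signs with and what the resource server accepts. The function names `jwsAlgorithmFor` and `decoderFor` are assumptions for illustration, not Spring APIs.

```kotlin
import java.security.interfaces.RSAPublicKey
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder

// Map the JCA algorithm name returned by /oauth/token_key to the JWS algorithm the
// decoder must enforce. Anything else is rejected rather than defaulted to RS256.
// (Hypothetical helper, not a Spring API.)
fun jwsAlgorithmFor(tokenKeyAlg: String): SignatureAlgorithm = when (tokenKeyAlg) {
    "SHA256withRSA" -> SignatureAlgorithm.RS256
    "SHA384withRSA" -> SignatureAlgorithm.RS384
    "SHA512withRSA" -> SignatureAlgorithm.RS512
    else -> throw IllegalStateException("token_key returned unsupported alg: $tokenKeyAlg")
}

// Build the decoder from the fetched key and the server-reported algorithm, refusing
// weak RSA keys so a misconfigured legacy server is caught at start-up, not at runtime.
// (Hypothetical helper, not a Spring API.)
fun decoderFor(key: RSAPublicKey, tokenKeyAlg: String): NimbusReactiveJwtDecoder {
    check(key.modulus.bitLength() >= 2048) { "RSA key from token_key is too small: ${key.modulus.bitLength()} bits" }
    return NimbusReactiveJwtDecoder.withPublicKey(key)
        .signatureAlgorithm(jwsAlgorithmFor(tokenKeyAlg))
        .build()
}
```

In the bean from the answer, the second `.map` would become `.map { decoderFor(it.key, it.alg) }` after carrying both the parsed `RSAPublicKey` and the response's `alg` string through the first `.map`.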