Tags: spring-boot, spring-security, spring-webflux, auth0

JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader


I'm using auth0-angular to get getAccessTokenSilently() and send the access_token to my backend server using authorization: Bearer blablabla

When I try to make a request with this header my Spring security configuration starts throwing errors.

The error I'm getting:

Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: class com.nimbusds.jose.JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader (com.nimbusds.jose.JWEHeader and com.nimbusds.jose.JWSHeader are in unnamed module of loader 'app')

security configuration:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.web.server.SecurityWebFilterChain;

@EnableWebFluxSecurity
@Configuration
public class SecurityConfig {

    // Issuer URI read from application properties; the decoder below discovers the JWKS from it
    @Value("${spring.security.oauth2.resourceserver.jwk.issuer-uri}")
    private String issuerUri;

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http.authorizeExchange()
                .pathMatchers(HttpMethod.GET, "/inventory/**").authenticated()
                .anyExchange().authenticated()
                .and()
                // Every request must carry a bearer JWT signed by the issuer
                .oauth2ResourceServer()
                .jwt();
        return http.build();
    }

    @Bean
    public ReactiveJwtDecoder jwtDecoder() {
        // Builds a decoder from the issuer's OpenID discovery document (signed JWTs only)
        return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
    }
}

Is there something wrong in my setup? I followed the spring setup from https://auth0.com/blog/introduction-getting-started-with-spring-webflux-api/

Also, this is how I'm getting the invalid access token from the auth0 SDK:

  test(){
    this.auth.getAccessTokenSilently({"authorizationParams": {"redirectUri": "http://localhost:4200","audience": "https://dev-wwoccmoasz15dfgd.us.auth0.com/userinfo", "scope": "openid profile"}})
    .subscribe(a => {
      console.log(a);
    })
  }

Solution

  • Have you configured Angular to send an audience parameter? If you don't, the access token returned will not be a JWT. You can copy/paste the access token into jwt.io to see if it's valid. Here's what the config should look like with an audience.

    const config = {
      domain: 'dev-06bzs1cu.us.auth0.com',
      clientId: 'y3RlJzTl68eZOQyGqA0yGiJla7fyaZ88',
      authorizationParams: {
        audience: 'https://dev-06bzs1cu.us.auth0.com/api/v2/',
        redirect_uri: window.location.origin + '/home'
      },
      httpInterceptor: {
        allowedList: ['http://localhost:8080/*']
      },
    };