I'm using auth0-angular to get getAccessTokenSilently() and send the access_token to my backend server using authorization: Bearer blablabla
When I try to make a request with this header my Spring security configuration starts throwing errors.
the error im getting:
Caused by: org.springframework.security.oauth2.jwt.JwtException: An error occurred while attempting to decode the Jwt: class com.nimbusds.jose.JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader (com.nimbusds.jose.JWEHeader and com.nimbusds.jose.JWSHeader are in unnamed module of loader 'app')
security configuration:
@EnableWebFluxSecurity
@Configuration
public class SecurityConfig {
@Value("${spring.security.oauth2.resourceserver.jwk.issuer-uri}")
private String issuerUri;
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http){
http.authorizeExchange()
.pathMatchers(HttpMethod.GET,"/inventory/**").authenticated()
.anyExchange().authenticated()
.and()
.oauth2ResourceServer()
.jwt();
return http.build();
}
@Bean
public ReactiveJwtDecoder jwtDecoder() {
return ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri);
}
}
Is there something wrong in my setup? I followed the spring setup from https://auth0.com/blog/introduction-getting-started-with-spring-webflux-api/
Also, this is how im getting the invalid access token from auth0 sdk
test(){
this.auth.getAccessTokenSilently({"authorizationParams": {"redirectUri": "http://localhost:4200","audience": "https://dev-wwoccmoasz15dfgd.us.auth0.com/userinfo", "scope": "openid profile"}})
.subscribe(a => {
console.log(a);
})
}
Have you configured Angular to send an audience parameter? If you don't, the access token returned with not be a JWT. You can copy/paste the access token into jwt.io to see if it's valid. Here's what the config should look like with an audience.
const config = {
domain: 'dev-06bzs1cu.us.auth0.com',
clientId: 'y3RlJzTl68eZOQyGqA0yGiJla7fyaZ88',
authorizationParams: {
audience: 'https://dev-06bzs1cu.us.auth0.com/api/v2/',
redirect_uri: window.location.origin + '/home'
},
httpInterceptor: {
allowedList: ['http://localhost:8080/*']
},
};