Tags: java, spring-boot, spring-security, jwt, adfs

ADFS JWT integration with 2 issuers


I am trying to authorize the application with ADFS. For many days I thought the problem was with the authorization itself:

How to get access to the REST endpoints based on roles that are coming from payload claim JWT

However, I discovered that in ADFS you have an issuer path but also an access_token_issuer. After analyzing the calls for ADFS I realized that both the issuer and the access token issuer need to be somehow specified. Without the issuer there is no access to the well-known configuration, and without the access-token-issuer the token is not checked against the correct issuer. Did anyone experience this and have any clue how to modify the JWT decoder to use the issuer and the access-token issuer as well?

  issuerUri = the ADFS URI that also has the well-known config
  accessIssuerUri = the one that I receive in the claims as iss

```java
@Bean
public JwtDecoder jwtDecoder() {
    // Discovery from <issuerUri>/.well-known/openid-configuration; the decoder
    // also validates the iss claim against issuerUri
    return NimbusJwtDecoder.withIssuerLocation(this.issuerUri).build();
}
```

The complete code is also in the question that I added as a link.

The OpenID config contains something like this:

```json
{
    "issuer": "https://base-url/adfs",
    "authorization_endpoint": "https://base-url/adfs/oauth2/authorize/",
    "token_endpoint": "https://base-url/adfs/oauth2/token/",
    "jwks_uri": "https://base-url/adfs/discovery/keys",
    ....
    "access_token_issuer": "http://base-url/adfs/services/trust",
    .....
}
```

Is the issuer or the access_token_issuer the one that I have to add in my decoder and also in application properties?

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: 
          jwk-set-uri:  
```

Solution

  • Set jwk-set-uri in yaml with the value of jwks_uri in your openid-configuration and either:

    • remove issuer-uri from yaml (disables iss claim validation)
    • set issuer-uri with exactly the value of iss claim in your access tokens (case and trailing slash, if any, are important)

    Spring Security uses issuer-uri for two things if present:

    • if the jwk-set-uri property is missing (and only in that case), try to fetch the OpenID configuration from the well-known path and get jwks_uri from it
    • add an issuer validator to the JWT decoder (checks that the iss claim in access tokens is exactly the value you provide as issuer-uri)

    Issuer validation is optional (as well as the audience one). The only required validation is the token signature, which is the reason Spring Security needs the JWK set (either provided explicitly or inferred from the issuer URI).
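As an added example (not code from the question or the answer above), this is the programmatic equivalent of the answer: keep the `issuer` value for discovery of `jwks_uri`, but validate the `iss` claim against the `access_token_issuer` value, and add the optional audience check. The `adfs.*` property names and the audience value are assumptions.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AdfsJwtDecoderConfig {

    // Property names below are assumptions for this example.
    // "issuer" from openid-configuration: used only to discover jwks_uri
    @Value("${adfs.issuer-uri}")
    private String issuerUri;

    // "access_token_issuer" from openid-configuration: what the iss claim actually contains
    @Value("${adfs.access-token-issuer}")
    private String accessTokenIssuer;

    // Expected aud claim (the relying party / client identifier), assumed
    @Value("${adfs.audience}")
    private String audience;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Discovery: resolves jwks_uri from <issuerUri>/.well-known/openid-configuration
        // and verifies signatures against those keys.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withIssuerLocation(issuerUri).build();

        // withIssuerLocation() installs an issuer validator for issuerUri, which does not
        // match the iss claim ADFS puts in access tokens. Replace it with one that checks
        // the access_token_issuer value (plus the default exp/nbf timestamp validation).
        OAuth2TokenValidator<Jwt> issuerAndTimestamps =
                JwtValidators.createDefaultWithIssuer(accessTokenIssuer);

        // Audience validation is optional in Spring Security; add it explicitly so tokens
        // minted for another relying party are rejected.
        OAuth2TokenValidator<Jwt> audienceValidator = new JwtClaimValidator<List<String>>(
                "aud", aud -> aud != null && aud.contains(audience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTimestamps, audienceValidator));
        return decoder;
    }
}
```

If you prefer the pure-properties route from the answer, setting `issuer-uri` to the exact `iss` value and `jwk-set-uri` to `jwks_uri` achieves the same issuer check without this bean.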