JWE in Spring Security OAuth2 JWT

Is it possible to use JSON Web Encryption (JWE) with Spring Security OAuth2 JWT?

Right now I have the following JwtAccessTokenConverter:

import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

// DBUserDetails, jwtAccessTokenConverterSigningKey and userDetailsService are the
// application's own class and fields (not shown in the question).
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    JwtAccessTokenConverter converter = new JwtAccessTokenConverter() {

        // Adds the authenticated user's id as a custom claim before the token is encoded.
        @Override
        public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
            DBUserDetails user = (DBUserDetails) authentication.getUserAuthentication().getPrincipal();
            final Map<String, Object> additionalInfo = new HashMap<>();
            additionalInfo.put("user_id", user.getUser().getId());
            ((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
            OAuth2AccessToken enhancedToken = super.enhance(accessToken, authentication);
            return enhancedToken;
        }

    };

    // Signing key: the converter signs the token (JWS) but does not encrypt it,
    // so every claim, including user_id, is readable by anyone holding the token.
    converter.setSigningKey(jwtAccessTokenConverterSigningKey);

    // Maps token claims back to an Authentication, loading the user via userDetailsService.
    DefaultAccessTokenConverter accessTokenConverter = new DefaultAccessTokenConverter();
    DefaultUserAuthenticationConverter userTokenConverter = new DefaultUserAuthenticationConverter();
    userTokenConverter.setUserDetailsService(userDetailsService);
    accessTokenConverter.setUserTokenConverter(userTokenConverter);

    converter.setAccessTokenConverter(accessTokenConverter);

    return converter;
}

How do I add JWE support here?

Complot answered 29/9, 2016 at 11:11
Comment from Jussive: Does this answer your question? Spring Boot OAuth2 with encrypted JWT access token
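JwtAccessTokenConverter (from the legacy spring-security-oauth2 project) only signs the token, producing a JWS. The following is an added example, not code from the question or from Spring, of one way to layer JWE on top of it: override the converter's protected encode and decode hooks, sign first as before, then wrap the compact JWS in a JWE (a nested JWT, RFC 7519 section 5.2) using the Nimbus JOSE+JWT library, which is assumed as a dependency. The class name JweAccessTokenConverter and the 32-byte jweKey (for A256GCM with the "dir" algorithm) are assumptions; the key must be shared between the server that issues tokens and the one that reads them, and should be a different secret from the signing key.

```java
import java.text.ParseException;
import java.util.Map;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;

// Hypothetical subclass (not part of Spring): sign-then-encrypt access tokens.
public class JweAccessTokenConverter extends JwtAccessTokenConverter {

    // Assumed: a 256-bit content-encryption key supplied by the application.
    private final byte[] jweKey;

    public JweAccessTokenConverter(byte[] jweKey) {
        if (jweKey.length != 32) {
            throw new IllegalArgumentException("A256GCM with alg=dir requires a 256-bit key");
        }
        this.jweKey = jweKey.clone();
    }

    // super.encode() builds and signs the JWS (including any claims added in enhance());
    // that compact JWS becomes the plaintext payload of the JWE.
    @Override
    protected String encode(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        String jws = super.encode(accessToken, authentication);
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                .contentType("JWT") // marks the payload as a nested JWT
                .build();
        JWEObject jwe = new JWEObject(header, new Payload(jws));
        try {
            jwe.encrypt(new DirectEncrypter(jweKey));
        } catch (JOSEException e) {
            throw new IllegalStateException("Cannot encrypt access token", e);
        }
        return jwe.serialize();
    }

    // Decrypt (AES-GCM authenticates the ciphertext), then hand the inner JWS to the
    // parent so the signature is still verified and the claims are parsed as before.
    @Override
    protected Map<String, Object> decode(String token) {
        try {
            JWEObject jwe = JWEObject.parse(token);
            jwe.decrypt(new DirectDecrypter(jweKey));
            return super.decode(jwe.getPayload().toString());
        } catch (ParseException | JOSEException e) {
            // Undecryptable or malformed input is rejected as an invalid token.
            throw new InvalidTokenException("Cannot decrypt access token", e);
        }
    }
}
```

To use it, the anonymous class in the question's bean would extend JweAccessTokenConverter instead of JwtAccessTokenConverter (passing the key to the constructor); the enhance override and setSigningKey stay unchanged, since signing still happens inside super.encode. Because decode is also used for refresh tokens and by JwtTokenStore, every token the converter issues is wrapped the same way, and a token that was not issued with this key fails at decrypt before any claim is read.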
You can use opaque token support in the Spring OAuth2 resource server. That would mean your users can provide encoded JWT tokens (JWE) and your Spring backend application will be able to convert the token to a Principal object without any additional code.

This is possible if your OAuth2 server provides the introspection endpoint.

With spring-boot-starter-oauth2-resource-server:3.1.2 the configuration is as simple as:

spring.security.oauth2.resourceserver:
  opaque-token:
    introspection-uri: <your oauth2 server introspect url>
    client-id: <clientId>
    client-secret: <clientSecret>

In Java config you enable opaque token support by adding to the SecurityWebFilterChain:

http.oauth2ResourceServer(rs -> rs.opaqueToken(Customizer.withDefaults()));

Documentation: Spring Security 6.1.2 docs

Loeffler answered 11/8, 2023 at 10:50
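As an added example (not from the answer or from Spring), this is what the opaque-token approach looks like as a complete servlet-stack configuration for Spring Security 6.x: a SecurityFilterChain that requires an introspected token on every request, plus an OpaqueTokenIntrospector that wraps Spring's SpringOpaqueTokenIntrospector so the user_id attribute from the question becomes the principal name. It assumes the servlet (not reactive) stack, the three properties from the answer's YAML, and that the authorization server's introspection response carries a user_id field; ResourceServerConfig is an assumed class name.

```java
import java.util.Map;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.introspection.SpringOpaqueTokenIntrospector;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class (assumed name).
@Configuration
public class ResourceServerConfig {

    // Servlet-stack form of the answer's one-liner: every request must present a bearer
    // token, and the token is validated by calling the introspection endpoint rather than
    // by parsing or decrypting it locally, so the resource server never needs the JWE key.
    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.opaqueToken(Customizer.withDefaults()));
        return http.build();
    }

    // Replaces the auto-configured introspector with one that maps the introspection
    // response onto a principal whose name is the user_id claim, when present.
    @Bean
    OpaqueTokenIntrospector introspector(
            @Value("${spring.security.oauth2.resourceserver.opaque-token.introspection-uri}") String uri,
            @Value("${spring.security.oauth2.resourceserver.opaque-token.client-id}") String clientId,
            @Value("${spring.security.oauth2.resourceserver.opaque-token.client-secret}") String secret) {
        OpaqueTokenIntrospector delegate = new SpringOpaqueTokenIntrospector(uri, clientId, secret);
        return token -> {
            // The delegate POSTs the token to the RFC 7662 endpoint using client-id/secret
            // and throws BadOpaqueTokenException when the response says "active": false,
            // so an expired or revoked token never reaches the mapping below. The "scope"
            // field is already turned into SCOPE_* authorities by the delegate.
            OAuth2AuthenticatedPrincipal p = delegate.introspect(token);
            Map<String, Object> attrs = p.getAttributes();
            Object userId = attrs.get("user_id"); // assumed custom field in the response
            String name = userId != null ? userId.toString() : p.getName();
            return new OAuth2IntrospectionAuthenticatedPrincipal(name, attrs, p.getAuthorities());
        };
    }
}
```

Introspection costs one outbound HTTP call per request, and the client-id/secret pair is a credential for the introspection endpoint only, so it belongs in secret storage like the signing key, not in a committed application.yml.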
