JWT doesn't contain iss claim

Time:01-05

I'm using a Spring Boot application as a resource server, and it needs to validate the JWTs. But I'm always getting the following error on a request:

Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: The iss claim is not valid", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

The issuer URI is set correctly in the application.properties by the following line:

spring.security.oauth2.resourceserver.jwt.issuer-uri=<IssuerUri> 

But I found out that my JWT doesn't contain a claim with the issuer URI. Is there any way to override the validation of the issuer URI in Spring Boot?

I already tried to find a config in the WebSecurityConfigurerAdapter configurations to toggle the validation off. But I haven't found anything.

CodePudding user response:

I think I found the configuration I was looking for. You can override the issuer URI from the JWT in the WebSecurityConfigurerAdapter:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http.oauth2ResourceServer().jwt().jwkSetUri("<IssuerUri>");
}
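As an added example (not code from the question or either answer), here is the same idea expressed as Spring Security beans: the decoder fetches signing keys from the JWK Set endpoint, and the validators it applies are listed explicitly so that the absence of an issuer check is a visible decision rather than a side effect of which property was set. The JWK Set URL and the class names ResourceServerConfig and JWK_SET_URI are placeholders assumed for this example.

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

// Added example, not part of the original answers.
@Configuration
public class ResourceServerConfig {

    // Placeholder: the authorization server's JWK Set endpoint (signing keys),
    // which is a different URL from its issuer identifier.
    private static final String JWK_SET_URI = "https://<auth-server>/.well-known/jwks.json";

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature verification against the published JWK Set.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // When only jwk-set-uri is configured (no issuer-uri), Spring's default
        // validator already checks only exp/nbf. Spelling the validator list out
        // documents that the token's missing iss claim is deliberately not checked;
        // if the tokens later gain an iss claim, add a JwtIssuerValidator here.
        OAuth2TokenValidator<Jwt> validator =
                new DelegatingOAuth2TokenValidator<>(List.of(new JwtTimestampValidator()));
        decoder.setJwtValidator(validator);
        return decoder;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        // Every request must carry a valid bearer token decoded by the bean above.
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder)));
        return http.build();
    }
}
```

Requests with an expired or not-yet-valid token are still rejected; a request whose token lacks iss is accepted once its signature checks out against the JWK Set, which is the behaviour the question asks for.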

CodePudding user response:

If you are using Keycloak as the Auth Server, this error can sometimes happen on a local dev setup, when the Auth Server and Resource Server are running in Docker containers and the token was requested using an access token URL that points to localhost instead of the Auth Server's container name.

If you provide the host name of the access token URL as localhost, Keycloak will add the iss claim to the token with localhost as the host. When the resource server running in a container then tries to validate the token against the Auth Server, it tries to contact its own localhost instead of calling the Auth Server container.

The solution in this case is to provide the container name as the host name while requesting the access token.

I explained this in detail in this video: youtu.be/5_EXMJbhLY4?t=2519
