Configure Spring Security OIDC/OAuth2 Behind a Gateway/Proxy

Time: 11-19

I have a problem on a Spring Boot microservice with the token decryption part in Spring Security. Basically the following problem occurs: when calling the getSubject() method on @AuthenticationPrincipal Jwt jwt, the following error occurs:

Caused by: java.lang.IllegalStateException: The Issuer "https://ids-for-spid.aqp.it:443/oauth2/token" provided in the configuration did not match the requested issuer "https://clidens1.aqp.it:9443/oauth2/token"

I guess this is due to the following condition: in the well-known file there is an issuer with a different base URL than the one passed to the library (I guess because there is a proxy or gateway). How could I solve this problem?

Specifically, the URL to access the well-known file is https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration and inside it there is the following issuer, https://ids-for-spid.aqp.it/oauth2/token, which differs from the base URL clidens1.aqp.it, the only one I have access to.

CodePudding user response:

During JWT validation, the token's iss claim is checked against the issuer URI in your configuration. It must match exactly (even a trailing slash matters, if there is one).

For token validation, the authorization server's public key is also required. It is fetched using the JWK-set URI, generally found in the OIDC configuration, which itself is generally available from a location deduced from the iss claim value.

If the host declared in the iss claim is not reachable from the resource server, have you tried setting the JWK-set URI property too? Something like:

# this must be the exact iss claim value
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://clidens1.aqp.it:9443/oauth2/token

# actual value to use is the "jwks_uri" in https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration
# with a hostname and port reachable from the resource server (the Spring app this properties file belongs to)
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://ids-for-spid.aqp.it:9443/oauth2/token/protocol/openid-connect/certs

If the hostname in the iss claim is not reachable by anyone, have you tried configuring your authorization server to change the value of the iss claim?

In Keycloak, setting the hostname configuration property would solve your problem, but you're obviously using another authorisation server.
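The same split, configured programmatically, as an added example (not code from the answer above or from the Spring project): the decoder fetches keys from the reachable JWK-set URI and never performs discovery against the issuer host, while the iss claim is still matched exactly. The two property names and the hosts come from the thread; the class name is assumed.

```java
import java.time.Duration;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerJwtConfig { // hypothetical class name

    // Exact value of the "iss" claim as it appears inside the tokens (copy the
    // "issuer" field of the well-known document, trailing slash included if any).
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String expectedIssuer;

    // The "jwks_uri" of the well-known document, with host and port rewritten to
    // something the resource server can reach through the gateway/proxy.
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Bean
    JwtDecoder jwtDecoder() {
        // Building from the JWK-set URI directly means no OIDC discovery request
        // is sent to the issuer host, so the unreachable hostname is never contacted.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // Keep validation strict: the signature is checked by the decoder, exp/nbf
        // with a small clock skew, and an exact string comparison of the iss claim.
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(Duration.ofSeconds(30)),
                new JwtIssuerValidator(expectedIssuer));
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Because a JwtDecoder bean is defined, Spring Boot's auto-configured decoder backs off; the issuer check remains an exact match, so tokens minted by any other issuer are still rejected even though the keys are fetched from a different hostname.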
