Skip to content

JwtDecoders from issuer uri produces ClassCastException #9651

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tiborkoch opened this issue Apr 17, 2021 · 9 comments
Closed

JwtDecoders from issuer uri produces ClassCastException #9651

tiborkoch opened this issue Apr 17, 2021 · 9 comments
Assignees
@jzheaux @tiborkoch
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Milestone
5.5.0-RC2

Comments

@tiborkoch
Copy link
Contributor

Describe the bug
Using the latest Spring Boot snapshot version (2.5.0-SNAPSHOT) that has Spring Security 5.5.0-RC1 as dependency, a ClassCastException is thrown when creating a JwtDecoder from an issuer uri.

Caused by: java.lang.ClassCastException: class com.nimbusds.jose.Algorithm cannot be cast to class com.nimbusds.jose.JWSAlgorithm (com.nimbusds.jose.Algorithm and com.nimbusds.jose.JWSAlgorithm are in unnamed module of loader 'app')
	at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:93) ~[spring-security-oauth2-jose-5.5.0-RC1.jar:5.5.0-RC1]

It can be fixed by using

JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(jwk.getAlgorithm().getName());
jwsAlgorithms.add(jwsAlgorithm);

instead of casting.

To Reproduce
Start the app in the provided repository.

Expected behavior
No errors on startup.

Sample
https://github.com/tiborkoch/spring-security-oauth2resourceserver
@tiborkoch tiborkoch added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Apr 17, 2021
@ubaid4j
Copy link
Contributor

ubaid4j commented Apr 18, 2021
edited
Loading

I was testing latest Spring Boot snapshot version (2.5.0-SNAPSHOT) and I got the same above issue. Folllowing is the stacktrace:
Spring Boot Version: 2.5.0-SNAPSHOT
Spring Security Version: 5.5.0-RC1

Caused by: java.lang.ClassCastException: class com.nimbusds.jose.Algorithm cannot be cast to class com.nimbusds.jose.JWSAlgorithm (com.nimbusds.jose.Algorithm and com.nimbusds.jose.JWSAlgorithm are in unnamed module of loader 'app')
	at org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:93) ~[spring-security-oauth2-jose-5.5.0-RC1.jar:5.5.0-RC1]
	at org.springframework.security.oauth2.jwt.JwtDecoders.withProviderConfiguration(JwtDecoders.java:122) ~[spring-security-oauth2-jose-5.5.0-RC1.jar:5.5.0-RC1]
	at org.springframework.security.oauth2.jwt.JwtDecoders.fromIssuerLocation(JwtDecoders.java:102) ~[spring-security-oauth2-jose-5.5.0-RC1.jar:5.5.0-RC1]
	at com.ubaid.ms.countryservice.config.SecurityConfig.jwtDecoder(SecurityConfig.java:41) ~[classes/:na]
	at com.ubaid.ms.countryservice.config.SecurityConfig$$EnhancerBySpringCGLIB$$7ab3f55b.CGLIB$jwtDecoder$0(<generated>) ~[classes/:na]
	at com.ubaid.ms.countryservice.config.SecurityConfig$$EnhancerBySpringCGLIB$$7ab3f55b$$FastClassBySpringCGLIB$$70b6db75.invoke(<generated>) ~[classes/:na]
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.6.jar:5.3.6]
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.6.jar:5.3.6]
	at com.ubaid.ms.countryservice.config.SecurityConfig$$EnhancerBySpringCGLIB$$7ab3f55b.jwtDecoder(<generated>) ~[classes/:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78) ~[na:na]
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
	at java.base/java.lang.reflect.Method.invoke(Method.java:567) ~[na:na]
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.6.jar:5.3.6]
	... 61 common frames omitted

@ubaid4j ubaid4j mentioned this issue Apr 18, 2021
Closed
@jgrandja
Copy link
Contributor

Thanks for the report @tiborkoch. I was able to reproduce the same issue with the provided sample.

The fix you suggested is correct. Would you be interested in submitting a PR for this fix?

@jgrandja jgrandja self-assigned this Apr 19, 2021
@jgrandja jgrandja added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Apr 19, 2021
@jgrandja jgrandja added this to the 5.5.0 milestone Apr 19, 2021
@jgrandja jgrandja changed the title JwtDecoder creation from issuer uri JwtDecoders from issuer uri produces ClassCastException Apr 19, 2021
@wsaca
Copy link

wsaca commented Apr 19, 2021

@tiborkoch I didnt have enough time to fix this issue, but if you can do it I share with you the old issue.

@jgrandja jgrandja assigned jzheaux and unassigned jgrandja Apr 19, 2021
@tiborkoch
Copy link
Contributor Author

@jgrandja @wsaca I'll do it, will try to submit the pr in a few days

@tiborkoch tiborkoch mentioned this issue Apr 20, 2021
Merged
@tiborkoch
Copy link
Contributor Author

Fixed in #9658

@RobertHeim RobertHeim mentioned this issue Apr 20, 2021
Closed
@RobertHeim
Copy link

Is there a workaround until the fix is released?

@jzheaux
Copy link
Contributor

jzheaux commented Apr 20, 2021

Hi, @RobertHeim, yes, you can create the NimbusJwtDecoder instance directly, like so:

@Bean 
JwtDecoder jwtDecoder() {
    String issuerUri = ...;
    String jwkSetUri = ...;
    OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(issuerUri);
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwtSetUri(jwkSetUri).build();
    jwtDecoder.setJwtValidator(validator);
    return jwtDecoder;
}

tiborkoch added a commit to tiborkoch/spring-security that referenced this issue Apr 20, 2021
@tiborkoch
Fix ClassCastException
595fa69 
Closes spring-projectsgh-9651
jzheaux added a commit that referenced this issue Apr 20, 2021
@jzheaux
Update Copyright
b001189 
Issue gh-9651
@jzheaux
Copy link
Contributor

jzheaux commented Apr 20, 2021

Or, if you are a Spring Boot application, then you can instead do:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://auth.example.org/issuer
          jwk-set-uri: https://auth.example.org/jwks

@RobertHeim
Copy link

Thanks for the fast feedback. That works!

@jzheaux jzheaux modified the milestones: 5.5.0, 5.5.0-RC2 Apr 27, 2021
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
@tiborkoch
Fix ClassCastException
0ed57ad 
Closes spring-projectsgh-9651
akohli96 pushed a commit to akohli96/spring-security that referenced this issue Aug 25, 2021
@jzheaux
Update Copyright
07f7b30 
Issue spring-projectsgh-9651
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

@tiborkoch tiborkoch

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
Projects
None yet
Milestone
5.5.0-RC2
Development

No branches or pull requests
6 participants
@RobertHeim @jzheaux @wsaca @tiborkoch @jgrandja @ubaid4j