
Fix ClassCastException in JwtDecoders fromIssuerLocation #9658


Merged
merged 1 commit into from
Apr 20, 2021

tiborkoch

Fix for #9651

@jzheaux jzheaux left a comment

Thanks for the PR, @tiborkoch! Please see my review comments inline.

In addition, would you please include the issue number in your squashed Git commit? Something like this:

Fix ClassCastException

Closes gh-9651

@jzheaux jzheaux merged commit 5da472f into spring-projects:master Apr 20, 2021
jzheaux commented Apr 20, 2021

Thanks, @tiborkoch! This is now merged into master.

@jzheaux jzheaux added this to the 5.5.0 milestone Apr 20, 2021
@jzheaux jzheaux self-assigned this Apr 20, 2021
@jzheaux jzheaux added the labels "in: oauth2" (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose), "status: duplicate" (A duplicate of another issue) and "type: bug" (A general bug), and removed "status: waiting-for-triage" (An issue we've not yet triaged), Apr 20, 2021
@jzheaux jzheaux modified the milestones: 5.5.0, 5.5.0-RC2 Apr 27, 2021
Blockost commented Feb 20, 2022

I'm having the exact same issue but with [email protected]. I set spring.security.oauth2.resourceserver.jwt.jwk-set-uri to my Auth0 endpoint but without success.

The line that raises the error is the one at 411 of class NimbusReactiveJwtDecoder:

private JWKSelector createSelector(Function<JWSAlgorithm, Boolean> expectedJwsAlgorithms, Header header) {
	JWSHeader jwsHeader = (JWSHeader) header; // <--- Error thrown here !
	if (!expectedJwsAlgorithms.apply(jwsHeader.getAlgorithm())) {
		throw new BadJwtException("Unsupported algorithm of " + header.getAlgorithm());
	}
	return new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
}

I'm using:

  • spring boot 2.6.3 and spring-boot-starter-oauth2-resource-server
  • It's using ReactiveJwtDecoder because I'm building an app with RSocket and spring-boot-starter-rsocket

Not sure what I can do to fix this... 🤔

dhaeb commented Mar 4, 2024

@Blockost how did you deal with this issue? We created our own NimbusReactiveJwtDecoder but are not happy to maintain this code.
It seems that NimbusJwtDecoder.withJwkSetUri can handle JWE, while the reactive version NimbusReactiveJwtDecoder.withJwkSetUri does not work for us...

We are using Spring Security version 6.1.6
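
The cast in the createSelector snippet quoted in this thread fails for any header that is not a JWSHeader, such as the header of a JWE. As an added example (not Spring Security's code and not the change merged in this PR), here is a variant that checks the header type before narrowing it, using the Nimbus JOSE+JWT classes. The class name GuardedSelector and the use of IllegalArgumentException in place of BadJwtException are assumptions, made so the example depends on Nimbus only.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.Header;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import java.util.Set;
import java.util.function.Function;

// Added example, not Spring Security code: GuardedSelector is a hypothetical class,
// and IllegalArgumentException stands in for Spring's BadJwtException.
public class GuardedSelector {

	// Same shape as the createSelector quoted above, but the header type is checked before it is narrowed.
	static JWKSelector createSelector(Function<JWSAlgorithm, Boolean> expectedJwsAlgorithms, Header header) {
		if (!(header instanceof JWSHeader)) {
			// A JWE or unsecured (plain) JWT header is rejected here instead of raising ClassCastException.
			throw new IllegalArgumentException("Unsupported algorithm of " + header.getAlgorithm());
		}
		JWSHeader jwsHeader = (JWSHeader) header;
		if (!expectedJwsAlgorithms.apply(jwsHeader.getAlgorithm())) {
			throw new IllegalArgumentException("Unsupported algorithm of " + header.getAlgorithm());
		}
		return new JWKSelector(JWKMatcher.forJWSHeader(jwsHeader));
	}

	public static void main(String[] args) {
		Function<JWSAlgorithm, Boolean> allowed = Set.of(JWSAlgorithm.RS256)::contains;
		// Constructed sample headers; no real token is involved.
		Header[] samples = {
			new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("constructed-kid").build(),
			new JWSHeader.Builder(JWSAlgorithm.HS256).build(),
			new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM).build()
		};
		for (Header h : samples) {
			String label = h.getClass().getSimpleName() + " " + h.getAlgorithm();
			try {
				createSelector(allowed, h);
				System.out.println(label + ": accepted");
			} catch (IllegalArgumentException ex) {
				System.out.println(label + ": rejected, " + ex.getMessage());
			}
		}
	}
}
```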