https://github.com/itzg/try-oauth2-validate-aud
https://github.com/itzg/try-oauth2-validate-aud
Last synced: about 1 year ago
JSON representation
- Host: GitHub
- URL: https://github.com/itzg/try-oauth2-validate-aud
- Owner: itzg
- Created: 2020-05-02T22:48:02.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2020-05-02T22:49:48.000Z (about 6 years ago)
- Last Synced: 2025-03-04T04:41:46.591Z (over 1 year ago)
- Language: Java
- Size: 53.7 KB
- Stars: 1
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
This project tries out [customizing the Spring Security OAuth2 JWT validator](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-validation-custom).
Specifically, it customizes
- The choice of RS256 or HS256, where Spring Boot resource servers [by default only support RS256](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-decoder-algorithm)
- Validation of the JWT token to include validation an expected audience value
The bulk of the code is in `JwtConfig` which uses the properties bean `ApiSecurityProperties`. It supports both RS256 and HS256 signing algorithms.
For RS256 the properties need to be
- `api.security.signing-algorithm=rs256`
- `api.security.issuer-uri=...`
- `api.security.audience=...`
- optionally `api.security.jwkSetUri`, if not specified ".well-known/jwks.json" is appended to `issuer-uri`
For HS256 the properties need to be
- `api.security.signing-algorithm=hs256`
- `api.security.issuer-uri=...`
- `api.security.audience=...`
- `api.security.key=...`