spring-securityopenamspring-oauth2forgerock

An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found


I am trying setup OAuth2-OpenID Connect with ForgeRock OpenAM integrated with spring security and am getting the following error

2019-06-17 15:01:42.576 DEBUG 62255 --- [nio-8090-exec-2] .o.s.r.w.BearerTokenAuthenticationFilter : 
Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: 
An error occurred while attempting to decode the Jwt: 
Signed JWT rejected: Another algorithm expected, or no matching key(s) found

The Jwk .well-known uri returns the following supported algorithms:

"id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ]

The decoded JWT shows the following header:

{
  "typ": "JWT",
  "zip": "NONE",
  "alg": "HS256"
}

Is there a way I can set a specific JwtDecoder based on the value coming from the header or enforce AM to use one particular algorithm?


Solution

  • The issue was with the configuration in the Access Management on the token encryption. It was blank but for some reason the JWT header showed HS256, that caused spring to look for the HS256 private key and fail. After I changed the setting to use RS256, everything started working.