I have a problem on a Spring Boot microservice about the token decryption part in spring security. Basically the following problem occurs: when calling the getSubject() method on @AuthenticationPrincipal Jwt jwt the following error occurs
Caused by: java.lang.IllegalStateException: The Issuer "https://ids-for-spid.aqp.it:443/oauth2/token" provided in the configuration did not match the requested issuer "https://clidens1.aqp.it:9443/oauth2/token"
I guess this is due to the following condition: in the well-known file there is an issuer with a different url base than the one passed to the library (I guess because there is a proxy or gateway), how could I solve the following problem?
Specifically, the url to access the well-known file is the following https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration ed and inside there is the following issuer https://ids-for-spid.aqp.it/oauth2/token, which differs from the base url clidens1.aqp.it on which I have the only accessibility.
During JWT validation, token iss
claim is checked against the issuer URI in your conf. It must match exactly (even trailing slash is important if any).
For token validation, the Authorization server public key is also required. It is fetched using JWK-set URI, generally found in OpenID configuration, itself generally available from a location deduced from th iss
claim value (${iss}/.well-known/openid-configuration
).
You should configure your authorization-server to use as iss
claim a URI that is reachable by other services and that can be used for OpenID auto-configuration.
In Keycloak setting hostname
configuration property would solve your problem, but you're obviously using another authorisation-server.