Tags: java, spring-boot, spring-security, jwt, adfs

ADFS JWT integration with 2 issuers


I am trying to authorize the application with ADFS. For many days I thought the problem was with the authorization itself:

How to get access to the REST endpoints based on roles that are coming from payload claim JWT

However, I discovered that in ADFS you have an issuer path but also an access_token_issuer. After analyzing the calls to ADFS I realized that both the issuer and the access token issuer need to be somehow specified. Without the issuer there is no access to the well-known configuration, and without the access-token-issuer the token is not checked against the correct issuer. Did anyone experience this and have any clue how to modify the JWT decoder to use the issuer and the access-token issuer as well?

    issuerUri = the ADFS URI that also has the well-known config
    accessIssuerUri = the one that I receive in the claims in the iss

    @Bean
    public JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withIssuerLocation(this.issuerUri).build();
    }

The complete code is also in the question that I added as a link.

The OpenID config contains something like this:

    {
        "issuer": "https://base-url/adfs",
        "authorization_endpoint": "https://base-url/adfs/oauth2/authorize/",
        "token_endpoint": "https://base-url/adfs/oauth2/token/",
        "jwks_uri": "https://base-url/adfs/discovery/keys",
        ....
        "access_token_issuer": "http://base-url/adfs/services/trust",
        .....
    }

Is the issuer or the access_token_issuer the one that I have to add in my decoder and also in the application properties?

    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri:
              jwk-set-uri:

Solution

  • Set jwk-set-uri in YAML with the value of jwks_uri in your openid-configuration and either:

    Spring Security uses issuer-uri for two things if present:

    Issuer validation is optional (as well as the audience one). The only required validation is the token signature, which is the reason Spring Security needs the JWK set (either provided explicitly or inferred from the issuer URI).
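The following is an added example, not code from the question or the answer above. It shows one way to apply the answer in a Spring Boot resource server: the decoder is built from jwks_uri alone (so no discovery call and no "issuer" value are involved), the signature check stays mandatory, and the iss claim is validated against access_token_issuer rather than against the discovery "issuer" value, which is what `withIssuerLocation` would compare against. An audience check on the aud claim is included as well, since a token minted for a different ADFS application would otherwise pass. The property names `adfs.access-token-issuer` and `adfs.audience`, the package and the class name are assumptions; the Spring Security classes are the real ones from `spring-security-oauth2-jose`.

```java
package example.security; // hypothetical package

import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AdfsJwtDecoderConfig {

    // jwks_uri from the openid-configuration document,
    // e.g. https://base-url/adfs/discovery/keys (standard Spring property)
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // access_token_issuer from the same document: the exact string ADFS puts in the
    // "iss" claim, e.g. http://base-url/adfs/services/trust (hypothetical property name)
    @Value("${adfs.access-token-issuer}")
    private String accessTokenIssuer;

    // Identifier of this resource server as registered in ADFS; compared with the
    // "aud" claim so tokens issued for another application are rejected (hypothetical property name)
    @Value("${adfs.audience}")
    private String audience;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the published key set only; the discovery
        // "issuer" value is never fetched or compared here
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // exp / nbf check: the same default validator the builder installs on its own,
        // re-added because setJwtValidator() replaces the whole chain
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator();

        // "iss" must equal access_token_issuer (exact string comparison, scheme included)
        OAuth2TokenValidator<Jwt> issuer = new JwtIssuerValidator(accessTokenIssuer);

        // "aud" must list this application
        OAuth2TokenValidator<Jwt> aud = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, values -> values != null && values.contains(audience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(timestamps, issuer, aud));
        return decoder;
    }
}
```

With this bean present, Spring Boot's resource-server auto-configuration backs off, so `issuer-uri` can be left unset; only `jwk-set-uri` (plus the two assumed `adfs.*` properties) is needed. Because `setJwtValidator` replaces the default chain, the timestamp validator has to be re-added explicitly, as shown, or expired tokens would be accepted. The issuer comparison is a plain string match, so the configured value must reproduce access_token_issuer exactly, including its `http://` scheme and any trailing slash.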