I am trying to authorize the application with ADFS. For many days I thought the problem was with the authorization itself:
How to get access to the REST endpoints based on roles that are coming from payload claim JWT
However, I discovered that in ADFS you have an issuer path but also an access_token_issuer. After analyzing the calls for ADFS I realized that both the issuer and the access token issuer need to be somehow specified. Without the issuer there is no access to the well-known configuration, and without the access-token-issuer the token is not checked against the correct issuer. Did anyone experience this and have any clue how to modify the JWT decoder to use the issuer and the access-token issuer as well?
issueruri = adfs uri that has also the well known config
accessIssuerUri = the one that I receive in the claims in the iss
@Bean
public JwtDecoder jwtDecoder() {
    return NimbusJwtDecoder.withIssuerLocation(this.issuerUri).build();
}
The complete code is also in the question that I added as a link.
The OpenID configuration contains something like this:
{
    "issuer": "https://base-url/adfs",
    "authorization_endpoint": "https://base-url/adfs/oauth2/authorize/",
    "token_endpoint": "https://base-url/adfs/oauth2/token/",
    "jwks_uri": "https://base-url/adfs/discovery/keys",
    ....
    "access_token_issuer": "http://base-url/adfs/services/trust",
    .....
}
Is it the issuer or the access_token_issuer that I have to add in my decoder and also in the application properties?
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri:
          jwk-set-uri:
Set jwk-set-uri in YAML with the value of jwks_uri in your openid-configuration and either:

- remove issuer-uri from YAML (disables iss claim validation), or
- set issuer-uri with exactly the value of the iss claim in your access tokens (case and trailing slash, if any, are important).

Spring Security uses issuer-uri for two things if present:

- if the jwk-set-uri property is missing (and only in that case), try to fetch the OpenID configuration from the well-known path and try to get jwks_uri from it;
- check that the iss claim in access tokens is exactly the value you provide as issuer-uri.

Issuer validation is optional (as well as the audience one). The only required validation is the token signature, which is the reason Spring Security needs the JWK set (either provided explicitly or inferred from the issuer URI).