spring-bootoauth-2.0fusionauth

Spring cloud gateway with fusionauth custom tenant


I am not sure if this is a bug with Spring Boot or not, question is I have created a tenant in fusionauth with the issuer "anyissuer", then I configured a spring cloud gateway with spring boot 3.2.1 using spring-boot-starter-oauth2-resource-server with:

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://localhost:9011/.well-known/openid-configuration/018d642c-e707-7349-95c7-ead15f625746
spring.security.oauth2.resourceserver.jwt.audiences[0]=018d642c-a7e8-75b1-96af-1ea04c3b0faa

so doing this, when I tried to access some secure url, I am having the error: The Issuer "anyissuer" provided in the configuration did not match the requested issuer "http://localhost:9011/.well-known/openid-configuration/018d6028-e976-7aef-8d35-d65386e6b448"

however in http://localhost:9011/.well-known/openid-configuration/018d6028-e976-7aef-8d35-d65386e6b448 the issuer in the response is "anyissuer".

I have found in the org.springframework.boot.autoconfigure.security.oauth2.resource.reactive.ReactiveOAuth2ResourceServerJwkConfiguration class that in this method

@Bean
        @ConditionalOnProperty(
            name = {"spring.security.oauth2.resourceserver.jwt.jwk-set-uri"}
        )
        ReactiveJwtDecoder jwtDecoder(ObjectProvider<JwkSetUriReactiveJwtDecoderBuilderCustomizer> customizers) {
            NimbusReactiveJwtDecoder.JwkSetUriReactiveJwtDecoderBuilder builder = NimbusReactiveJwtDecoder.withJwkSetUri(this.properties.getJwkSetUri()).jwsAlgorithms(this::jwsAlgorithms);
            customizers.orderedStream().forEach((customizer) -> {
                customizer.customize(builder);
            });
            NimbusReactiveJwtDecoder nimbusReactiveJwtDecoder = builder.build();
            String issuerUri = this.properties.getIssuerUri();
            OAuth2TokenValidator<Jwt> defaultValidator = issuerUri != null ? JwtValidators.createDefaultWithIssuer(issuerUri) : JwtValidators.createDefault();
            nimbusReactiveJwtDecoder.setJwtValidator(this.getValidators(defaultValidator));
            return nimbusReactiveJwtDecoder;
        } 

it is creating the issuer validator with the value of spring.security.oauth2.resourceserver.jwt.issuer-uri property instead of the value of issuer in the response of http://localhost:9011/.well-known/openid-configuration/018d642c-e707-7349-95c7-ead15f625746

So to sum up, is there a way to configure oauth2 resource server with spring boot 3.2.1 to get the openid-configuration from the tenant (resolved specifying http://localhost:9011/.well-known/openid-configuration/018d642c-e707-7349-95c7-ead15f625746 in the spring.security.oauth2.resourceserver.jwt.issuer-uri property) and having a jwtDecorder working properly with de issuer?

The only way I have made this "working" is changing my tenant issuer to be http://localhost:9011/.well-known/openid-configuration/018d642c-e707-7349-95c7-ead15f625746


Solution

  • The value of the spring.security.oauth2.resourceserver.jwt.issuer-uri property is not an URI pointing at the OpenID configuration, it is the value of the issuer claim (iss) in access tokens, and this claim should contain a URI (the same as what you find inside the OpenID configuration, not the URI of the configuration).

    The primary function of this property is to configure an issuer validator in the JWT decoder. If the OpenID configuration cannot be guessed from the issuer (like because of this UUID in it), then you'll have to configure the jwk-set-uri property (with the value you find in OpenID conf for the JWK-set endpoint), and you might leave issuer-uri empty (no issuer validator) or set it with exactly what is set as iss claim in access tokens.