spring spring-boot spring-security migration spring-security-oauth2

Migrate org.springframework.security.jwt.Jwt


I have this old code:

Dependencies:

    implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
    implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'

Code:

    import org.springframework.security.jwt.Jwt;
    import org.springframework.security.jwt.JwtHelper;
    import org.springframework.security.oauth2.common.util.JsonParser;
    import org.springframework.security.oauth2.common.util.JsonParserFactory;

    private String extractCredentials(String accessTokenCookieValue) {
      Jwt jwt = JwtHelper.decode(accessTokenCookieValue);
      JsonParser objectMapper = JsonParserFactory.create();
      return objectMapper.parseMap(jwt.getClaims()).get("credentials").toString();
    }

Do you know how I can migrate this to the latest version of Spring Security 6?

I tried to use:

    import org.springframework.boot.json.JsonParser;
    import org.springframework.security.oauth2.jwt.Jwt;

But I can't get dependencies for JwtHelper and JsonParserFactory:


Solution

  • You can use NimbusJwtDecoder. Note that it will also verify the signature, so you will need to provide a public key or a source of public keys to use it successfully.

    For example, you might construct one like this:

    // withIssuerLocation looks up the issuer's metadata to find its JWK set (signing keys)
    NimbusJwtDecoder decoder = NimbusJwtDecoder
        .withIssuerLocation("https://authz.example.org/issuer").build();
    

    And then you can decode like so:

    Jwt jwt = decoder.decode(accessTokenCookieValue);
    return jwt.getClaim("credentials").toString();
    

    That said, you might see if calling NimbusJwtDecoder directly is needed in the first place. Spring Security often invokes this for you, depending on whether you are a Client application or a Resource Server.
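
An added example, not part of the answer above and not Spring's own code: the migrated `extractCredentials` run against a locally signed token, showing that `NimbusJwtDecoder` rejects a cookie whose signature does not verify, which the old `JwtHelper.decode(String)` call never checked. It assumes `spring-security-oauth2-jose` is on the classpath; the class name, key pair and claim value are constructed for the demo.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.Date;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

public class CookieJwtExample {   // hypothetical class name
    // Verifies signature and timestamps first, then reads the claim; throws JwtException on failure.
    static String extractCredentials(NimbusJwtDecoder decoder, String accessTokenCookieValue) {
        Jwt jwt = decoder.decode(accessTokenCookieValue);
        return jwt.getClaimAsString("credentials");
    }

    public static void main(String[] args) throws Exception {
        // Constructed test key pair; a real application only configures the issuer's public key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair keys = gen.generateKeyPair();
        // Constructed sample token standing in for the cookie value.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .claim("credentials", "sample-credentials")
                .expirationTime(Date.from(Instant.now().plusSeconds(300)))
                .build();
        SignedJWT signed = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        signed.sign(new RSASSASigner(keys.getPrivate()));
        String token = signed.serialize();
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withPublicKey((RSAPublicKey) keys.getPublic()).build();
        System.out.println(extractCredentials(decoder, token));
        // Change one character of the signature segment: decoding must now fail.
        String[] parts = token.split("\\.");
        char swapped = parts[2].charAt(0) == 'A' ? 'B' : 'A';
        String forged = parts[0] + "." + parts[1] + "." + swapped + parts[2].substring(1);
        try {
            extractCredentials(decoder, forged);
            throw new IllegalStateException("forged token was accepted");
        } catch (JwtException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Callers of the migrated method need to handle `JwtException`, since an expired or tampered cookie now fails at decode time instead of yielding claims.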