Issue
I am getting the below error for spring-security using Spring Boot 2.7.3:
[or-http-epoll-1] o.s.s.w.s.a.AuthenticationWebFilter:
Authentication failed: An error occurred while attempting to decode the Jwt:
class com.nimbusds.jose.JWEHeader cannot be cast to class
com.nimbusds.jose.JWSHeader (com.nimbusds.jose.JWEHeader and
com.nimbusds.jose.JWSHeader are in unnamed module of loader
org.springframework.boot.loader.LaunchedURLClassLoader @43da41e)
I suspect the following cast inside this method is causing the error:
import org.springframework.boot.autoconfigure.security.oauth2.resource.OAuth2ResourceServerProperties
import org.springframework.context.annotation.Bean
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator
import org.springframework.security.oauth2.core.OAuth2TokenValidator
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.jwt.JwtValidators
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders

@Bean
fun jwtDecoder(properties: OAuth2ResourceServerProperties): ReactiveJwtDecoder {
    val issuerUri = properties.jwt.issuerUri
    // fromOidcIssuerLocation() builds a NimbusReactiveJwtDecoder from the issuer's JWK set;
    // that decoder verifies signed (JWS) tokens only
    val jwtDecoder = ReactiveJwtDecoders.fromOidcIssuerLocation(issuerUri) as NimbusReactiveJwtDecoder
    // AudienceValidator and audience are defined elsewhere in the application
    val audienceValidator: OAuth2TokenValidator<Jwt> = AudienceValidator(audience)
    val withIssuer: OAuth2TokenValidator<Jwt> = JwtValidators.createDefaultWithIssuer(issuerUri)
    val withAudience: OAuth2TokenValidator<Jwt> = DelegatingOAuth2TokenValidator(withIssuer, audienceValidator)
    jwtDecoder.setJwtValidator(withAudience)
    return jwtDecoder
}
We're using Auth0 as a provider.
Solution
Turns out we were sending an opaque access token, according to Auth0. We needed to specify the audience on our ApiProvider for the React frontend:
<Auth0Provider
  domain={domain}
  clientId={clientId}
  redirectUri={window.location.origin}
  onRedirectCallback={onRedirectCallback}
  audience={auth0Audience}  {/* the API identifier configured in Auth0; without it Auth0 issues an opaque token */}
>
  {/* application components */}
</Auth0Provider>
Also needed to disable RBAC as we're not using scoped APIs:
Lastly, jwt.io was a great tool for testing our JWT tokens. We were expecting RS256-algorithm tokens, but were getting DIR-type tokens (the opaque tokens) when testing against it.
Answered By - Sami
Answer Checked By - Gilberto Lyons (JavaFixing Admin)
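As an added example (not code from the original post, Auth0 or Spring), a small JavaScript check that inspects a token's JOSE header to tell the "dir" JWE tokens described above from RS256 JWS tokens before the Spring decoder ever sees them. The issuer, ciphertext and signature bytes in the sample tokens are constructed placeholders.

```javascript
// Classify an access token by its JOSE header: a JWS-only decoder such as
// NimbusReactiveJwtDecoder can never accept a JWE, which is what Auth0 returns
// when no audience is requested. Works in the browser and in Node.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return typeof Buffer !== "undefined" ? Buffer.from(b64, "base64").toString("utf8") : atob(b64);
}

function base64UrlEncode(s) {
  const b64 = typeof Buffer !== "undefined" ? Buffer.from(s, "utf8").toString("base64") : btoa(s);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns { kind, alg, enc } with kind "JWS", "JWE" or "unknown".
function classifyToken(token) {
  const parts = token.split(".");
  let header;
  try {
    header = JSON.parse(base64UrlDecode(parts[0]));
  } catch (e) {
    return { kind: "unknown", alg: null, enc: null };
  }
  // JWE compact serialization: five segments and an "enc" header. JWS: three segments, no "enc".
  if (parts.length === 5 && typeof header.enc === "string") {
    return { kind: "JWE", alg: header.alg || null, enc: header.enc };
  }
  if (parts.length === 3 && !("enc" in header)) {
    return { kind: "JWS", alg: header.alg || null, enc: null };
  }
  return { kind: "unknown", alg: header.alg || null, enc: header.enc || null };
}

// Says whether the token can pass a JWS decoder configured for expectedAlg, and why not.
function checkForJwsDecoder(token, expectedAlg = "RS256") {
  const info = classifyToken(token);
  if (info.kind === "JWE") {
    return { ok: false, reason: `JWE (alg=${info.alg}, enc=${info.enc}): opaque token, no audience requested?` };
  }
  if (info.kind !== "JWS") return { ok: false, reason: "not a compact JWS" };
  if (info.alg !== expectedAlg) return { ok: false, reason: `alg is ${info.alg}, expected ${expectedAlg}` };
  return { ok: true, reason: "JWS with expected alg" };
}

// Constructed samples: placeholder issuer, fake IV/ciphertext/tag and signature segments.
const OPAQUE_TOKEN = [base64UrlEncode(JSON.stringify({ alg: "dir", enc: "A256GCM", iss: "https://TENANT.auth0.com/" })),
  "", "aXY", "Y2lwaGVydGV4dA", "dGFn"].join(".");
const JWT_TOKEN = [base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT", kid: "example-kid" })),
  base64UrlEncode(JSON.stringify({ iss: "https://TENANT.auth0.com/", aud: "https://api.example.com" })), "c2ln"].join(".");
```

Running `checkForJwsDecoder` on a token copied from the browser's network tab gives the same JWS/JWE verdict jwt.io shows, without pasting the token into a third-party site.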