Issue
I have a problem with a Spring Boot microservice in the token decryption part of Spring Security. Basically, the following problem occurs: when calling the getSubject() method on the @AuthenticationPrincipal Jwt jwt, the following error occurs:
Caused by: java.lang.IllegalStateException: The Issuer "https://ids-for-spid.aqp.it:443/oauth2/token" provided in the configuration did not match the requested issuer "https://clidens1.aqp.it:9443/oauth2/token"
I guess this is due to the following condition: in the well-known file there is an issuer with a different base URL than the one passed to the library (I guess because there is a proxy or gateway). How could I solve this problem?
Specifically, the URL to access the well-known file is https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration, and inside it there is the following issuer: https://ids-for-spid.aqp.it/oauth2/token, which differs from the base URL clidens1.aqp.it, the only one I can reach.
Solution
During JWT validation, the token iss claim is checked against the issuer URI in your configuration. It must match exactly (even a trailing slash matters, if there is one).
For token validation, the authorization server's public key is also required. It is fetched using the JWK-set URI, generally found in the OIDC configuration, which is itself generally available from a location deduced from the iss claim value.
If the host declared in the iss claim is not reachable from the resource server, have you tried setting the JWK-set URI property too? Something like:
# this must be the exact iss claim value
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://clidens1.aqp.it:9443/oauth2/token
# actual value to use is the "jwks_uri" in https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration
# with hostname and port reachable from resource-server (spring-app this properties file belongs to)
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://ids-for-spid.aqp.it:9443/oauth2/token/protocol/openid-connect/certs
If the hostname in the iss claim is not reachable by anyone, have you tried configuring your authorization server to change the value of the iss claim?
In Keycloak, setting the hostname configuration property would solve your problem, but you're obviously using another authorisation server.
Answered By - ch4mp
Answer Checked By - Timothy Miller (JavaFixing Admin)
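An added example, not part of the original answer, showing the same split in Java configuration instead of properties: the JWK set is fetched from the host the resource server can reach, while the iss claim is still validated strictly against the issuer value the authorization server actually writes into tokens. The JWKS path is a placeholder (it must be copied from "jwks_uri" in the well-known document), and the expected issuer string must match the token's iss claim byte for byte.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class JwtDecoderConfig {

    // The issuer the authorization server puts in the "iss" claim, taken from the
    // well-known document in the question. This is the value tokens are validated
    // against; it is deliberately NOT the hostname the resource server connects to.
    // Assumption: copy it exactly as it appears in a real token (scheme, port, no
    // trailing slash), because the comparison is an exact string match.
    private static final String EXPECTED_ISSUER = "https://ids-for-spid.aqp.it/oauth2/token";

    // JWK set endpoint on the host that IS reachable from this service.
    // "<jwks-path>" is a placeholder: use the "jwks_uri" value from
    // https://clidens1.aqp.it:9443/oauth2/token/.well-known/openid-configuration
    private static final String JWK_SET_URI =
            "https://clidens1.aqp.it:9443/oauth2/token/<jwks-path>";

    @Bean
    JwtDecoder jwtDecoder() {
        // Build the decoder from the JWK-set URI directly, so Spring never performs
        // issuer discovery and never compares the configured issuer-uri with the
        // one advertised in the well-known document (the check that failed above).
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI).build();

        // Keep the default validators (exp / nbf timestamps) and add a strict
        // issuer check against the real "iss" value. Omitting the issuer check
        // would let any token signed by a key in that JWK set through, regardless
        // of which issuer minted it, so it stays on.
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

With this bean in place, remove the spring.security.oauth2.resourceserver.jwt.issuer-uri property so Spring Boot does not try to auto-configure a second, discovery-based decoder.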