How to produce correct jwks endpoint for spring oauth2 jwt server?

Question

The Issued Goal

To configure /.well-known/jwks.json for my spring oauth2 jwt server with valid jwks.

1st Attempt

Following spring documentation I can use out the box Endpoint for JWK Set URI. It requires:

@Import(AuthorizationServerEndpointsConfiguration.class)

I've added. Checking mapped endpoints via actuator nothing filtered for jw.

2nd Attempt

Following the same configuration I tried to use next code:

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
...

@FrameworkEndpoint
class JwkSetEndpoint {
    KeyPair keyPair;

    public JwkSetEndpoint(KeyPair keyPair) {
        this.keyPair = keyPair;
    }

    @GetMapping("/.well-known/jwks.json")
    @ResponseBody
    public Map<String, Object> getKey(Principal principal) {
        RSAPublicKey publicKey = (RSAPublicKey) this.keyPair.getPublic();
        RSAKey key = new RSAKey.Builder(publicKey).build();
        return new JWKSet(key).toJSONObject();
    }
}

It produces

{
  "keys" : [ {
    "kty" : "RSA",
    "e" : "AQAB",
    "n" : "mWI2jtKwvf0W1hdMdajch-mFx9FZe3CZnKNvT_d0-2O6V1Pgkz7L2FcQx2uoV7gHgk5mmb2MZUsy_rDKj0dMfLzyXqBcCRxD6avALwu8AAiGRxe2dl8HqIHyo7P4R1nUaea1WCZB_i7AxZNAQtcCcSvMvF2t33p3vYXY6SqMucMD4yHOTXexoWhzwRqjyyC8I8uCYJ-xIfQvaK9Q1RzKRj99IRa1qyNgdeHjkwW9v2Fd4O_Ln1Tzfnk_dMLqxaNsXPw37nw-OUhycFDPPQF_H4Q4-UDJ3ATf5Z2yQKkUQlD45OO2mIXjkWprAmOCi76dLB2yzhCX_plGJwcgb8XHEQ"
  } ]
}

Pinging resource server with access_token is failed:

{"error":"invalid_token","error_description":"Invalid JWT/JWS: kid is a required JOSE Header"}

3rd Attempt

Modifying response for "/.well-known/jwks.json" (jwt.io helps detect algorithm used for jwt):

        RSAKey key = new RSAKey.Builder(publicKey)
                .keyID("1")
                .keyUse(KeyUse.SIGNATURE)
                .algorithm(JWSAlgorithm.RS256)
                .build();

leads to next response:

{
  "keys" : [ {
    "kty" : "RSA",
    "e" : "AQAB",
    "use" : "sig",
    "kid" : "1",
    "alg" : "RS256",
    "n" : "mWI2jtKwvf0W1hdMdajch-mFx9FZe3CZnKNvT_d0-2O6V1Pgkz7L2FcQx2uoV7gHgk5mmb2MZUsy_rDKj0dMfLzyXqBcCRxD6avALwu8AAiGRxe2dl8HqIHyo7P4R1nUaea1WCZB_i7AxZNAQtcCcSvMvF2t33p3vYXY6SqMucMD4yHOTXexoWhzwRqjyyC8I8uCYJ-xIfQvaK9Q1RzKRj99IRa1qyNgdeHjkwW9v2Fd4O_Ln1Tzfnk_dMLqxaNsXPw37nw-OUhycFDPPQF_H4Q4-UDJ3ATf5Z2yQKkUQlD45OO2mIXjkWprAmOCi76dLB2yzhCX_plGJwcgb8XHEQ"
  } ]
}

Pinging resource server with access_token provides the same result:

{"error":"invalid_token","error_description":"Invalid JWT/JWS: kid is a required JOSE Header"}

Question

Is any ideas or examples how to configure /.well-known/jwks.json to produce correct jwks?

P.S.

In case I use public key as local resource on the resource server - it works.
I'll be happy to any working solution (possible someone knows different jwks libraries that can be used in spring-boot application).

score 1 · Answer 1 · edited Oct 07 '21 at 07:27

Any update to this?

We are looking into signature based authentication, https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12,

One of the requirements will be to implement the /.well-known/jwks.json endpoint so we don't have to have a separate public key distribution mechanism.

I haven't yet done this but it looks like:

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
    return JWKSet.load(keyStore, (name) -> null).toPublicJWKSet();