
I'm using Spring Security 6 with Nimbus tokens. Here is my security configuration:

// Both beans live in a @Configuration class; jwtConfigProperties is the injected RsaKeyProperties bean shown below.
@Bean
public JwtDecoder jwtDecoder() {
    // Verifies incoming tokens with the RSA public key only
    return NimbusJwtDecoder.withPublicKey(jwtConfigProperties.getPublicKey()).build();
}

@Bean
public JwtEncoder jwtEncoder() {
    // Signs tokens with the matching RSA private key, exposed as a one-entry JWK set
    JWK jwk = new RSAKey.Builder(jwtConfigProperties.getPublicKey())
            .privateKey(jwtConfigProperties.getPrivateKey())
            .build();
    JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
    return new NimbusJwtEncoder(jwks);
}

Here's my JWT configuration properties class for the RSA public and private key:

import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import jakarta.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Autowired;

public class RsaKeyProperties {

    private RSAPrivateKey privateKey;

    private RSAPublicKey publicKey;

    @Autowired
    KeyGeneratorUtility keygen;   // must be registered as a bean for the injection to work

    @PostConstruct
    public void init() {
        // A fresh key pair is generated on every start-up, so tokens do not survive a restart
        KeyPair keyPair = keygen.generateKey();

        this.privateKey = (RSAPrivateKey) keyPair.getPrivate();
        System.out.println("rsa private key : " + privateKey); // debug output; this writes the private key to the logs
        this.publicKey = (RSAPublicKey) keyPair.getPublic();
        System.out.println("rsa public key : " + publicKey);
    }

    // Accessors used by the JwtDecoder/JwtEncoder beans
    public RSAPrivateKey getPrivateKey() { return privateKey; }

    public RSAPublicKey getPublicKey() { return publicKey; }
}

And here is how the RSA public and private key are generated programmatically:

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;

public class KeyGeneratorUtility {

    public KeyPair generateKey() {
        try {
            // 2048-bit RSA key pair, used for RS256 signing
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            return keyPairGenerator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the failure is diagnosable
            throw new IllegalStateException("RSA key generation failed", e);
        }
    }
}

And here is how the token is generated programmatically:

// Builds a signed JWT for the given user; `encoder` is the injected JwtEncoder bean
public String generateToken(ProductUser produser) {
    Instant now = Instant.now();
    // Space-separated authorities, the format Spring's JwtAuthenticationConverter expects for "scope"
    String scope = produser.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .collect(Collectors.joining(" "));

    JwtClaimsSet claims = JwtClaimsSet.builder()
            .issuer("self")
            .issuedAt(now)
            .expiresAt(now.plus(1, ChronoUnit.HOURS))
            .subject(produser.getUsername())
            .claim("scope", scope)
            .build();

    return this.encoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
}

This is the auto-generated token after hitting the API from Postman, with status 200 OK:

eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJzZWxmIiwic3ViIjoic2F5YW50YW51c2VyIiwiZXhwIjoxNjkyNzY1MTU5LCJpYXQiOjE2OTI3NjE1NTksInNjb3BlIjoidXNlcjpjcmVhdGUgdXNlcjpkZWxldGUgdXNlcjp1cGRhdGUgdXNlcjpyZWFkIFJPTEVfVVNFUiJ9.LtLP0YcniqgKbhqMkTOWtBMqGLKP1nk5xKWZhELmsISCFTPmMbCVCAPikJqz9psW3QjoMWgbOoia3_saohrbPI1EfTIYb_P0K5bh3eD2StIK0B4ywf39-ENvzE9Zt9GuRTWHQ7tk1cBJv9YhqZxDzmFbZdPDBB1ZWYXGLxBhKec8vVlidGA0UqPKNiZhSFoop3mjmzu2N4kah7WZ__q20ccFeS52icKXyw8kpFbxiasouWRLPjy75nwgcYhXASKfs5TSYPyzppCTE1cqQ3CzVOv21xpzK6QjD9hnTz8aqrsz8mFTFxd0VRqenwLx1s9SiHldfG0DK_umd9w_83muoQ

But after pasting this token into jwt.io it shows "invalid signature".

Any idea what I am doing wrong? Is my approach incorrect? Please help me out.

  • why are you even generating a token in your application, and not letting a proper authorization server/issuer generate tokens for you – Toerktumlare Aug 23 '23 at 09:08
  • I just want to create a token programmatically without using openssl tool with issuer by myself. – Sayantan Chatterjee Aug 23 '23 at 09:14
  • 1
    You did not paste the public key into the public key field on jwt.io (right column under VERIFY SIGNATURE). Without knowing the public key, the signature can't be verified. – jps Aug 23 '23 at 09:39
  • I'll try that. Thanks for the help. – Sayantan Chatterjee Aug 23 '23 at 10:12
  • Just so you know, creating tokens and giving them out to browsers is very dangerous. – Toerktumlare Aug 23 '23 at 12:02
  • AFAIK @Toerktumlare, Authorization Server also generates self-signed token and send it to its client. – Sayantan Chatterjee Aug 23 '23 at 12:44
  • 1
    No they don't, the implicit OAuth2 flow is deprecated and is not used anymore, and still OWASP's best practices are still and have always been to not supply browsers with tokens directly; OpenID Connect supplies tokens in cookies with the httpOnly flag set. Just because a lot of people do give out JWTs to browsers does not mean that they are doing something secure. Why do you think there are a lot of insecure applications out there? https://www.youtube.com/watch?v=JdGOb7AxUo0 – Toerktumlare Aug 23 '23 at 13:43
  • Hmm.. thanks for your info. I'll check that out. And also https://stackoverflow.com/questions/59273338/what-is-the-replacement-for-the-deprecated-authorizationserver-in-spring-securit – Sayantan Chatterjee Aug 23 '23 at 14:17
  • Maybe it is still there .. https://docs.spring.io/spring-authorization-server/docs/current/reference/html/overview.html#feature-list – Sayantan Chatterjee Aug 23 '23 at 15:23
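The point in jps's comment can be reproduced locally without jwt.io. The added example below is not code from the question; it combines the question's key generation, JwtEncoder and JwtDecoder setup into one stand-alone program that signs a token, verifies it with the issuing public key, and then verifies it again with an unrelated public key, which fails exactly the way jwt.io does when no (or the wrong) public key is supplied. It also prints the public key as PEM so it can be pasted into the VERIFY SIGNATURE field. The class name JwtSignatureCheck, the subject "alice" and the scope string are constructed for the example; it assumes the spring-security-oauth2-jose and nimbus-jose-jwt jars are on the classpath and uses no Spring context.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Base64;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

// Added example (not from the question): sign a JWT and verify it with the right and the wrong key.
public class JwtSignatureCheck {

    // Same key generation as the question's KeyGeneratorUtility
    static KeyPair generateRsaKeyPair() throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        return gen.generateKeyPair();
    }

    // Same encoder wiring as the question's jwtEncoder() bean, without the Spring container
    static JwtEncoder encoderFor(KeyPair pair) {
        JWK jwk = new RSAKey.Builder((RSAPublicKey) pair.getPublic())
                .privateKey((RSAPrivateKey) pair.getPrivate())
                .build();
        JWKSource<SecurityContext> jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new NimbusJwtEncoder(jwks);
    }

    // Same decoder wiring as the question's jwtDecoder() bean: verification needs only the public key
    static JwtDecoder decoderFor(KeyPair pair) {
        return NimbusJwtDecoder.withPublicKey((RSAPublicKey) pair.getPublic()).build();
    }

    // Same claims as the question's generateToken()
    static String issueToken(JwtEncoder encoder, String subject, String scope) {
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer("self")
                .issuedAt(now)
                .expiresAt(now.plus(1, ChronoUnit.HOURS))
                .subject(subject)
                .claim("scope", scope)
                .build();
        return encoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
    }

    // decode() checks the RS256 signature and the exp/nbf claims; any failure is a JwtException
    static boolean signatureValid(JwtDecoder decoder, String token) {
        try {
            Jwt jwt = decoder.decode(token);
            return jwt.getSubject() != null;
        } catch (JwtException e) {
            return false;
        }
    }

    // X.509 SubjectPublicKeyInfo in PEM form, the format jwt.io's public key field accepts
    static String publicKeyPem(RSAPublicKey key) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
        return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----";
    }

    public static void main(String[] args) throws Exception {
        KeyPair issuerKeys = generateRsaKeyPair();
        KeyPair otherKeys = generateRsaKeyPair(); // stands in for "no / wrong public key on jwt.io"

        String token = issueToken(encoderFor(issuerKeys), "alice", "user:read ROLE_USER"); // constructed values
        System.out.println("token: " + token);

        System.out.println("verified with issuer public key   : " + signatureValid(decoderFor(issuerKeys), token)); // true
        System.out.println("verified with unrelated public key: " + signatureValid(decoderFor(otherKeys), token));  // false

        // Paste this into jwt.io's VERIFY SIGNATURE public key field to see "Signature Verified"
        System.out.println(publicKeyPem((RSAPublicKey) issuerKeys.getPublic()));
    }
}
```

Because the question's RsaKeyProperties generates a new key pair on every start-up, the PEM printed by one run will not verify a token issued by an earlier run; the public key has to be taken from the same process that issued the token being checked.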

0 Answers