Skip to content

Inconsistent configuration of jwk-set-uri and issuer-uri #50753

Description

@CompartMJU

If the property spring.security.oauth2.resourceserver.jwt.issuer-uri is set to a value, and the property spring.security.oauth2.resourceserver.jwt.jwk-set-uri is set to an empty string, then application startup fails with the following message:

Description:
Parameter 0 of method setFilterChains in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a single bean, but 2 were found:

  • jwtDecoderByJwkKeySetUri: defined by method 'jwtDecoderByJwkKeySetUri' in class path resource [org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.class]
  • jwtDecoderByIssuerUri: defined by method 'jwtDecoderByIssuerUri' in class path resource [org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.class]

In

the jwtDecoderByJwkKeySetUri is activated if the jwk-set-uri property is present (no empty string check)
In https://github.com/spring-projects/spring-boot/blob/main/module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/IssuerUriCondition.java#L33, the jwtDecoderByIssuerUri is activated if the issuer-uri is set and the jwk-set-uri is empty or null.

Propably the first check should be updated to also check for empty string.

Use case that led to the issue:
After a migration, we mapped a previous property for the jwk-set-uri to the default spring value, for backwards compatibility, by setting the following in an internal properties file:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${deprecated.jwk-set-uri:}

This leads to the above issue, when we set the the issuer-uri property as well and don't provide a value for the old jwk-set-uri property (e.g. as environment variable in a container, where it is not feasible to override properties files to e.g. remove the jwk-set-uri completely.)

Alternatively, we tried to set the fallback to null instead:

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${deprecated.jwk-set-uri:null}

Along with a PropertySourcesPlaceholderConfigurer:

    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
        PropertySourcesPlaceholderConfigurer configurer = new PropertySourcesPlaceholderConfigurer();
        configurer.setNullValue("null");
        return configurer;
    }

The placeholder works for other properties, but for the jwk-set-uri, if we pass a null fallback value, then the autoconfiguration sees a "null" string value instead of null, so the jwtDecoderByJwkKeySetUri is enabled, but obviously fails when accessing the jwks from URL "null".

Metadata

Metadata

Assignees

No one assigned

    Labels

    status: supersededAn issue that has been superseded by another

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions