If the property spring.security.oauth2.resourceserver.jwt.issuer-uri is set to a value, and the property spring.security.oauth2.resourceserver.jwt.jwk-set-uri is set to an empty string, then application startup fails with the following message:
Description:
Parameter 0 of method setFilterChains in org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration required a single bean, but 2 were found:
- jwtDecoderByJwkKeySetUri: defined by method 'jwtDecoderByJwkKeySetUri' in class path resource [org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.class]
- jwtDecoderByIssuerUri: defined by method 'jwtDecoderByIssuerUri' in class path resource [org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration$JwtDecoderConfiguration.class]
In
|
JwtDecoder jwtDecoderByJwkKeySetUri() { |
the
jwtDecoderByJwkKeySetUri is activated if the
jwk-set-uri property is present (no empty string check)
In
https://github.com/spring-projects/spring-boot/blob/main/module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/IssuerUriCondition.java#L33, the
jwtDecoderByIssuerUri is activated if the
issuer-uri is set and the
jwk-set-uri is empty or null.
Propably the first check should be updated to also check for empty string.
Use case that led to the issue:
After a migration, we mapped a previous property for the jwk-set-uri to the default spring value, for backwards compatibility, by setting the following in an internal properties file:
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${deprecated.jwk-set-uri:}
This leads to the above issue, when we set the the issuer-uri property as well and don't provide a value for the old jwk-set-uri property (e.g. as environment variable in a container, where it is not feasible to override properties files to e.g. remove the jwk-set-uri completely.)
Alternatively, we tried to set the fallback to null instead:
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${deprecated.jwk-set-uri:null}
Along with a PropertySourcesPlaceholderConfigurer:
@Bean
public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer() {
PropertySourcesPlaceholderConfigurer configurer = new PropertySourcesPlaceholderConfigurer();
configurer.setNullValue("null");
return configurer;
}
The placeholder works for other properties, but for the jwk-set-uri, if we pass a null fallback value, then the autoconfiguration sees a "null" string value instead of null, so the jwtDecoderByJwkKeySetUri is enabled, but obviously fails when accessing the jwks from URL "null".
If the property
spring.security.oauth2.resourceserver.jwt.issuer-uriis set to a value, and the propertyspring.security.oauth2.resourceserver.jwt.jwk-set-uriis set to an empty string, then application startup fails with the following message:In
spring-boot/module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/JwtDecoderConfiguration.java
Line 119 in 8ccf2e9
jwtDecoderByJwkKeySetUriis activated if thejwk-set-uriproperty is present (no empty string check)In https://github.com/spring-projects/spring-boot/blob/main/module/spring-boot-security-oauth2-resource-server/src/main/java/org/springframework/boot/security/oauth2/server/resource/autoconfigure/IssuerUriCondition.java#L33, the
jwtDecoderByIssuerUriis activated if theissuer-uriis set and thejwk-set-uriis empty or null.Propably the first check should be updated to also check for empty string.
Use case that led to the issue:
After a migration, we mapped a previous property for the
jwk-set-urito the default spring value, for backwards compatibility, by setting the following in an internal properties file:This leads to the above issue, when we set the the
issuer-uriproperty as well and don't provide a value for the oldjwk-set-uriproperty (e.g. as environment variable in a container, where it is not feasible to override properties files to e.g. remove thejwk-set-uricompletely.)Alternatively, we tried to set the fallback to null instead:
Along with a
PropertySourcesPlaceholderConfigurer:The placeholder works for other properties, but for the
jwk-set-uri, if we pass anullfallback value, then the autoconfiguration sees a"null"string value instead ofnull, so thejwtDecoderByJwkKeySetUriis enabled, but obviously fails when accessing the jwks from URL"null".