Spring security oauth2 fails issuer validation after 30 seconds

In a reactive spring webflux service, I have the endpoints configured to be protected by OAuth2 resource server. When I first launch the server, it validates the Bearer tokens properly but after about 30 seconds, the exact same requests begin failing with the following error:

error="invalid_token"
error_description="This iss claim is not equal to the configured issuer"
error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"

I've verified that the token is valid and that the iss claim appears to be the same as what is configured in spring.security.oauth2.resourceserver.jwt.issuer-uri. If this wasn't configured properly, then I would be getting no valid requests.

Upon closer inspection, I've found that the error stems from the URL comparison of the iss claim and the expected URL: the InetAddress.getAddress() values match for the first 30 seconds, but then do not match. This is using an Azure AD provider endpoint https://sts.windows.net/{{tenantId}}/ and I've verified that the URL strings match, just not the internal addresses. What might be causing this, and how can I validate tokens with valid issuers after the initial 30 seconds? Thanks.

For reference, here is my SecurityWebFilterChain:

@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
    return http
            .csrf().disable()                                   // bearer-token API, no browser session
            .authorizeExchange().anyExchange().authenticated()  // every endpoint requires a valid token
            .and().oauth2ResourceServer().jwt().and()           // JWT decoder/issuer come from application properties
            .and().build();
}

Gradle implementations included:

org.springframework.boot:spring-boot-starter-security:2.1.0.RC1
org.springframework.boot:spring-boot-starter-webflux:2.1.0.RC1
org.springframework.security:spring-security-oauth2-resource-server:5.1.1.RELEASE
org.springframework.security:spring-security-oauth2-jose:5.1.1.RELEASE
jeffaudio asked Mar 06 '23 04:03


1 Answer

Looks like this was entered as issue #6073 in spring-security and was resolved in c70b65c. It's currently slated to be resolved in 5.1.2.RELEASE or 5.2.0.M1.

The solution committed changed the URL to a String which allowed for the equality check to be more reliable in addition to removing the blocking DNS lookup call.

jeffaudio answered Apr 06 '23 20:04
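One way to keep the resource server working until the fixed release is picked up, as an added example that is not code from the question, the answer or the Spring Security project: a validator that compares the iss claim to the configured issuer as plain strings (no DNS resolution, unlike java.net.URL equality), wired into the reactive decoder in place of the default issuer check. It assumes the Spring Security 5.1.x API used in the question and that the JWK set URI is supplied through the spring.security.oauth2.resourceserver.jwt.jwk-set-uri property; the class and bean names are my own.

```java
import java.util.Objects;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

@Configuration
public class JwtDecoderConfig {   // hypothetical class name

    /** Compares the iss claim with the expected issuer as Strings, so no host lookup is involved. */
    static final class StringIssuerValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedIssuer;

        StringIssuerValidator(String expectedIssuer) {
            this.expectedIssuer = expectedIssuer;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            String iss = jwt.getClaimAsString("iss");
            if (Objects.equals(iss, this.expectedIssuer)) {
                return OAuth2TokenValidatorResult.success();
            }
            // Same error shape the default validator produces, so clients see no behavioural change.
            return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token",
                    "The iss claim is not equal to the configured issuer",
                    "https://tools.ietf.org/html/rfc6750#section-3.1"));
        }
    }

    @Bean
    public ReactiveJwtDecoder reactiveJwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri,
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri) {
        NimbusReactiveJwtDecoder decoder = new NimbusReactiveJwtDecoder(jwkSetUri);
        // Keep the default exp/nbf timestamp checks; only the URL-based issuer check is replaced.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(), new StringIssuerValidator(issuerUri)));
        return decoder;
    }
}
```

The oauth2ResourceServer().jwt() spec picks up this ReactiveJwtDecoder bean, so the SecurityWebFilterChain from the question needs no change; once the fixed spring-security release is on the classpath the bean can be deleted again.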