I have simple VueJS application which similar to this one samples-js-vue/okta-hosted-login at master · okta/samples-js-vue · GitHub. Everything is working correctly in frontend meaning I can login and everything. However, when I send JWT token Spring backend I am getting this error.
2024-02-14T12:11:30.360-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /api/posts
2024-02-14T12:11:30.361-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate : HTTP GET https://dev-xxxxxxx.okta.com/oauth2/default/v1/keys
2024-02-14T12:11:30.361-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate : Accept=[text/plain, application/json, application/*+json, */*]
2024-02-14T12:11:30.826-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate : Response 200 OK
2024-02-14T12:11:30.827-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.web.client.RestTemplate : Reading to [java.lang.String] as "application/json"
2024-02-14T12:11:30.830-05:00 DEBUG 77052 --- [nio-8080-exec-3] o.s.s.o.s.r.a.JwtAuthenticationProvider : Failed to authenticate since the JWT was invalid
In browser console I am getting this
Www-Authenticate:
Bearer error="invalid_token", error_description="An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found", error_uri="https://tools.ietf.org/html/rfc6750#section-3.1"
I am using Spring Boot 3.2.2 using following properties.
spring.security.oauth2.resourceserver.jwt.issuer-uri=${AUTHORIZATION_URI:https://dev-xxxxxx.okta.com/oauth2/default}
spring.security.oauth2.resourceserver.opaquetoken.client-id=${CLIENT_ID:xxxxxxx}
spring.security.oauth2.resourceserver.jwt.jws-algorithms=RS256
This is my Spring configuration
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfiguration {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.httpBasic((AbstractHttpConfigurer::disable))
.formLogin((AbstractHttpConfigurer::disable))
.logout((AbstractHttpConfigurer::disable))
.sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests((httpRequestCustomizer) ->
httpRequestCustomizer.requestMatchers(HttpMethod.OPTIONS).permitAll().anyRequest().authenticated()
)
.cors(Customizer.withDefaults())
.exceptionHandling(
it -> {
it.authenticationEntryPoint((request, response, e) -> response.setStatus(HttpStatus.UNAUTHORIZED.value()));
it.accessDeniedHandler((request, response, e) -> response.setStatus(HttpStatus.FORBIDDEN.value()));
}
)
.oauth2ResourceServer((oauth2ResourceServer) -> oauth2ResourceServer.jwt(Customizer.withDefaults()))
.build();
}
}
and my CORS configuration is following.
@Configuration
public class CorsConfiguration implements WebMvcConfigurer {
private final ApplicationProperties applicationProperties;
@Autowired
public CorsConfiguration(ApplicationProperties applicationProperties) {
this.applicationProperties = applicationProperties;
}
@Override
public void addCorsMappings(CorsRegistry registry) {
var allowedSources = this.applicationProperties.getAllowedSource();
if (allowedSources != null && !allowedSources.trim().isEmpty()) {
registry
.addMapping("/**")
.allowedOriginPatterns(allowedSources.split(","))
.allowCredentials(true)
.allowedHeaders(org.springframework.web.cors.CorsConfiguration.ALL)
.allowedMethods(org.springframework.web.cors.CorsConfiguration.ALL);
}
}
}
I also did token validation using https://jwt.io/ and it is giving me Invalid Signature. We are really stuck with this issue. We have similar app in using older version of Spring and Vue and it is working correctly.