Validate AccessToken and id Token for Spring-OIDC

Hi,
I am trying to implement OIDC with Spring Boot 2.0.
Functionality is working fine and I am able to get the access token and id_token. Now I want to verify/validate the tokens on the client side. I see for the id_token, the way to verify was checking the issuer and audience…
I need some guidance on how/what way I need to follow on validating the access token.

Any guidance is helpful.

Thanks

Did you use one of our guides or blog posts to help you implement OIDC with Spring Boot? The reason I ask is because if you’re using Spring Boot’s @EnableOAuth2Sso, you don’t need to do token validation, Spring Security does it for you.

Yup… I have implemented the OIDC with Spring Boot using YOUR guide/sample app…
Do we need to have the @EnableOAuth2Sso annotation when we are using Spring Security 5.0? (This might be silly to ask), but I thought Spring Boot would take care of this…
When I add @EnableOAuth2Sso on the Security Config method, my app is failing to load… when I remove the annotation, it's working…
Any guess?

It depends on if you’re using Spring Security’s OAuth or its OIDC support. Get Started with Spring Security 5.0 and OIDC shows how to use OIDC, while Build a Basic CRUD App with Angular 5.0 and Spring Boot 2.0 shows how to set up a Resource Server. You could also use @EnableOAuth2Sso if you configure the dependencies like in the 2nd one. This is what we do in JHipster.

I am following the guide from the below Okta git URL for validating the tokens.

When I am doing the validation, it's failing saying com.okta.jwt.JoseException: Failed to validate JWT string

Any guesses on this issue?

If you’ve already configured Spring’s OIDC or OAuth support, you won’t need to do JWT validation. That’s built-in. What are you trying to accomplish?

I am using Spring Boot 2.0 and I wasn't aware of Spring doing JWT validation for us. I thought we needed to validate the id token on the client side…
As a side note, what is the use of the Okta JWT verifier? I mean we won't need it for Spring Boot 2.0, right? Just wanted to know…
Thanks for helping me out @mraible

The Java JWT Verifier can be useful if you’re not using Spring Boot. For example, you want to do verification in a servlet filter.

If you’re using Spring Boot with Spring Security, you should be able to get the user from the usual means (e.g., java.security.Principal, or the SecurityContextHolder).
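Added example (not the original poster's code and not Okta's sample app): a minimal Spring Boot 2.0 / Spring Security 5 setup that lets Spring Security validate the ID token during login and then reads the authenticated user through the "usual means" named above. The registration name `okta`, the `/me` endpoint and the property values are assumptions.

```java
// Added example: Spring Security 5 OIDC login where token validation is done by the framework.
// Assumed application.properties (values are placeholders, registration name "okta" is assumed):
//   spring.security.oauth2.client.provider.okta.issuer-uri=https://{yourOktaDomain}/oauth2/default
//   spring.security.oauth2.client.registration.okta.client-id={clientId}
//   spring.security.oauth2.client.registration.okta.client-secret={clientSecret}
// With issuer-uri set, Spring Security discovers the JWKS endpoint and checks the ID token's
// signature, issuer, audience and expiry during login; the application never calls a verifier.

import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request requires a login; oauth2Login() wires the OIDC authorization-code flow.
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login();
    }
}

@RestController
class WhoAmIController {
    // The principal is the already-validated OidcUser; no manual JWT check is needed here.
    @GetMapping("/me")
    public Map<String, Object> me(@AuthenticationPrincipal OidcUser user) {
        Map<String, Object> out = new LinkedHashMap<>();
        OidcIdToken idToken = user.getIdToken();
        out.put("subject", user.getSubject());
        out.put("issuer", idToken.getIssuer().toString());
        out.put("audience", idToken.getAudience());
        out.put("expiresAt", idToken.getExpiresAt());

        // Equivalent lookup via SecurityContextHolder, the other "usual means" named above.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        out.put("authenticatedViaContext", auth != null && auth.isAuthenticated());
        return out;
    }
}
```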

Gotcha… thanks for clarifying it @mraible :slight_smile: