Token introspection faling #145

giovannicandido · 2023-09-02T05:44:16Z

giovannicandido
Sep 2, 2023

Hi I have a config on a resource server (only api) that works, I'm tring to get some claims like preferred_username which are not part of the access token.

My config is like the following:

# Security

iamUrl=https://xxx.xxx.com
scheme=https
origins=${scheme}://origin.xx.xx.xxx

server.ssl.enabled=false

# deals with single and multi-valued JWT claims
spring.jackson.deserialization.accept-single-value-as-array=true
#spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=${iamUrl}/oauth/v2/introspect
spring.security.oauth2.resourceserver.opaquetoken.client-id=client_id
spring.security.oauth2.resourceserver.opaquetoken.client-secret=client_secret


com.c4-soft.springaddons.oidc.ops[0].iss=${iamUrl}
com.c4-soft.springaddons.oidc.ops[0].username-claim=preferred_username
com.c4-soft.springaddons.oidc.ops[0].aud=aud
com.c4-soft.springaddons.oidc.ops[0].authorities[0].path=role_path
com.c4-soft.springaddons.oidc.resourceserver.cors[0].path=/**
com.c4-soft.springaddons.oidc.resourceserver.cors[0].allowed-origin-patterns=${origins}
com.c4-soft.springaddons.oidc.client.csrf=cookie_accessible_from_js

If I uncoment the line: #spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=${iamUrl}/oauth/v2/introspect
Then startup fails with:

Parameter 5 of method springAddonsJwtResourceServerSecurityFilterChain in com.c4_soft.springaddons.security.oidc.starter.synchronised.resourceserver.SpringAddonsOidcResourceServerBeans required a bean of type 'org.springframework.security.authentication.AuthenticationManagerResolver' that could not be found.

Is this a bug or do I misconfigure?

Version 7.1.5

Answered by ch4mpy

Sep 5, 2023

@giovannicandido I hadn't seen this, sorry for delay (only issues are auto assigned).

This is a bug. The condition for detecting if a servlet resource server should be auto-configured with introspection or JWT decoding was broken.

It is sad that the integration tests didn't detect that. For instance in webmvc-introspecting-default

A new 7.1.8 version was just released to publish a fix for auto-configuration. I will investigate further to also fix the tests so that it detects such issues.

By curiosity, why are you using introspection? Isn't the additional latency a show stopper for you (compared to JWT decoding)?

View full answer

ch4mpy · 2023-09-05T16:31:21Z

ch4mpy
Sep 5, 2023
Maintainer

@giovannicandido I hadn't seen this, sorry for delay (only issues are auto assigned).

This is a bug. The condition for detecting if a servlet resource server should be auto-configured with introspection or JWT decoding was broken.

It is sad that the integration tests didn't detect that. For instance in webmvc-introspecting-default

A new 7.1.8 version was just released to publish a fix for auto-configuration. I will investigate further to also fix the tests so that it detects such issues.

By curiosity, why are you using introspection? Isn't the additional latency a show stopper for you (compared to JWT decoding)?

0 replies

ch4mpy · 2023-09-08T03:18:41Z

ch4mpy
Sep 8, 2023
Maintainer

@giovannicandido I added sample application start and shutdown around Maven integration tests. This detects such bugs as the one you found.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Token introspection faling #145

{{title}}

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

Token introspection faling #145

giovannicandido Sep 2, 2023

Replies: 2 comments

ch4mpy Sep 5, 2023 Maintainer

ch4mpy Sep 8, 2023 Maintainer

giovannicandido
Sep 2, 2023

ch4mpy
Sep 5, 2023
Maintainer

ch4mpy
Sep 8, 2023
Maintainer