






















When an application configures JWT decoding with NimbusJwtDecoder or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator.
This is easy to miss when using NimbusJwtDecoder#withIssuerLocation or NimbusReactiveJwtDecoder#withIssuerLocation, which may be interpreted as adding issuer validation automatically.
Recent maintenance versions of NimbusJwtDecoder#withIssuerLocation and NimbusReactiveJwtDecoder#withIssuerLocation now add issuer validation by default.
Spring Security:
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix version | Availability |
|---|---|---|
| 6.3.x | 6.3.15 | Enterprise Support Only |
| 6.4.x | 6.4.15 | Enterprise Support Only |
| 6.5.x | 6.5.10 | OSS |
| 7.0.x | 7.0.5 | OSS |
Note that if this upgrade causes you trouble due to unwanted issuer validation, you can change it to the earlier default in the following way:
@Bean
JwtDecoder jwtDecoder() {
String issuer = "https://issuer.example.org";
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer)
// ... other configurations
.build();
jwtDecoder.setOAuth2TokenValidator(JwtValidators.createDefaults()); // set to the non-issuer default validator
return jwtDecoder;
}
The issue was identified and responsibly reported by Daniel Seiler.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。