Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Use String equality, not URL equality, for JWT issuer validation

See original GitHub issue

Summary

URL equality is not consistent becuse it attempts DNS resolution and host comparison, which can cause both false positives and false negatives.

RFC 7519 describes “iss” claim as being a StringOrURI value, and restricts StringOrURI validation to string equality:

StringOrURI values are compared as case-sensitive strings with no transformations or canonicalizations applied.

JwtIssuerValidator should replace URL equality with plain case-sensitive string equality.

Actual Behavior

In a load balanced environment (GCP AppEngine Flexible) issuer verification behavior is inconsistent; it fails some of the time with exception below, even though the string issuer matches the required issuer perfectly.

BearerTokenAuthenticationFilter : Authentication request for failed: org.springframework.security.oauth2.core.OAuth2AuthenticationException: An error occurred while attempting to decode the Jwt: This iss claim is not equal to the configured issuer

Expected Behavior

Issuer check should succeed if and only if JWT string issuer matches expected string issuer.

Version

spring-security-oauth2-resource-server:jar:5.1.1.RELEASE

Sample

I can reproduce the problem consistently when deploying the following sample to GCP AppEngine Flexible. The first 30 or so times the application is accessed, OAuth2-based IAP authentication works great, but after that the load balancer kicks traffic over to a different subnet, and issuer verification starts failing consistently. https://github.com/spring-cloud/spring-cloud-gcp/tree/master/spring-cloud-gcp-samples/spring-cloud-gcp-security-iap-sample