Skip to content

NimbusJwtEncoder should simplify constructing with javax.security Keys #17033

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jun 17, 2025

Conversation

surajbh123
Copy link
Contributor

No description provided.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 2, 2025
@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 2 times, most recently from 6e3841d to abddfb3 Compare May 2, 2025 20:54
@surajbh123
Copy link
Contributor Author

surajbh123 commented May 3, 2025

Working on test cases and code refactoring

@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 2 times, most recently from 78ef577 to 6370999 Compare May 4, 2025 18:43
@surajbh123
Copy link
Contributor Author

Helper Methods for Key Generation

        // 1. Using SecretKey with defaults
        SecretKey defaultSecretKey = createSecretKey("HmacSHA256", 256); // Key for default HS256
        NimbusJwtEncoder encoderWithSecretDefaults = NimbusJwtEncoder.withSecretKey(defaultSecretKey)
                // .macAlgorithm(MacAlgorithm.HS256) // Default is HS256
                // .keyId(null)                     // Default keyId is null
                // .jwkSelector(...)               // Default selector throws if multiple keys match
                .build();
                
        // 2. Using SecretKey with specific algorithm and keyId
        SecretKey hs512SecretKey = createSecretKey("HmacSHA512", 512);
        String secretKeyId = "my-hmac-key-01";
        NimbusJwtEncoder encoderWithSecretCustom = NimbusJwtEncoder.withSecretKey(hs512SecretKey)
                .macAlgorithm(MacAlgorithm.HS512) // Specify HS512
                .keyId(secretKeyId)               // Specify a key ID
                .build();

        // 3. Using RSA KeyPair with defaults
        KeyPair rsaKeyPair = createRsaKeyPair(2048);
        NimbusJwtEncoder encoderWithRsaDefaults = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
                // .signatureAlgorithm(SignatureAlgorithm.RS256) // Default for RSA is RS256
                // .keyId(UUID generated)                      // Default keyId is a random UUID
                // .jwkSelector(...)                          // Default selector picks first if multiple
                .build();
                
        // 4. Using RSA KeyPair with specific algorithm (PSS) and keyId
        String rsaKeyId = "my-rsa-key-01";
        NimbusJwtEncoder encoderWithRsaCustom = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
                .signatureAlgorithm(SignatureAlgorithm.PS256) // Specify PS256
                .keyId(rsaKeyId)                              // Specify a key ID
                .build();

        // 5. Using EC KeyPair with defaults
        KeyPair ecP256KeyPair = createEcKeyPair(Curve.P_256); // Key for default ES256
        NimbusJwtEncoder encoderWithEcDefaults = NimbusJwtEncoder.withKeyPair(ecP256KeyPair)
                // .signatureAlgorithm(SignatureAlgorithm.ES256) // Default for EC is ES256
                // .keyId(UUID generated)                      // Default keyId is a random UUID
                // .jwkSelector(...)                          // Default selector picks first if multiple
                .build();

        // 6. Using EC KeyPair with specific algorithm and keyId
        KeyPair ecP521KeyPair = createEcKeyPair(Curve.P_521); // Key for ES512
        String ecKeyId = "my-ec-key-01";
        NimbusJwtEncoder encoderWithEcCustom = NimbusJwtEncoder.withKeyPair(ecP521KeyPair)
                .signatureAlgorithm(SignatureAlgorithm.ES512) // Specify ES512
                .keyId(ecKeyId)                               // Specify a key ID
                .build();

@jzheaux jzheaux added this to the 7.0.x milestone May 6, 2025
@jzheaux jzheaux added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 6, 2025
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @surajbh123! This PR will make using NimbusJwtEncoder much simpler.

I've left my feedback inline. In addition to that, please ensure that your commit only has the signoff in the description and not in the title. Please also ensure that the description has the issue that this PR resolves:

Add NimbusJwtEncoder Builders

Closes gh-16267

Signed-off-by ...

@jzheaux
Copy link
Contributor

jzheaux commented May 7, 2025

Just one more thing, @surajbh123, when you submit, it will save you time in the review process if you run the following before submitting:

./gradlew format && ./gradlew :spring-security-oauth2-jose:check

@jzheaux jzheaux self-assigned this May 7, 2025
@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch from 6370999 to 567e729 Compare May 8, 2025 20:14
@surajbh123
Copy link
Contributor Author

surajbh123 commented May 8, 2025

Working on reviews comments
Not all resolved yet

@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 4 times, most recently from d6154cb to 52ef97d Compare May 9, 2025 15:52
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the quick turnaround, @surajbh123! This is coming together nicely. I've added some additional inline feedback.

@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 2 times, most recently from 2d1e2c6 to 24300cb Compare May 13, 2025 19:50
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, @surajbh123, thanks for the updates and for your feedback.

Given some of the confusion I caused with some of my feedback, I wanted to take some more time with the PR before replying. You'll see that there are many more comments now with more specifics about what and why; hopefully that's clearer this time around.

To help with processing the comments, I also added a commit to my fork for you to review which applies my comments. I feel these changes make the builder classes easier to use and more maintainable by our team. You are welcome to review this commit to get a holistic view of the changes I'm proposing:

jzheaux@7e1847d

@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch from 24300cb to 263cf2f Compare May 24, 2025 11:55
@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label May 27, 2025
@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch from 263cf2f to 27545c2 Compare May 29, 2025 16:44
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-feedback We need additional information before we can continue labels May 29, 2025
@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 2 times, most recently from c6a6677 to 868539d Compare June 5, 2025 15:26
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @surajbh123, I've left a piece of feedback inline that I believe will address your other concerns about how the JWS header is handled. If you haven't already, please see my sample commit in the following places for additional illustration:

  1. Remove setJwsHeader: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R68-L136
  2. Ensure jwsHeader is non-null in constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R135
  3. Call new private JWK constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R494

@surajbh123 surajbh123 force-pushed the nimbus-ecoder-builder branch 3 times, most recently from f3a62d8 to c42d241 Compare June 14, 2025 05:57
@jzheaux jzheaux removed the status: waiting-for-feedback We need additional information before we can continue label Jun 16, 2025
@jzheaux jzheaux modified the milestones: 7.0.x, 7.0.0-M1 Jun 17, 2025
@jzheaux jzheaux force-pushed the nimbus-ecoder-builder branch 2 times, most recently from 517d9a4 to 01edd3b Compare June 17, 2025 21:55
- Simplify withKeyPair methods to match withPublicKey convention
in NimbusJwtDecoder
- Update tests to confirm support of other algorithms
- Update constructor to apply additional JWK properties
to the default header
- Deduce the possibly algorithms for a given key based
on curve and key size
- Remove algorithm method from EC builder since the
algorithm is determined by the Curve of the EC Key

Issue spring-projectsgh-16267

Co-Authored-By: Suraj Bhadrike <[email protected]>
@jzheaux jzheaux force-pushed the nimbus-ecoder-builder branch from 01edd3b to 9410052 Compare June 17, 2025 22:01
@jzheaux jzheaux merged commit 676b44e into spring-projects:main Jun 17, 2025
6 checks passed
@jzheaux
Copy link
Contributor

jzheaux commented Jun 17, 2025

Thanks for your consistent effort on this PR, @surajbh123! It's now be merged into main.

@surajbh123 surajbh123 deleted the nimbus-ecoder-builder branch June 18, 2025 16:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants