-
Notifications
You must be signed in to change notification settings - Fork 6.1k
NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Conversation
6e3841d
to
abddfb3
Compare
Working on test cases and code refactoring |
78ef577
to
6370999
Compare
Helper Methods for Key Generation // 1. Using SecretKey with defaults
SecretKey defaultSecretKey = createSecretKey("HmacSHA256", 256); // Key for default HS256
NimbusJwtEncoder encoderWithSecretDefaults = NimbusJwtEncoder.withSecretKey(defaultSecretKey)
// .macAlgorithm(MacAlgorithm.HS256) // Default is HS256
// .keyId(null) // Default keyId is null
// .jwkSelector(...) // Default selector throws if multiple keys match
.build();
// 2. Using SecretKey with specific algorithm and keyId
SecretKey hs512SecretKey = createSecretKey("HmacSHA512", 512);
String secretKeyId = "my-hmac-key-01";
NimbusJwtEncoder encoderWithSecretCustom = NimbusJwtEncoder.withSecretKey(hs512SecretKey)
.macAlgorithm(MacAlgorithm.HS512) // Specify HS512
.keyId(secretKeyId) // Specify a key ID
.build();
// 3. Using RSA KeyPair with defaults
KeyPair rsaKeyPair = createRsaKeyPair(2048);
NimbusJwtEncoder encoderWithRsaDefaults = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
// .signatureAlgorithm(SignatureAlgorithm.RS256) // Default for RSA is RS256
// .keyId(UUID generated) // Default keyId is a random UUID
// .jwkSelector(...) // Default selector picks first if multiple
.build();
// 4. Using RSA KeyPair with specific algorithm (PSS) and keyId
String rsaKeyId = "my-rsa-key-01";
NimbusJwtEncoder encoderWithRsaCustom = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
.signatureAlgorithm(SignatureAlgorithm.PS256) // Specify PS256
.keyId(rsaKeyId) // Specify a key ID
.build();
// 5. Using EC KeyPair with defaults
KeyPair ecP256KeyPair = createEcKeyPair(Curve.P_256); // Key for default ES256
NimbusJwtEncoder encoderWithEcDefaults = NimbusJwtEncoder.withKeyPair(ecP256KeyPair)
// .signatureAlgorithm(SignatureAlgorithm.ES256) // Default for EC is ES256
// .keyId(UUID generated) // Default keyId is a random UUID
// .jwkSelector(...) // Default selector picks first if multiple
.build();
// 6. Using EC KeyPair with specific algorithm and keyId
KeyPair ecP521KeyPair = createEcKeyPair(Curve.P_521); // Key for ES512
String ecKeyId = "my-ec-key-01";
NimbusJwtEncoder encoderWithEcCustom = NimbusJwtEncoder.withKeyPair(ecP521KeyPair)
.signatureAlgorithm(SignatureAlgorithm.ES512) // Specify ES512
.keyId(ecKeyId) // Specify a key ID
.build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @surajbh123! This PR will make using NimbusJwtEncoder
much simpler.
I've left my feedback inline. In addition to that, please ensure that your commit only has the signoff in the description and not in the title. Please also ensure that the description has the issue that this PR resolves:
Add NimbusJwtEncoder Builders
Closes gh-16267
Signed-off-by ...
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
Just one more thing, @surajbh123, when you submit, it will save you time in the review process if you run the following before submitting:
|
6370999
to
567e729
Compare
Working on reviews comments |
bb6d143
to
d6154cb
Compare
Closes spring-projectsgh-16267 Signed-off-by: Suraj Bhadrike <[email protected]>
d6154cb
to
52ef97d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick turnaround, @surajbh123! This is coming together nicely. I've added some additional inline feedback.
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
* with a {@link SecretKey}. | ||
*/ | ||
public NimbusJwtEncoder build() { | ||
this.jwsAlgorithm = (this.jwsAlgorithm != null) ? this.jwsAlgorithm : JWSAlgorithm.HS256; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since you are giving this a default value and there isn't a way for the application to set it back to null
, I believe you can remove this line.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the following case, it may be null.
SecretKey defaultSecretKey = createSecretKey("HmacSHA256", 256); // Key for default HS256
NimbusJwtEncoder encoderWithSecretDefaults = NimbusJwtEncoder.withSecretKey(defaultSecretKey)
// .macAlgorithm(MacAlgorithm.HS256) // Default is HS256
// .keyId(null) // Default keyId is null
// .jwkSelector(...) // Default selector throws if multiple keys match
.build();
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please take a look at my suggestions for the constructor so that this value need not be checked in this way.
By setting reasonable defaults in the constructor, readying the JWK
is as simple as:
OctetSequenceKey jwk = this.builder.build()
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
2d1e2c6
to
24300cb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, @surajbh123, thanks for the updates and for your feedback.
Given some of the confusion I caused with some of my feedback, I wanted to take some more time with the PR before replying. You'll see that there are many more comments now with more specifics about what and why; hopefully that's clearer this time around.
To help with processing the comments, I also added a commit to my fork for you to review which applies my comments. I feel these changes make the builder classes easier to use and more maintainable by our team. You are welcome to review this commit to get a holistic view of the changes I'm proposing:
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
* with a {@link SecretKey}. | ||
*/ | ||
public NimbusJwtEncoder build() { | ||
this.jwsAlgorithm = (this.jwsAlgorithm != null) ? this.jwsAlgorithm : JWSAlgorithm.HS256; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please take a look at my suggestions for the constructor so that this value need not be checked in this way.
By setting reasonable defaults in the constructor, readying the JWK
is as simple as:
OctetSequenceKey jwk = this.builder.build()
if (headers == null) { | ||
headers = DEFAULT_JWS_HEADER; | ||
} | ||
headers = (headers != null) ? headers : (this.jwsHeader != null) ? this.jwsHeader : DEFAULT_JWS_HEADER; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of checking for this.jwsHeader
being non-null, please ensure that it is not null as part of the construction process. Then you can change this to:
headers = (headers != null) ? headers : this.jwsHeader;
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We cant do it as it will break older flows which are not using builders
so this.jwsHeader
will be null
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
...oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
Outdated
Show resolved
Hide resolved
...oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
Outdated
Show resolved
Hide resolved
KeyPair keyPair = keyPairGenerator.generateKeyPair(); | ||
NimbusJwtEncoder encoder = NimbusJwtEncoder.withKeyPair(keyPair) | ||
.keyId(UUID.randomUUID().toString()) | ||
.signatureAlgorithm(SignatureAlgorithm.ES256) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since EC defaults to ES256
, I think this should be a different algorithm, given the test name.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Supported algorithms: oct [HS256]
Supported algorithms: EC [ES256]
Supported algorithms: RSA [RS256, RS384, RS512, PS256, PS384, PS512]
@jzheaux can we remove validation and let NimbusJwt do it
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
24300cb
to
263cf2f
Compare
263cf2f
to
27545c2
Compare
769f4c4
to
c6a6677
Compare
c6a6677
to
868539d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @surajbh123, I've left a piece of feedback inline that I believe will address your other concerns about how the JWS header is handled. If you haven't already, please see my sample commit in the following places for additional illustration:
- Remove
setJwsHeader
: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R68-L136 - Ensure
jwsHeader
is non-null in constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R135 - Call new private
JWK
constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R494
@@ -119,14 +133,17 @@ public void setJwkSelector(Converter<List<JWK>, JWK> jwkSelector) { | |||
this.jwkSelector = jwkSelector; | |||
} | |||
|
|||
public void setDefaultJwsHeader(JwsHeader defaultJwsHeader) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove this method. The default header can be derived in the constructor.
No description provided.