-
Notifications
You must be signed in to change notification settings - Fork 6.1k
NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NimbusJwtEncoder should simplify constructing with javax.security Keys #17033
Conversation
6e3841d
to
abddfb3
Compare
Working on test cases and code refactoring |
78ef577
to
6370999
Compare
Helper Methods for Key Generation // 1. Using SecretKey with defaults
SecretKey defaultSecretKey = createSecretKey("HmacSHA256", 256); // Key for default HS256
NimbusJwtEncoder encoderWithSecretDefaults = NimbusJwtEncoder.withSecretKey(defaultSecretKey)
// .macAlgorithm(MacAlgorithm.HS256) // Default is HS256
// .keyId(null) // Default keyId is null
// .jwkSelector(...) // Default selector throws if multiple keys match
.build();
// 2. Using SecretKey with specific algorithm and keyId
SecretKey hs512SecretKey = createSecretKey("HmacSHA512", 512);
String secretKeyId = "my-hmac-key-01";
NimbusJwtEncoder encoderWithSecretCustom = NimbusJwtEncoder.withSecretKey(hs512SecretKey)
.macAlgorithm(MacAlgorithm.HS512) // Specify HS512
.keyId(secretKeyId) // Specify a key ID
.build();
// 3. Using RSA KeyPair with defaults
KeyPair rsaKeyPair = createRsaKeyPair(2048);
NimbusJwtEncoder encoderWithRsaDefaults = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
// .signatureAlgorithm(SignatureAlgorithm.RS256) // Default for RSA is RS256
// .keyId(UUID generated) // Default keyId is a random UUID
// .jwkSelector(...) // Default selector picks first if multiple
.build();
// 4. Using RSA KeyPair with specific algorithm (PSS) and keyId
String rsaKeyId = "my-rsa-key-01";
NimbusJwtEncoder encoderWithRsaCustom = NimbusJwtEncoder.withKeyPair(rsaKeyPair)
.signatureAlgorithm(SignatureAlgorithm.PS256) // Specify PS256
.keyId(rsaKeyId) // Specify a key ID
.build();
// 5. Using EC KeyPair with defaults
KeyPair ecP256KeyPair = createEcKeyPair(Curve.P_256); // Key for default ES256
NimbusJwtEncoder encoderWithEcDefaults = NimbusJwtEncoder.withKeyPair(ecP256KeyPair)
// .signatureAlgorithm(SignatureAlgorithm.ES256) // Default for EC is ES256
// .keyId(UUID generated) // Default keyId is a random UUID
// .jwkSelector(...) // Default selector picks first if multiple
.build();
// 6. Using EC KeyPair with specific algorithm and keyId
KeyPair ecP521KeyPair = createEcKeyPair(Curve.P_521); // Key for ES512
String ecKeyId = "my-ec-key-01";
NimbusJwtEncoder encoderWithEcCustom = NimbusJwtEncoder.withKeyPair(ecP521KeyPair)
.signatureAlgorithm(SignatureAlgorithm.ES512) // Specify ES512
.keyId(ecKeyId) // Specify a key ID
.build(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @surajbh123! This PR will make using NimbusJwtEncoder
much simpler.
I've left my feedback inline. In addition to that, please ensure that your commit only has the signoff in the description and not in the title. Please also ensure that the description has the issue that this PR resolves:
Add NimbusJwtEncoder Builders
Closes gh-16267
Signed-off-by ...
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
Just one more thing, @surajbh123, when you submit, it will save you time in the review process if you run the following before submitting:
|
6370999
to
567e729
Compare
Working on reviews comments |
d6154cb
to
52ef97d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the quick turnaround, @surajbh123! This is coming together nicely. I've added some additional inline feedback.
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
2d1e2c6
to
24300cb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi, @surajbh123, thanks for the updates and for your feedback.
Given some of the confusion I caused with some of my feedback, I wanted to take some more time with the PR before replying. You'll see that there are many more comments now with more specifics about what and why; hopefully that's clearer this time around.
To help with processing the comments, I also added a commit to my fork for you to review which applies my comments. I feel these changes make the builder classes easier to use and more maintainable by our team. You are welcome to review this commit to get a holistic view of the changes I'm proposing:
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
...oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
Outdated
Show resolved
Hide resolved
...oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
Outdated
Show resolved
Hide resolved
...oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
24300cb
to
263cf2f
Compare
263cf2f
to
27545c2
Compare
c6a6677
to
868539d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @surajbh123, I've left a piece of feedback inline that I believe will address your other concerns about how the JWS header is handled. If you haven't already, please see my sample commit in the following places for additional illustration:
- Remove
setJwsHeader
: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R68-L136 - Ensure
jwsHeader
is non-null in constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R135 - Call new private
JWK
constructor: jzheaux@7e1847d#diff-953f5c25f37accc56c99cbf372fde82b81359bdd56f85f8bf032226829c9cf36R494
oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
Outdated
Show resolved
Hide resolved
f3a62d8
to
c42d241
Compare
Closes spring-projectsgh-16267 Signed-off-by: Suraj Bhadrike <[email protected]>
517d9a4
to
01edd3b
Compare
- Simplify withKeyPair methods to match withPublicKey convention in NimbusJwtDecoder - Update tests to confirm support of other algorithms - Update constructor to apply additional JWK properties to the default header - Deduce the possibly algorithms for a given key based on curve and key size - Remove algorithm method from EC builder since the algorithm is determined by the Curve of the EC Key Issue spring-projectsgh-16267 Co-Authored-By: Suraj Bhadrike <[email protected]>
01edd3b
to
9410052
Compare
Thanks for your consistent effort on this PR, @surajbh123! It's now be merged into |
No description provided.