diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java
index 635e0a177d7..f8e0d3b8ae2 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java
@@ -18,6 +18,8 @@ import java.util.Map;
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.util.Assert;
@@ -111,7 +113,16 @@ private static JwtDecoder withProviderConfiguration(Map configur
 OAuth2TokenValidator jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
 String jwkSetUri = configuration.get("jwks_uri").toString();
 NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
- .jwtProcessorCustomizer(JwtDecoderProviderConfigurationUtils::addJWSAlgorithms).build();
+ .jwtProcessorCustomizer(customizer -> {
+ customizer.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(
+ new JOSEObjectType("jwt"), // for compatibility
+ new JOSEObjectType("application/at+jwt"), // according to RFC-9068
+ new JOSEObjectType("at+jwt"), // according to RFC-9068
+ null
+ ));
+ JwtDecoderProviderConfigurationUtils.addJWSAlgorithms(customizer);
+ })
+ .build();
 jwtDecoder.setJwtValidator(jwtValidator);
 return jwtDecoder;
 }
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java
index 4d13ce52ab2..1cc9c377579 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java
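Review bot: The `typ` allow-list built inside the `jwtProcessorCustomizer` lambda is hard-coded in `withProviderConfiguration`, whose opening lines precede the hunk, so decoders built directly through `NimbusJwtDecoder.withJwkSetUri` keep Nimbus's default type verifier (which, as far as I recall, admits only `JWT` or a missing `typ`) and would still reject RFC 9068 `at+jwt` access tokens; consider lifting it into a documented `private static final JOSEObjectTypeVerifier<SecurityContext> JWT_TYPE_VERIFIER` next to `addJWSAlgorithms` in `JwtDecoderProviderConfigurationUtils` and reducing the lambda to `customizer.setJWSTypeVerifier(JWT_TYPE_VERIFIER);`. The trailing `null` argument is what keeps tokens without a `typ` header accepted, as before; it deserves its own comment, e.g. `null // no typ header: kept for issuers that omit it`, so it is not mistaken for a stray argument. Whether `new JOSEObjectType("jwt")` also matches the conventional upper-case `JWT` depends on `JOSEObjectType` comparing case-insensitively; please confirm against the Nimbus version in use or add a decoder test with `typ: JWT` alongside one with `typ: at+jwt`. The `// according to RFC-9068` comments would read better as `// RFC 9068 access-token type`.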
@@ -16,10 +16,6 @@ package org.springframework.security.oauth2.jwt;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
 import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
@@ -50,10 +46,9 @@ private JwtValidators() {
 * supplied
 */
 public static OAuth2TokenValidator createDefaultWithIssuer(String issuer) {
- List> validators = new ArrayList<>();
- validators.add(new JwtTimestampValidator());
- validators.add(new JwtIssuerValidator(issuer));
- return new DelegatingOAuth2TokenValidator<>(validators);
+ JwtTimestampValidator jwtTimestampValidator = new JwtTimestampValidator();
+ JwtIssuerValidator jwtIssuerValidator = new JwtIssuerValidator(issuer);
+ return new DelegatingOAuth2TokenValidator<>(jwtTimestampValidator, jwtIssuerValidator);
 }
 /**
@@ -69,7 +64,7 @@ public static OAuth2TokenValidator createDefaultWithIssuer(String issuer) {
 * supplied
 */
 public static OAuth2TokenValidator createDefault() {
- return new DelegatingOAuth2TokenValidator<>(Arrays.asList(new JwtTimestampValidator()));
+ return new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator());
 }
 }
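Review bot: In `createDefaultWithIssuer` the two new locals `jwtTimestampValidator` and `jwtIssuerValidator` are each used exactly once and add nothing a reader needs, while the sibling `createDefault` hunk in this file inlines its validator; for consistency the body can be the single line `return new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator(), new JwtIssuerValidator(issuer));`. Both hunks now rely on the varargs constructor of `DelegatingOAuth2TokenValidator` with a generic element type; if that constructor is not annotated `@SafeVarargs`, each call site will emit an unchecked generic-array-creation warning under `-Xlint`, so the constructor declaration (outside this diff) is worth checking before merging.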