Spring-security-oauth: Add support for RFC 7516 JWE in spring-security-jwt

Created on 13 Sep 2015 · 7 Comments · Source: spring-projects/spring-security-oauth

It would be nice if spring-security-jwt provided RFC 7516 JSON Web Encryption on top of JWT, à la nimbus-jose-jwt.

All 7 comments

How about writing a Spring wrapper for nimbus-jose-jwt?
Implement a public class NimbusJwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter ... that is parallel to the existing JwtAccessTokenConverter.

Could it be implemented in the spring-security-oauth/spring-security-oauth2 module as an alternative to spring-security-jwt, with the nimbus-jose-jwt (ASF2 license) dependency as optional?
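A sketch of the converter proposed above, added here as an example (it is not code from this issue, from Spring, or from the Nimbus project). It assumes spring-security-oauth2 2.x and nimbus-jose-jwt (with its json-smart dependency) on the classpath; the choice of a 256-bit shared AES key with the `dir`/`A256GCM` JWE algorithms, and the `decode` helper, are assumptions of this example.

```java
import java.text.ParseException;
import java.util.Map;
import javax.crypto.SecretKey;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import net.minidev.json.JSONObject;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

// Hypothetical converter (not Spring's code): the claims spring-security-oauth2 would otherwise
// sign as a JWS are wrapped in an RFC 7516 JWE, so a token seen in transit or in logs reveals
// nothing about roles, rights or internal IDs without the shared key.
public class NimbusJwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter {
    private final AccessTokenConverter delegate = new DefaultAccessTokenConverter();
    private final SecretKey key; // 256-bit AES key shared by issuer and resource server (assumed)

    public NimbusJwtAccessTokenConverter(SecretKey key) { this.key = key; }

    // TokenEnhancer: replace the opaque token value with a compact JWE carrying the claims.
    @Override public OAuth2AccessToken enhance(OAuth2AccessToken token, OAuth2Authentication auth) {
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(token);
        Map<String, ?> claims = delegate.convertAccessToken(token, auth);
        try {
            // "dir" + A256GCM: the shared key is the content-encryption key; GCM also
            // authenticates the ciphertext, so a modified token fails at decrypt time.
            JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A256GCM)
                    .contentType("JWT").build();
            JWEObject jwe = new JWEObject(header, new Payload(new JSONObject(claims)));
            jwe.encrypt(new DirectEncrypter(key));
            result.setValue(jwe.serialize());
        } catch (JOSEException e) { throw new IllegalStateException("Cannot encrypt token", e); }
        return result;
    }

    // Resource-server counterpart: decrypt the compact JWE back into the claims map.
    public Map<String, Object> decode(String tokenValue) {
        try {
            JWEObject jwe = JWEObject.parse(tokenValue);
            jwe.decrypt(new DirectDecrypter(key));
            return jwe.getPayload().toJSONObject();
        } catch (ParseException | JOSEException e) { throw new IllegalArgumentException("Bad token", e); }
    }

    // AccessTokenConverter: the claim mapping itself is unchanged, so delegate to the default.
    @Override public Map<String, ?> convertAccessToken(OAuth2AccessToken t, OAuth2Authentication a) { return delegate.convertAccessToken(t, a); }
    @Override public OAuth2AccessToken extractAccessToken(String v, Map<String, ?> m) { return delegate.extractAccessToken(v, m); }
    @Override public OAuth2Authentication extractAuthentication(Map<String, ?> m) { return delegate.extractAuthentication(m); }
}
```

Because `dir` uses one symmetric key on both sides, any party that can decrypt can also mint tokens; where the resource server must not be able to issue tokens, use an asymmetric JWE algorithm (e.g. RSA-OAEP) so only the authorization server holds the encrypting counterpart of the key the resource server decrypts with.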

I like the idea of wrapping an existing lib, here's another one:
https://bitbucket.org/b_c/jose4j/wiki/Home

On Thu, Oct 8, 2015 at 2:52 PM, George Spalding [email protected] wrote:

> How about writing a spring wrapper for nimbus-jose-jwt?
> Implement a public class NimbusJwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter ... that is parallel to the existing JwtAccessTokenConverter
>
> Could it be hosted in the spring-security-jwt with the nimbus-jose-jwt dependency as optional?


I set up a Sonar instance to do a quick (rather unscientific) static analysis of the two projects.
Looks like Nimbus comes out as the winner there.

Nimbus commit: 97902155b45833ee9d604b0ef0d0c4759b1432db
Jose4J commit: e4ca546a19e775cdde16c98d8e23e793ac76a482

| metric | Nimbus JOSE+JWT 4.3-SNAPSHOT | jose4j 0.4.5-SNAPSHOT |
| --- | --- | --- |
| Lines of code | 8,788 | 9,397 |
| Complexity | 2,226 | 1,902 |
| Comments (%) | 42.5% | 10.1% |
| Duplicated lines (%) | 6.0% | 1.2% |
| Issues | 412 | 489 |
| Coverage | 82.3% | 74.1% |
| Complexity /class | 14.2 | 10.7 |
| Complexity /function | 3.0 | 2.2 |
| Complexity /file | 14.8 | 14.1 |
| Public documented API (%) | 99.7% | 26.6% |
| Public undocumented API | 2 | 580 |
| Package tangle index | 4.9% | 17.8% |
| Package cycles | 3 | 22 |
| Duplicated blocks | 32 | 13 |

Hi, for info: I found an incompatibility at runtime between spring-boot-test in a web environment and Nimbus JOSE, due to the following shared dependency:

```xml
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
```

```
Caused by: java.lang.ClassNotFoundException: net.minidev.json.writer.JsonReaderI
```

It seems Nimbus JOSE uses too old a version (1.3.1) compared to spring-test (2.2.1). Forcing 2.2.1 seems to work fine with JOSE in my case, but it would be nice if the Nimbus team could upgrade this dependency.

It would be nice to get this so that OAuth2 via Spring can be used in a safer manner in scenarios with high security requirements. It is generally not a bad idea to hide token content from attackers, especially when there is a lot of content in (almost or fully) self-contained tokens, which without encryption leaks information about functional areas, roles, rights, internal entity IDs, etc.

Hi, is this feature in any backlog now? We are going to use Nimbus to customize the JWT converter, as we really need JWE working.

We are not adding any new features to this project as it's in maintenance mode. Our efforts are focused on building out the new OAuth support in Spring Security 5.x. JWE support will be added to Spring Security 5.x.
