
OAuth2AuthorizationServerJwtAutoConfiguration uses @ConditionalOnClass incorrectly #45177


Closed
wilkinsona opened this issue Apr 14, 2025 · 1 comment
Comments

@wilkinsona
Member

```java
// Bean method in OAuth2AuthorizationServerJwtAutoConfiguration: the condition is on the
// method, but the return type already names JwtDecoder, so the enclosing class must be
// loadable (and JwtDecoder resolvable) before the condition can even be evaluated.
@Bean
@ConditionalOnClass(JwtDecoder.class)
@ConditionalOnMissingBean
JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
```

This may break if JwtDecoder is not on the classpath as OAuth2AuthorizationServerJwtAutoConfiguration will still be loaded but it will declare a method whose signature refers to a class that does not exist.

```java
// Bean method in the same auto-configuration: the signature refers to Nimbus JOSE types
// (JWKSource, SecurityContext), but nothing checks that they are on the classpath.
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@ConditionalOnMissingBean
JWKSource<SecurityContext> jwkSource() {
	RSAKey rsaKey = getRsaKey();
	JWKSet jwkSet = new JWKSet(rsaKey);
	return new ImmutableJWKSet<>(jwkSet);
}
```

There's no check here for com.nimbusds.jose.jwk.source.JWKSource or com.nimbusds.jose.proc.SecurityContext being on the classpath and the class only checks for org.springframework.security.oauth2.server.authorization.OAuth2Authorization.

It could be that the presence of OAuth2Authorization implies that the other classes must be present, or it may be that we need to introduce some inner-classes.

@wilkinsona wilkinsona added the type: bug A general bug label Apr 14, 2025
@wilkinsona wilkinsona added this to the 3.3.x milestone Apr 14, 2025
@wilkinsona wilkinsona self-assigned this Apr 14, 2025
@wilkinsona
Member Author

The existing tests seem to imply that the conditions for the JwtDecoder bean should be separate to those of the auto-configuration as a whole so an inner-class is needed for the jwtDecoder bean definition.
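The nested-class arrangement described in the comment above, written out as an added illustration rather than Spring Boot's actual fix: the class-level `@ConditionalOnClass` on the static inner class is evaluated from class metadata, so the class whose method signature names `JwtDecoder` is never loaded when that type is absent. The inner-class name `JwtDecoderConfiguration` and the `getRsaKey()` body (a 2048-bit key generated with Nimbus's `RSAKeyGenerator`) are assumptions, not taken from the project.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.beans.factory.config.BeanDefinition;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Role;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;

// Top-level condition unchanged: only OAuth2Authorization is checked here.
@AutoConfiguration
@ConditionalOnClass(OAuth2Authorization.class)
public class OAuth2AuthorizationServerJwtAutoConfiguration {

	@Bean
	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
	@ConditionalOnMissingBean
	JWKSource<SecurityContext> jwkSource() throws JOSEException {
		// Assumed helper body: an ephemeral RSA signing key (illustration only).
		RSAKey rsaKey = new RSAKeyGenerator(2048).keyID("illustrative-key").generate();
		return new ImmutableJWKSet<>(new JWKSet(rsaKey));
	}

	// The JwtDecoder condition lives on its own nested configuration class. Spring Boot
	// reads this class-level @ConditionalOnClass from bytecode metadata and skips the
	// class entirely when JwtDecoder is missing, so the JVM never has to resolve the
	// JwtDecoder return type below and the outer auto-configuration still loads cleanly.
	@Configuration(proxyBeanMethods = false)
	@ConditionalOnClass(JwtDecoder.class)
	static class JwtDecoderConfiguration {

		@Bean
		@ConditionalOnMissingBean
		JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
			return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
		}

	}

}
```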
