Allow at+jwt, according to RFC-9068

ymajoros2 · ymajoros2 · commit c15b299e51d0 · 2023-07-04T20:51:45.000+02:00
Closes 13185
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java
@@ -18,6 +18,8 @@
 
 import java.util.Map;
 
+import com.nimbusds.jose.JOSEObjectType;
+import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 import org.springframework.util.Assert;
 
@@ -111,7 +113,16 @@ private static JwtDecoder withProviderConfiguration(Map<String, Object> configur
 		OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
 		String jwkSetUri = configuration.get("jwks_uri").toString();
 		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
-				.jwtProcessorCustomizer(JwtDecoderProviderConfigurationUtils::addJWSAlgorithms).build();
+				.jwtProcessorCustomizer(customizer -> {
+					customizer.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(
+							new JOSEObjectType("jwt"), // for compatibility
+							new JOSEObjectType("application/at+jwt"), // according to RFC-9068
+							new JOSEObjectType("at+jwt"), // according to RFC-9068
+							null
+					));
+					JwtDecoderProviderConfigurationUtils.addJWSAlgorithms(customizer);
+				})
+				.build();
 		jwtDecoder.setJwtValidator(jwtValidator);
 		return jwtDecoder;
 	}
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtValidators.java
@@ -16,10 +16,6 @@
 
 package org.springframework.security.oauth2.jwt;
 
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-
 import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
 
@@ -50,10 +46,9 @@ private JwtValidators() {
 	 * supplied
 	 */
 	public static OAuth2TokenValidator<Jwt> createDefaultWithIssuer(String issuer) {
-		List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
-		validators.add(new JwtTimestampValidator());
-		validators.add(new JwtIssuerValidator(issuer));
-		return new DelegatingOAuth2TokenValidator<>(validators);
+		JwtTimestampValidator jwtTimestampValidator = new JwtTimestampValidator();
+		JwtIssuerValidator jwtIssuerValidator = new JwtIssuerValidator(issuer);
+		return new DelegatingOAuth2TokenValidator<>(jwtTimestampValidator, jwtIssuerValidator);
 	}
 
 	/**
@@ -69,7 +64,7 @@ public static OAuth2TokenValidator<Jwt> createDefaultWithIssuer(String issuer) {
 	 * supplied
 	 */
 	public static OAuth2TokenValidator<Jwt> createDefault() {
-		return new DelegatingOAuth2TokenValidator<>(Arrays.asList(new JwtTimestampValidator()));
+		return new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator());
 	}
 
 }
