This version is still under development and is not yet considered stable. For the latest stable version, use Spring Security 6.4.5!

OAuth 2.0 Changes

Validate the typ Header with JwtTypeValidator

In Spring Security 7, NimbusJwtDecoder moves validation of the typ header out of Nimbus and into JwtTypeValidator. This brings typ checking in line with how claims are already handled: they are validated by NimbusJwtDecoder's own OAuth2TokenValidator chain rather than inside Nimbus.

If you currently change Nimbus's default type verification through the jwtProcessorCustomizer method, you will need to move that configuration to JwtTypeValidator or to your own OAuth2TokenValidator implementation.

To check whether you are prepared for this change, add the default JwtTypeValidator to your list of validators, since it will be included by default in 7:

  • Java

  • Kotlin

// Java
@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        new JwtIssuerValidator(location), JwtTypeValidator.jwt())); (2)
    return jwtDecoder;
}

// Kotlin
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        JwtIssuerValidator(location), JwtTypeValidator.jwt())) (2)
    return jwtDecoder
}
1- Switch off Nimbus's own typ verification (this will be off by default in 7)
2- Add the default typ validator to the validator chain (this will be included by default in 7)

Note that the default validator accepts a typ value of JWT or a token with no typ header at all, which is the same as the Nimbus default. It is also aligned with RFC 7515, which states that typ is optional.

I’m Using A DefaultJOSEObjectTypeVerifier

If you have something like the following in your configuration:

  • Java

  • Kotlin

// Java
@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .jwtProcessorCustomizer((c) -> c
            .setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>("JOSE"))
        )
        .build();
    return jwtDecoder;
}

// Kotlin
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .jwtProcessorCustomizer {
            it.setJWSTypeVerifier(DefaultJOSEObjectTypeVerifier("JOSE"))
        }
        .build()
    return jwtDecoder
}

Then change it to the following, which switches off the Nimbus verifier and expresses the same allowed type in a JwtTypeValidator:

  • Java

  • Kotlin

// Java
@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false)
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        new JwtIssuerValidator(location), new JwtTypeValidator("JOSE")));
    return jwtDecoder;
}

// Kotlin
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false)
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        JwtIssuerValidator(location), JwtTypeValidator("JOSE")))
    return jwtDecoder
}

To indicate that the typ header is optional, call setAllowEmpty(true) on the JwtTypeValidator (this is the equivalent of including null in the list of allowed types passed to DefaultJOSEObjectTypeVerifier).
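The following is an added, stand-alone illustration of the typ policy described above; it is not code from the Spring Security reference. It drives JwtTypeValidator directly with Jwt objects built through Jwt.Builder, which is what NimbusJwtDecoder hands to its validators once the signature has been verified, so no issuer endpoint or network is involved. It assumes the Spring Security 7 API named on this page (JwtTypeValidator.jwt(), new JwtTypeValidator("JOSE"), setAllowEmpty(true) and JwtValidators.createDefaultWithValidators); the issuer URL, subject, token value and the class name JwtTypeValidatorDemo are made up for the demonstration.

```java
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTypeValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;

/**
 * Added example (not part of the Spring Security reference): exercises the
 * typ policies discussed above against hand-built Jwt instances.
 */
public class JwtTypeValidatorDemo {

    // Assumed issuer value; only has to match the JwtIssuerValidator below.
    private static final String ISSUER = "https://issuer.example.com";

    /**
     * Build an already-verified Jwt the way NimbusJwtDecoder passes one to its
     * validators. A null typ leaves the header out entirely. No exp/nbf claims
     * are set, so the default JwtTimestampValidator has nothing to reject.
     */
    static Jwt jwtWithTyp(String typ) {
        Jwt.Builder builder = Jwt.withTokenValue("constructed-test-token") // not a real token
                .header("alg", "RS256")
                .claim("iss", ISSUER)
                .claim("sub", "alice");
        if (typ != null) {
            builder.header("typ", typ);
        }
        return builder.build();
    }

    /** Run one validator and print any OAuth2Error descriptions it produced. */
    static boolean accepts(OAuth2TokenValidator<Jwt> validator, Jwt jwt) {
        OAuth2TokenValidatorResult result = validator.validate(jwt);
        result.getErrors().forEach(
                error -> System.out.println("    rejected: " + error.getDescription()));
        return !result.hasErrors();
    }

    public static void main(String[] args) {
        // 1. The Spring Security 7 default chain from the migration snippet:
        //    timestamp + issuer + typ, where typ must be "JWT" or absent.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithValidators(
                new JwtIssuerValidator(ISSUER), JwtTypeValidator.jwt());
        System.out.println("default, typ=JWT    -> " + accepts(defaults, jwtWithTyp("JWT")));
        System.out.println("default, typ absent -> " + accepts(defaults, jwtWithTyp(null)));
        System.out.println("default, typ=JOSE   -> " + accepts(defaults, jwtWithTyp("JOSE")));

        // 2. Replacement for DefaultJOSEObjectTypeVerifier<>("JOSE"): only "JOSE"
        //    is allowed, and a missing header is an error.
        JwtTypeValidator joseOnly = new JwtTypeValidator("JOSE");
        System.out.println("JOSE only, typ=JOSE   -> " + accepts(joseOnly, jwtWithTyp("JOSE")));
        System.out.println("JOSE only, typ absent -> " + accepts(joseOnly, jwtWithTyp(null)));
        System.out.println("JOSE only, typ=JWT    -> " + accepts(joseOnly, jwtWithTyp("JWT")));

        // 3. Equivalent of listing null among the allowed JOSEObjectTypes:
        //    the header becomes optional, but the allowed set is still only "JOSE".
        JwtTypeValidator joseOrEmpty = new JwtTypeValidator("JOSE");
        joseOrEmpty.setAllowEmpty(true);
        System.out.println("JOSE or empty, typ absent -> " + accepts(joseOrEmpty, jwtWithTyp(null)));
        System.out.println("JOSE or empty, typ=JWT    -> " + accepts(joseOrEmpty, jwtWithTyp("JWT")));
    }
}
```

Run it on the classpath of a Spring Security 7 application or test (spring-security-oauth2-jose). Per the text above, the default chain should accept the JWT-typed and the typ-less token and reject JOSE; the JOSE-only validator should accept only JOSE until setAllowEmpty(true) also admits a missing header, and a JWT-typed token stays rejected by it because JWT is not in its allowed list. Printing the error descriptions shows what a rejection looks like at the validator level, which is what a JwtDecoder turns into a JwtValidationException.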

I want to opt-out

If you want to keep doing things the way you are, the steps are similar, just in reverse:

  • Java

  • Kotlin

// Java
@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(true) (1)
        .jwtProcessorCustomizer((c) -> c
            .setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>("JOSE"))
        )
        .build();
    jwtDecoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
        new JwtTimestampValidator(), new JwtIssuerValidator(location))); (2)
    return jwtDecoder;
}

// Kotlin
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(true) (1)
        .jwtProcessorCustomizer {
            it.setJWSTypeVerifier(DefaultJOSEObjectTypeVerifier("JOSE"))
        }
        .build()
    jwtDecoder.setJwtValidator(DelegatingOAuth2TokenValidator(
        JwtTimestampValidator(), JwtIssuerValidator(location))) (2)
    return jwtDecoder
}
1- Leave Nimbus type verification on (it will be off by default in 7, so set it explicitly)
2- Specify the list of validators you need yourself, excluding JwtTypeValidator, rather than relying on createDefaultWithValidators, which would add it

For additional guidance, see the JwtDecoder Validators section in the reference documentation.