JWT decode issue in Spring Boot

In my Spring Boot (2.7.3) application, I used Auth0/Spring Security to protect our backend APIs, but we encountered an exception like this when deploying into our staging environment.

2022-09-01 11:29:33.096 DEBUG 1 --- [or-http-epoll-1] o.s.s.w.s.a.AuthenticationWebFilter      : 
Authentication failed: An error occurred while attempting to decode the Jwt: class 
com.nimbusds.jose.JWEHeader cannot be cast to class com.nimbusds.jose.JWSHeader 
(com.nimbusds.jose.JWEHeader and com.nimbusds.jose.JWSHeader are in unnamed module of 
loader org.springframework.boot.loader.LaunchedURLClassLoader @43da41e)

This caused the JWT decoding to fail. I'm not sure what is wrong in my config. I have used Auth0/Spring before but never encountered this issue.

I just configured an issuerUri in the Spring Security resource server to discover the OAuth/OIDC config; I need to use other config in Auth0, e.g. jwsUris, publicKeyUri, etc.

Finally, we found the frontend developer did not set up the Auth0 audience.

But why does Auth0 return a wrongly generated JWT token, rather than giving the developer a notice that the audience is missing?

Hi @hantsy,

Yes, what you have observed is called an opaque token. This happens when the Auth0 audience is omitted from the authorization request. The token is still valid but is not considered a JWT token.

To generate a JWT token, you must specify the audience query parameter in the authorization request.

The telltale sign that the access token is not a JWT is when the audience is omitted, and you can’t decode it on jwt.io. Instead, it only works against the `/userinfo` endpoint.

Thanks,
Rueben
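A small diagnostic for the situation Rueben describes, added here as an example and not code from the thread or from Auth0: it classifies an access token by its compact-serialization shape (JWS, JWE or opaque) and, for a JWS, checks the `aud` claim against the API identifier the resource server expects. The sample tokens are constructed for the example; their signature and ciphertext segments are placeholders, and nothing here verifies a signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JOSE segments are unpadded base64url; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def classify_token(token: str) -> dict:
    """Describe the token's form: "JWS" (signed JWT a resource server can
    verify), "JWE" (encrypted JOSE object, five segments and an "enc" header,
    the shape Nimbus parses into a JWEHeader) or "opaque" (anything else)."""
    parts = token.split(".")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or not JSON at all
        return {"kind": "opaque", "parts": len(parts), "header": None}
    if not isinstance(header, dict) or "alg" not in header:
        return {"kind": "opaque", "parts": len(parts), "header": None}
    if len(parts) == 5 and "enc" in header:
        kind = "JWE"
    elif len(parts) == 3 and "enc" not in header:
        kind = "JWS"
    else:
        kind = "opaque"
    return {"kind": kind, "parts": len(parts), "header": header}


def check_for_resource_server(token: str, expected_audience: str) -> str:
    """Explain why a JWT-based resource server would reject the token.
    Claims are only inspected, not verified; use this as a diagnostic."""
    info = classify_token(token)
    if info["kind"] != "JWS":
        return (f"{info['kind']} token ({info['parts']} segments): a JWT decoder "
                "cannot verify this; request the token with the API audience set")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        return f"JWS token but aud {aud} does not include {expected_audience}"
    return "JWS token with the expected audience"


def _segment(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens (not real Auth0 output); non-JSON segments are placeholders.
SAMPLE_JWS = ".".join([_segment({"alg": "RS256", "typ": "JWT", "kid": "k1"}),
                       _segment({"iss": "https://example.auth0.com/",
                                 "aud": ["https://api.example.com"]}), "sig"])
SAMPLE_JWE = ".".join([_segment({"alg": "dir", "enc": "A256GCM"}), "", "iv", "ct", "tag"])
SAMPLE_OPAQUE = "fz7rKq3Xp9Lm2wVt"
```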
