We’re creating an OIDC conformant API, sending in JWT Access Tokens. We’re using the Spring Security quickstart as a starting point.
It looks like the Spring Security quickstart does some JWT token validation, but it does not validate the RS256 signature of the token via the cert. You can get the quickstart up and running without pointing it at the RS256 cert. Is there a quick way to get the quickstart to do RS256 cert validation before allowing a request into the API? I believe previous quickstarts had a way to provide the RS256 cert via properties. We’re not seeing that on the latest quickstart.
(follow-up to @jmangelo answer)
We seem to be getting different results than you. We are using the quickstart you referenced, and we are providing the issuer property. We see the following:
No token: request is blocked as expected
Valid token: request is allowed as expected
Token with 1 character of the signature deleted: request is blocked as expected
Token with 1 character of the signiture **CHANGED**: request is allowed - UNEXPECTED
You mention the library CAN perform a call to
https://[our_account].auth0.com/.well-known/jwks.json. We’re not seeing any requests for this resource using the baseline quickstart. Is there anything we need to do to make the Spring library perform this extra request? I see the node quickstart has some extra setup to configure the RS256 secret, but Spring just requires the Issuer and API Audience. Maybe the baseline quickstart won’t do the cert validation by default as it’s currently documented?
We used a different local proxy and with that proxy we do see requests to
https://[our_account].auth0.com/.well-known/jwks.json. That made us dig a little further. It looks like if you CHANGE the LAST CHARACTER of the JWT signature, then the request is allowed in. But if you change other characters it seems to not like the signature.
Could the last character be containing padding (or similar) which is deemed less critical during validation? Looks like the JWT signature is 99% validated. We were just changing a character that doesn’t matter during our validation testing?