How-to: Override default algorithm used to sign Jwt

[sapradhan]

Expected Behavior
One should be able to choose Signature Algorithm used to sign access tokens.

Current Behavior
No configuration parameter exists in TokenSettings to choose signature algo for access token. It is hard coded as RS256 while generating Jwt.

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/token/JwtGenerator.java

Lines 93 to 102 in aed93f3

	JwsAlgorithm jwsAlgorithm = SignatureAlgorithm.RS256;
	if (OidcParameterNames.ID_TOKEN.equals(context.getTokenType().getValue())) {
	// TODO Allow configuration for ID Token time-to-live
	expiresAt = issuedAt.plus(30, ChronoUnit.MINUTES);
	if (registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm() != null) {
	jwsAlgorithm = registeredClient.getTokenSettings().getIdTokenSignatureAlgorithm();
	}
	} else {
	expiresAt = issuedAt.plus(registeredClient.getTokenSettings().getAccessTokenTimeToLive());
	}

Context
Because of this, cannot choose another algorithm like HSxxx or EDxxx for access tokens.
TokenSettings does allow to configuring signing algo for Id Token using idTokenSignatureAlgorithm(SignatureAlgorithm idTokenSignatureAlgorithm) method in the Builder.

[jgrandja]

@sapradhan

One should be able to choose Signature Algorithm used to sign access tokens.

Not all access tokens are signed. This only applies to OAuth2TokenFormat.SELF_CONTAINED access tokens, e.g. Jwt.

However, some clients may be configured for opaque tokens (OAuth2TokenFormat.REFERENCE), and therefore the proposed TokenSettings.accessTokenSignatureAlgorithm would be redundant. Furthermore, there are no specifications that define a default algorithm for access tokens so I'm reluctant on adding this enhancement since there is no standard defined.

Because of this, cannot choose another algorithm like HSxxx or EDxxx for access tokens.

You can override the default algorithm by configuring an OAuth2TokenCustomizer @Bean:

@Bean
OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
	return context -> {
		if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			context.getJwsHeader().algorithm(MacAlgorithm.HS512);
		}
	};
}

This should work for your configuration.

[sapradhan]

@jgrandja Thank you for the explanation, with that I am in agreement with your view on not having JWT specific setting on access token settings in general.

I also tried out your suggestion and it works for my use case. However this was not obvious to me, as a specific algorithm setting is exists for idToken. Should we have a how-to for this use case somewhere? (please let me know if one exists already)

[jgrandja]

@sapradhan

Should we have a how-to for this use case somewhere?

Yes, this question will come up again so we'll document it in the reference. I changed the subject of the issue.

I'll close the associated PR and we'll address this soon in the reference manual.

[TelmaCorreia]

👋 @jgrandja I also want to use ES256 but the solution proposed above is not working for me. I did some debugging and I noticed that RS256 is also hardcoded here and then jwt encoding is always using RS256.

Am I missing something?

[sapradhan]

@TelmaCorreia if you follow the discussion above, this is by design. Access token does not have to be a JWT and thus it does not make sense to put a JWT signing algorithm in access token setting. Did you try setting up a token customizer and change algorithm to your preference -

@Bean
OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
	return context -> {
		if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			context.getJwsHeader().algorithm(SignatureAlgorithm.ES256);
		}
	};
}

You may also have to setup a EC256 compatible JWKSource