AutoConfigure RSAKey, JwtEncoder and JwtDecoder #40138

Closed
hannah23280 opened this issue Mar 31, 2024 · 5 comments
Labels
status: declined A suggestion or change that we don't feel we should currently apply

Comments

@hannah23280

Hi,
In the context of Spring Security, is it possible for Spring Boot to auto-configure beans for RSAKey (default to RSA, 2048), JwtEncoder (default to using RSAKey) and JwtDecoder (default to using RSAKey)?
This can really help to save time for the developer, instead of the developer having to write these beans again and again. Any overriding of the default configuration can be done via configuration files.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 31, 2024
@philwebb
Member

philwebb commented Apr 4, 2024

Can you provide some more details of what you're looking for? We do already have some code in OAuth2ResourceServerJwtConfiguration which creates a JwtDecoder.

Perhaps you can provide a sample application with the type of configuration you usually create.

@philwebb philwebb added the for: team-meeting An issue we'd like to discuss as a team to make progress label Apr 4, 2024
@hannah23280
Author

Hi,

I wanted to create a simple application that verifies the login credentials submitted via a typical form and then generates a JWT token for the browser. So the JWT token will be sent to the backend for every page navigation. No OAuth2 server is involved.

In that case, I have to manually write my own JwtDecoder and JwtEncoder. That is why I raised this issue, in the hope that a JwtDecoder and JwtEncoder bean can be auto-created for us during application boot up.

From the source code of OAuth2ResourceServerJwtConfiguration, it seems that Spring Boot is able to automatically create a JwtDecoder bean for us. But sadly no JwtEncoder bean.

@philwebb
Member

philwebb commented May 6, 2024

@hannah23280,

We're discussing this again today and we wondered if you could provide a sample application that shows how you are currently configuring your beans. We want to make sure that we understand the use-case and that it will be broadly applicable.

@philwebb philwebb added the status: waiting-for-feedback We need additional information before we can continue label May 6, 2024
@hannah23280
Author

Hi,
I don't have a sample application with me currently, but I have made personal notes on the manual way of creating the JwtEncoder. Something as shown below:

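Generate RSA Key Pair

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.context.annotation.Bean;

@Bean
RSAKey rsaKey() throws NoSuchAlgorithmException {
    // Generate the key pair via the JDK API.
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(2048);
    KeyPair keyPair = generator.generateKeyPair();

    // Then create an instance of RSAKey using the above key pair.
    return new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
            .privateKey(keyPair.getPrivate())
            .keyID(UUID.randomUUID().toString())
            .build();
}
```

Create JwtEncoder

```java
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

@Bean
JwtEncoder jwtEncoder(RSAKey rsaKey) {
    return new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(rsaKey)));
}
```

Generate token

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.web.bind.annotation.PostMapping;

@PostMapping
public String generateToken(Authentication auth, JwtEncoder jwtEncoder) {
    Instant now = Instant.now();
    JwtClaimsSet claims = JwtClaimsSet.builder()
            .issuedAt(now)
            .expiresAt(now.plus(1, ChronoUnit.HOURS))
            .subject(auth.getName())
            .build();

    // JwtEncoderParameters is a holder of parameters containing the JWS headers and JWT Claims Set.
    return jwtEncoder.encode(JwtEncoderParameters.from(claims)).getTokenValue();
}
```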

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels May 7, 2024
@philwebb
Member

philwebb commented May 8, 2024

Thanks for the additional information. I'm not sure this pattern is generally applicable and something that will suit every application. As such, I don't think we'll be able to provide any auto-configuration ourselves for this.

If you're finding this pattern common in your own applications you could extract the code to your own auto-configuration module to make it easier to apply.

Thanks anyway for the suggestion.

@philwebb philwebb closed this as not planned May 8, 2024
@philwebb philwebb added status: declined A suggestion or change that we don't feel we should currently apply and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided for: team-meeting An issue we'd like to discuss as a team to make progress labels May 8, 2024
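
The "own auto-configuration module" suggested in the thread could look like the sketch below. This is an added example, not code from the issue or from Spring Boot: the class name `LocalJwtAutoConfiguration` is hypothetical, and it assumes Spring Boot 2.7 or later with `spring-security-oauth2-jose` on the classpath. Every bean backs off when the application defines its own.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.util.UUID;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

// List this class in META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports
@AutoConfiguration
@ConditionalOnClass({ RSAKey.class, JwtEncoder.class })
public class LocalJwtAutoConfiguration { // hypothetical name
    // The key is generated in memory at startup: tokens stop verifying after a
    // restart and are not accepted by other instances. Supply your own RSAKey bean to persist it.
    @Bean
    @ConditionalOnMissingBean
    RSAKey rsaKey() throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        return new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .privateKey(keyPair.getPrivate())
                .keyID(UUID.randomUUID().toString())
                .build();
    }

    @Bean
    @ConditionalOnMissingBean
    JwtEncoder jwtEncoder(RSAKey rsaKey) {
        return new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(rsaKey)));
    }

    // The decoder receives only the public half, so verification never touches the private key.
    @Bean
    @ConditionalOnMissingBean
    JwtDecoder jwtDecoder(RSAKey rsaKey) throws JOSEException {
        return NimbusJwtDecoder.withPublicKey(rsaKey.toRSAPublicKey()).build();
    }
}
```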