Support for JWT signing/encryption in spring-security-oauth2?


I'm implementing an OAuth2 Authorization Server using spring-security-oauth2. The server is configured to issue JWTs, which works fine so far.

Now I would like to sign the tokens. There are a lot of code and examples available that verify tokens and signatures on the client side.

My question: Does spring-security provide an API to create such tokens in an easy and accessible way?

Details: If I understand the specs correctly, the Authorization Server may issue JWTs like this:

Header:
{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "id_of_key"
}
Payload:
{
    "exp": 1541868374,
    "user_name": "[email protected]",
    "jti": "d6a501bf-ebce-4011-9e18-a77f3303c34b",
    "client_id": "my_very_cool_app",
    "scope": [
        "email"
    ]
}

and some HTTP endpoint, e.g. /.well-known/jwks.json

{
    "keys": [
        {
            "kty": "RSA",
            "e": "AQAB",
            "use": "sig",
            "kid": "id_of_key",
            "n": "public key"
        }
    ]
}

Please note the kid attribute.

While it's easy to sign tokens by calling JwtAccessTokenConverter.setKeyPair(KeyPair) during setup, I do not find any support to publish the keys.

In JwtAccessTokenConverter.encode(OAuth2AccessToken, OAuth2Authentication) there's a call to org.springframework.security.jwt.JwtHelper.encode(CharSequence, Signer).

I could copy the JwtAccessTokenConverter and migrate that call to JwtHelper.encode(CharSequence, Signer, Map<String, String>), providing the kid manually, but this solution sounds a little bit... uncomfortable.

Any advice is kindly appreciated.
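One way to get both the kid header and a matching JWKS endpoint without copying the whole converter, as an added example (not spring-security-oauth2's own API): it overrides the protected encode(...) to call the JwtHelper.encode(CharSequence, Signer, Map) overload mentioned above, and uses the Nimbus JOSE+JWT JWKSet class for the endpoint; the class names KidJwtAccessTokenConverter and JwkSetController, and the assumption that spring-security-jwt and Nimbus are on the classpath, are mine.

```java
// Added example, not spring-security-oauth2 code. Assumes spring-security-jwt and Nimbus JOSE+JWT on the classpath.
import java.security.KeyPair;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.Map;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.*;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.RsaSigner;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

/** Signs with RS256 and adds the "kid" header so clients can pick the matching JWK. */
public class KidJwtAccessTokenConverter extends JwtAccessTokenConverter {
    private final RsaSigner signer;
    private final Map<String, String> headers;   // only "kid"; JwtHelper sets alg and typ itself
    private final ObjectMapper mapper = new ObjectMapper();

    public KidJwtAccessTokenConverter(KeyPair keyPair, String kid) {
        super.setKeyPair(keyPair);               // keeps the parent able to verify its own tokens
        this.signer = new RsaSigner((RSAPrivateKey) keyPair.getPrivate());
        this.headers = Collections.singletonMap("kid", kid);
    }

    @Override
    protected String encode(OAuth2AccessToken token, OAuth2Authentication auth) {
        try {
            String claims = mapper.writeValueAsString(getAccessTokenConverter().convertAccessToken(token, auth));
            return JwtHelper.encode(claims, signer, headers).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }
}

/** Publishes only the public half of the same key pair at the conventional JWKS location. */
@RestController
class JwkSetController {
    private final JWKSet jwkSet;

    JwkSetController(KeyPair keyPair, String kid) {   // same pair and kid as the converter
        RSAKey jwk = new RSAKey.Builder((RSAPublicKey) keyPair.getPublic())
                .keyUse(KeyUse.SIGNATURE).algorithm(JWSAlgorithm.RS256).keyID(kid).build();
        this.jwkSet = new JWKSet(jwk);
    }

    @GetMapping("/.well-known/jwks.json")
    public Map<String, Object> keys() {
        return jwkSet.toJSONObject();            // no-arg toJSONObject() emits public parameters only
    }
}
```

Register the converter as the JwtAccessTokenConverter bean and construct both classes from the same KeyPair and kid; rotating keys then means publishing the old and new JWK side by side until tokens signed with the old kid have expired.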
