Issue
Is it possible the changes the token form JWT token to OAuth2 token.
Sample code from Daily Code BUffer href="https://github.com/shabbirdwd53/spring-security-tutorial/blob/main/Oauth-authorization-server/src/main/java/com/dailycodebuffer/oauthserver/config/AuthorizationServerConfig.java" rel="nofollow noreferrer">https://github.com/shabbirdwd53/spring-security-tutorial/blob/main/Oauth-authorization-server/src/main/java/com/dailycodebuffer/oauthserver/config/AuthorizationServerConfig.java
@Bean
public JWKSource<SecurityContext> jwkSource() {
RSAKey rsaKey = generateRsa();
JWKSet jwkSet = new JWKSet(rsaKey);
return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}
private static RSAKey generateRsa() {
KeyPair keyPair = generateRsaKey();
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
}
private static KeyPair generateRsaKey() {
KeyPair keyPair;
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
keyPair = keyPairGenerator.generateKeyPair();
} catch (Exception ex) {
throw new IllegalStateException(ex);
}
return keyPair;
}
/oauth2/token endpoint
{
"access_token": "eyJraWQiOiI3MzA5MmI1Yy00MDc0LTRkZjktOTdhNS1kMzA3N2E4NDNhYzciLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJjbGllbnQiLCJhdWQiOiJjbGllbnQiLCJuYmYiOjE2NjY2NzgyNTYsInNjb3BlIjpbInJlYWQiXSwiaXNzIjoiaHR0cDpcL1wvbG9jYWxob3N0OjgwMDAiLCJleHAiOjE2NjY2NzkxNTYsImlhdCI6MTY2NjY3ODI1Nn0.QJOMrp2unqLP-nGYo5lnlg1Q3_XXR2XZBTQqt3C9tkhiVs4I2dDjaWze1LrnjEnP2hfb89XqpT1k1AjR_ApsOx5H8PcqqZ0Eaq89ICX6bu3LFo2HApYlV5kRQTD3HQq0uiA_hn9TTdvBJhM5Kz9_0rPQVzBpNqWGnkWzGvbukRPgnBYLNi6lVwOG3mZxkP8aNiOn5Z5PMo9pll6idQLadJtFQ7fKTjG8mFqh1BtLwpmH4U60dzaieafCXwczywKq0xVzk9asB9c0-gw_BbeK4Vns3tp8AzCCyH4rRwy6ssVblUlycyss7scpY9s2ibUZ6N3xg97nowp9Ygqjv_bccw",
"scope": "read",
"token_type": "Bearer",
"expires_in": 899
}
Solution
Oauth(2) standard makes no assumption on the token format. Authorization-server can use absolutely what he wants to.
If authorization-server issues JWT tokens, then other OAuth2 actors can decode and validate tokens with no more than authorization-server public key.
Other token formats, are considered "opaque" and must be submitted to various authorization-server endpoints for validation, user details, etc.
Answered By - ch4mp
Answer Checked By - David Goodson (JavaFixing Volunteer)