Document JWK property

Closes gh-10022
This commit is contained in:
Madhura Bhave 2017-08-29 12:51:14 -07:00
parent 8d7d044bef
commit 64ffcfc83f
3 changed files with 16 additions and 4 deletions

@ -29,7 +29,6 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.autoconfigure.condition.NoneNestedConditions; import org.springframework.boot.autoconfigure.condition.NoneNestedConditions;
import org.springframework.boot.autoconfigure.condition.SpringBootCondition; import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2RestOperationsConfiguration.OAuth2ClientIdCondition;
import org.springframework.boot.bind.RelaxedPropertyResolver; import org.springframework.boot.bind.RelaxedPropertyResolver;
import org.springframework.boot.context.properties.ConfigurationProperties; import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.web.servlet.FilterRegistrationBean; import org.springframework.boot.web.servlet.FilterRegistrationBean;
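Review bot: the only change in this hunk is dropping the now-unused `OAuth2ClientIdCondition` import (the `-29,7 +29,6` header confirms a single removed line), which is an unrelated cleanup in a commit titled "Document JWK property"; either mention the import removal in the commit message or move it to its own commit so the change stays easy to bisect.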

@ -473,6 +473,7 @@ content into your application; rather pick only the properties that you need.
security.oauth2.resource.id= # Identifier of the resource. security.oauth2.resource.id= # Identifier of the resource.
security.oauth2.resource.jwt.key-uri= # The URI of the JWT token. Can be set if the value is not available and the key is public. security.oauth2.resource.jwt.key-uri= # The URI of the JWT token. Can be set if the value is not available and the key is public.
security.oauth2.resource.jwt.key-value= # The verification key of the JWT token. Can either be a symmetric secret or PEM-encoded RSA public key. security.oauth2.resource.jwt.key-value= # The verification key of the JWT token. Can either be a symmetric secret or PEM-encoded RSA public key.
security.oauth2.resource.jwk.key-set-uri= # The URI for getting the set of keys that can be used to validate the token.
security.oauth2.resource.prefer-token-info=true # Use the token info, can be set to false to use the user info. security.oauth2.resource.prefer-token-info=true # Use the token info, can be set to false to use the user info.
security.oauth2.resource.service-id=resource # security.oauth2.resource.service-id=resource #
security.oauth2.resource.token-info-uri= # URI of the token decoding endpoint. security.oauth2.resource.token-info-uri= # URI of the token decoding endpoint.
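Review bot: the new description of `security.oauth2.resource.jwk.key-set-uri` should state its two constraints that the reference-guide hunk in this same commit spells out, namely that it must not be combined with `security.oauth2.resource.jwt.key-uri` / `security.oauth2.resource.jwt.key-value` (the guide says doing so "will cause an error") and that the endpoint must be reachable at startup; the properties appendix is where most users look first, so a wording such as "The URI for getting the set of keys (JWKs) that can be used to validate the JWT. Cannot be used together with security.oauth2.resource.jwt.*" would avoid surprising startup failures.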

@ -2582,7 +2582,7 @@ to decode tokens, so there is nothing else to do. If your app is a standalone se
need to give it some more configuration, one of the following options: need to give it some more configuration, one of the following options:
* `security.oauth2.resource.user-info-uri` to use the `/me` resource (e.g. * `security.oauth2.resource.user-info-uri` to use the `/me` resource (e.g.
`\https://uaa.run.pivotal.io/userinfo` on PWS) `\https://uaa.run.pivotal.io/userinfo` on Pivotal Web Services (PWS))
* `security.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g. * `security.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g.
`\https://uaa.run.pivotal.io/check_token` on PWS). `\https://uaa.run.pivotal.io/check_token` on PWS).
@ -2603,8 +2603,20 @@ URI where it can be downloaded (as a JSON object with a "`value`" field) with
{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"} {"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
---- ----
WARNING: If you use the `security.oauth2.resource.jwt.key-uri` the authorization server Additionally, if your authorization server has an endpoint that returns a set of JSON Web Keys(JWKs),
needs to be running when your application starts up. It will log a warning if it can't you can configure `security.oauth2.resource.jwk.key-set-uri`. E.g. on PWS:
[indent=0]
----
$ curl https://uaa.run.pivotal.io/token_keys
{"keys":[{"kid":"key-1","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"]}
----
NOTE: Configuring both JWT and JWK properties will cause an error. Only one of `security.oauth2.resource.jwt.key-uri`
(or `security.oauth2.resource.jwt.key-value`) and `security.oauth2.resource.jwk.key-set-uri` should be configured.
WARNING: If you use the `security.oauth2.resource.jwt.key-uri` or `security.oauth2.resource.jwk.key-set-uri,
` the authorization server needs to be running when your application starts up. It will log a warning if it can't
find the key, and tell you what to do to fix it. find the key, and tell you what to do to fix it.
OAuth2 resources are protected by a filter chain with order OAuth2 resources are protected by a filter chain with order
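Review bot: the sample `token_keys` response in the new listing is not valid JSON: `{"keys":[{"kid":"key-1","alg":"RS256","value":"...\n"]}` closes the array before the key object is closed, so it should end `...\n"}]}`; readers copy these samples into tests, so the example ought to parse. In the reworded WARNING the closing backtick has slipped onto the next line (`security.oauth2.resource.jwk.key-set-uri,` followed by `` ` the authorization server``), which renders the comma inside the monospace span and leaves a stray backtick; write it as `` `security.oauth2.resource.jwk.key-set-uri`, the authorization server `` on one line. Minor: "JSON Web Keys(JWKs)" is missing the space before the parenthesis.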