ReactiveJwksSignature being created twice for EachBean when security-oauth2 dependency added - leading to double JWKS calls #1775

Closed
turneand opened this issue Aug 22, 2024 · 0 comments · Fixed by #1789

Expected Behavior

A JWKS file should only be loaded once.

Actual Behaviour

We're currently observing up to two calls per request when provided with a bearer token.
The calls not being cached is already covered under #1734, but this ticket specifically relates to multiple calls being made per request when micronaut-security-oauth2 is added as a dependency.

Steps To Reproduce

  1. Create a new standalone project
  2. Add micronaut-security-oauth2 as a dependency
  3. Create a properties file with the property:

         micronaut.security.token.jwt.signatures.jwks.auth0.url=http://localhost:8080/jwks.json

  4. Create a simple test object like:

         @MicronautTest
         class MyTest {
           // code equivalent to that in NimbusReactiveJsonWebTokenSignatureValidator
           @Inject List<ReactiveSignatureConfiguration<SignedJWT>> signatures;

           @Test
           void test() {
             assertEquals(1, signatures.size());
           }
         }

This test will fail as there are two instances present. Although a contrived example, this is exactly what is happening in NimbusReactiveJsonWebTokenSignatureValidator and leading to our live code doing multiple calls.

I believe the issue is with JwksUriSignatureFactory.java, which has:

@EachBean(JwksSignatureConfiguration.class)
public ReactiveJwksSignature createJwksUriSignature

BUT ReactiveJwksSignature.java already has an @EachBean on it, resulting in multiple definitions.

Environment Information

No response

Example Application

(see code example above, if not sufficient can provide a sample app)

Version

4.5.1

@sdelamo sdelamo self-assigned this Sep 6, 2024
sdelamo added a commit that referenced this issue Sep 6, 2024
@sdelamo sdelamo linked a pull request Sep 6, 2024 that will close this issue
@sdelamo sdelamo closed this as completed in 7a7c4da Sep 9, 2024
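
A diagnostic variant of the test in the report, added here as an example (it is not code from the issue or from the Micronaut project): instead of only counting the injected list, it asks the context for every bean registration and prints which bean definition and declaring type produced each one, so a duplicate can be traced to its source. The test class name and the import package for ReactiveSignatureConfiguration are assumptions, and it assumes the single jwks.auth0 property from the reproduction steps is the only signature configured.

```java
import io.micronaut.context.ApplicationContext;
import io.micronaut.context.BeanRegistration;
import io.micronaut.inject.BeanDefinition;
// Assumed package for the type named in the issue.
import io.micronaut.security.token.jwt.signature.ReactiveSignatureConfiguration;
import io.micronaut.test.extensions.junit5.annotation.MicronautTest;
import jakarta.inject.Inject;
import org.junit.jupiter.api.Test;

import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import static org.junit.jupiter.api.Assertions.assertTrue;

@MicronautTest
class DuplicateJwksSignatureTest { // hypothetical test name

    @Inject
    ApplicationContext context;

    @Test
    @SuppressWarnings("rawtypes")
    void eachSignatureTypeIsRegisteredOnce() {
        // Every bean the context registers for the signature configuration type.
        Collection<BeanRegistration<ReactiveSignatureConfiguration>> registrations =
                context.getBeanRegistrations(ReactiveSignatureConfiguration.class);

        // Group by concrete bean type and record where each definition came from.
        Map<String, List<String>> origins = registrations.stream().collect(Collectors.groupingBy(
                r -> r.getBeanDefinition().getBeanType().getName(),
                Collectors.mapping(r -> describe(r.getBeanDefinition()), Collectors.toList())));

        // Print the origin of every registration before asserting, so a failure is traceable.
        origins.forEach((type, defs) -> System.out.println(type + " <- " + defs));

        // With one configured JWKS entry, each concrete type should appear once.
        origins.forEach((type, defs) -> assertTrue(defs.size() <= 1,
                () -> type + " is registered " + defs.size() + " times: " + defs));
    }

    private static String describe(BeanDefinition<?> definition) {
        // The declaring type is printed to distinguish a factory-produced bean from others.
        return definition.getName() + " declared by "
                + definition.getDeclaringType().map(Class::getName).orElse("(none)");
    }
}
```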