A custom JwtTypeValidator that replaces the default can no longer be configured

[burl21]

After upgrading to Spring Boot 4 the behavior of JwkSetUriJwtDecoderBuilderCustomizer has changed. It is no longer possible to disable JWT type header validation . The customizer appears to be ignored, and the resulting JwtDecoder still enforces type validation.

Spring Boot v4.0.0
Jdk v25
Module spring-boot-starter-security-oauth2-resource-server v4.0.0
Properties: spring.security.resourceserver.jwt.issuer-uri: https://identity-stage.aaaa.com

In previous versions Spring Boot 3.5.x the following configuration worked as expected:

public final class CustomDecoderBuilderCustomizer implements JwkSetUriJwtDecoderBuilderCustomizer {
  @Override
  public void customize(NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder) {
    builder.validateType(false);
  }
}

After the upgrade, this customization is not applied, and the decoder continues validating the typ header. This results in rejected tokens that previously worked.

Authentication failed with provider JwtAuthenticationProvider since An error occurred while attempting to decode the Jwt: the given typ value needs to be one of [JWT]

While debugging, I noticed that during the creation of the JwtDecoder bean, four validators are added, including JwtTypeValidator, in OAuth2ResourceServerJwtConfiguration#jwtDecoderByIssuerUri().

In v3.5.7

[wilkinsona]

This property is incorrect:

 spring.security.resourceserver.jwt.issuer-uri

It should be this:

spring.security.oauth2.resourceserver.jwt.issuer-uri

If correcting the property does not help and you would like us to spend some more time investigating, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

[ngocnhan-tran1996]

Spring Security 7.0 is integrated with Spring Boot 4.0

And the changes are mentioned in the “Migrating to 7.0” section.

JwtTypeValidator#jwt is added by all createDefaultXXX methods

Reference
https://docs.spring.io/spring-security/reference/migration/servlet/oauth2.html

[burl21]

@wilkinsona yes it was my mistake when converting to properties, original:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://identity-stage.aaaaa.com

sample

[wilkinsona]

Thanks for the sample.

The customizer appears to be ignored

It isn't ignored. It's called as expected on first use of the decoder. The problem is that it no longer has any effect due to changes in Spring Security 7 that @ngocnhan-tran1996 linked to above (thanks, @ngocnhan-tran1996).

I'm not sure how the Security team now intend for validation to be disabled completely which, I think, is what you were doing previously. Perhaps you could try defining your own JwtTypeValidator bean with the valid types that you need instead? This should then be picked up by Spring Security and used instead of the default JwtTypeValidator that only considers JWT to be a valid type.

[burl21]

Now, if you try to define a JwtTypeValidator bean, Spring Boot ends up configuring two different validators for the JwtEncoder bean through
jwtDecoder.setJwtValidator(getValidators(JwtValidators.createDefaultWithIssuer(issuerUri)));.
The getValidators(...) returns both the default (DelegatingOAuth2TokenValidator) and the custom one. Since the default validator is applied first, the custom validator is ignored.

It seems that the workaround is to define a custom SupplierJwtDecoder bean, although I may be mistaken.

[wilkinsona]

You're right. Unfortunately, the wrapping in an DelegatingOAuth2TokenValidator that occurs prevents the default JwtTypeValidator from being omitted. I think we can improve that in Boot so that a JwtTypeValidator bean will be able to replace the default.