Wrong truststore used for JWT verification

Hello,

we recently encountered an issue when connecting with a Keycloak on a dev stage which was using a self-signed certificate.
Even though we added the certificate to our truststore and set the according system properties (“javax.net.ssl.truststore” + password) to the proper location, the JWT decoder that was used did not find the matching certificate, as it was most probably using a different truststore.

How we recognized the issue:
At first we just had failing requests with error code 500 without any exception in the logs. After some debugging we found the following error message as the cause:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Based on our investigations we saw that the truststore we provided was not taken into account at all here. Somehow we got pointed towards the need to configure a RestTemplate in a way that it is forced to use a certain truststore, but just setting up a bean for it was not enough.
We now found a workaround which includes setting up a custom jwtDecoder and it works fine; however, I would like to know if this issue already occurred in another project and how it was fixed there?

Best regards,
Philipp

Hi Philipp,

we encountered a similar issue: The default JWT decoder provided by Spring security does not respect the proxy settings of the JVM.
Our solution was to overwrite the JwtDecoder and supply our own RestTemplate.

In my opinion this should be fixed by spring security.

Regards

hey @philipp-mild-glyph,
did you succeed in fixing your issue with the hint provided? If it’s still valid, please let us know!

Hi @nico-round-kernel,
thanks for the reminder. The problem was more or less already solved, when I asked the question. I just wanted to make sure that we used the correct workaround and didn’t miss any better solution that already existed.
We have the same solution in place as @alexander-async-gorge proposed.

Thanks and best regards,
Philipp