Decoded JWT Token results in invalid content in newer versions
Issue #504
resolved
We use Spring Security for OAuth2 login using Keycloak. Until Spring Security 5.7.5, the JWT token validation worked perfectly.
As per this GitHub Issue, it looks like Nimbus-JOSE-JWT changed its JSON parser library from json-smart to GSON in a patch/minor version of the library. This results in a different handling/parsing of JSON, namely content is now stored as a LinkedTreeMap instead of a JSONObject.
This change in the behavior should at least be documented.
Comments (1)
The change occurred in version 9.24 (2022-08-16), see change log:
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/44437a689f3fbc4198417cfcc94f345f5abd772e/CHANGELOG.txt#lines-1445
Client code should always rely on the Java interface / API used to represent the JSON objects (java.util.Map) and not on the underlying implementation (HashMap vs LinkedTreeMap).
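An added example of the advice in the comment above; it is not code from the issue or from the Nimbus project. It reads a nested claim only through java.util.Map and java.util.List and returns no roles when the shape is unexpected. The class name RealmRoles, the helper realmRoles and the sample claims are hypothetical, the realm_access.roles layout is assumed to be the one Keycloak issues, and nimbus-jose-jwt is assumed to be on the classpath.

```java
import com.nimbusds.jwt.JWTClaimsSet;

import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class RealmRoles {

    // Reads realm_access.roles through the java.util interfaces only, so the
    // result is the same whether the parser hands back a JSONObject, HashMap
    // or LinkedTreeMap. Any unexpected shape yields no roles (fail closed).
    static List<String> realmRoles(JWTClaimsSet claims) {
        Object realmAccess = claims.getClaim("realm_access");
        if (!(realmAccess instanceof Map)) {
            return Collections.emptyList();
        }
        Object roles = ((Map<?, ?>) realmAccess).get("roles");
        if (!(roles instanceof List)) {
            return Collections.emptyList();
        }
        List<String> result = new ArrayList<>();
        for (Object role : (List<?>) roles) {
            if (role instanceof String) {   // ignore non-string entries
                result.add((String) role);
            }
        }
        return Collections.unmodifiableList(result);
    }

    public static void main(String[] args) throws ParseException {
        // Constructed sample claims set, not taken from a real token.
        String json = "{\"sub\":\"user-1\",\"realm_access\":{\"roles\":[\"admin\",\"viewer\",42]}}";
        JWTClaimsSet claims = JWTClaimsSet.parse(json);

        System.out.println(realmRoles(claims));

        // The fragile pattern: a cast to a concrete class such as
        //   (net.minidev.json.JSONObject) claims.getClaim("realm_access")
        // compiles, but throws ClassCastException once the parser changes.
        Object raw = claims.getClaim("realm_access");
        System.out.println(raw.getClass().getName() + " is a Map: " + (raw instanceof Map));
    }
}
```

Because the roles feed authorization decisions, treating an unexpected claim shape as "no roles" keeps a parser change from turning into either a runtime failure or an unintended grant.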