By: Maxim Samoussenko user 05 Feb 2019 at 2:11 a.m. CST

1 Response
Maxim Samoussenko gravatar
The token verification keys that are available at `/oxauth/restv1/jwks` endpoint contain both `"use": "sig"` and `"use": "enc"`. Spring Security does not support `enc` and fails the entire JWKS file thus becoming incompatible with `Gluu`. Details [here](https://github.com/spring-projects/spring-security-oauth/issues/1470). While Spring Security team is not prioritizing the issue, is it possible to fix it on Gluu side by removing `enc` keys from JWKS? At the moment we have to work with patched version of `spring-security-oauth2` which will have difficulties passing any security audit. Thanks.

By Michael Schwartz staff 09 Feb 2019 at 11:37 p.m. CST

Michael Schwartz gravatar
Probably not.The Spring OpenID module has sucked for a long time. my suggestion is to use the oxd middleware server. See https://oxd.gluu.org