Spring Cloud Services (SCS) broker fails to start when JWT Issuer URI is reconfigured with Tanzu Application Service (TAS) UAA

Article ID: 297103

Products

Support Only for Spring

Issue/Introduction

The Spring Cloud Services (SCS) 3.x broker on the Tanzu Application Service (TAS) platform fails to start when the UAA JWT Issuer URI is set to any value other than the default.

Resolution

Currently, the Spring Cloud Services (SCS) 3.x broker recognizes https://uaa.<SYSTEM_DOMAIN>/oauth/token as a valid JWT Issuer URI, and this value is not configurable in SCS.

On the TAS tile, however, the URI can be changed from its default value at TAS > UAA > JWT Issuer URI.

In this case, the SCS broker fails to start because of a JWT issuer URI verification failure. The error is shown below and is observed in the SCS broker logs:

"The Issuer "***" provided in the configuration did not match the requested issuer "https://uaa.******/oauth/token" 
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'securityWebFilterChain' defined in class path resource [io/pivotal/spring/cloud/servicebroker/BrokerSecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.web.server.SecurityWebFilterChain]: Factory method 'securityWebFilterChain' threw exception; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'jwtDecoderByIssuerUri' defined in class path resource [org/springframework/boot/autoconfigure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration$JwtConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.jwt.ReactiveJwtDecoder]: Factory method 'jwtDecoderByIssuerUri' threw exception; nested exception is java.lang.IllegalStateException: The Issuer "https://login.******/oauth/token" provided in the configuration did not match the requested issuer "https://uaa.******/oauth/token"
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:655) ~[spring-beans-5.2.11.RELEASE.jar!/:5.2.11.RELEASE]
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:635) ~[spring-beans-5.2.11.RELEASE.jar!/:5.2.11.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1336) ~[spring-beans-5.2.11.RELEASE.jar!/:5.2.11.RELEASE]


Until this issue is fixed in future SCS releases, it is recommended to keep using the default JWT Issuer URI value.
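
The following pre-flight check is an added example, not code from SCS, TAS or Spring. It reproduces the comparison behind the error above so a mismatch can be caught before the broker is restarted. It assumes the broker compares the "issuer" field of UAA's OpenID discovery document (typically served under /.well-known/openid-configuration) to its expected URI by exact string equality; the function names and the sys.example.com documents are constructed for illustration.

```python
import json
from urllib.parse import urlsplit


def expected_issuer(system_domain):
    # The issuer URI the SCS 3.x broker accepts, per the article.
    return f"https://uaa.{system_domain}/oauth/token"


def check_issuer(discovery_json, system_domain):
    """Return (ok, reason) for one discovery document (hypothetical helper)."""
    requested = expected_issuer(system_domain)
    try:
        metadata = json.loads(discovery_json)
    except json.JSONDecodeError as exc:
        return False, f"discovery document is not valid JSON: {exc.msg}"
    advertised = metadata.get("issuer") if isinstance(metadata, dict) else None
    if not isinstance(advertised, str):
        return False, "discovery document has no 'issuer' string"
    if advertised == requested:
        return True, "issuer matches the SCS default"
    # Assumed exact string comparison, so report which URI part differs.
    got, want = urlsplit(advertised), urlsplit(requested)
    if got.scheme != want.scheme:
        part = f"scheme {got.scheme!r} != {want.scheme!r}"
    elif got.netloc != want.netloc:
        part = f"host {got.netloc!r} != {want.netloc!r}"
    else:
        part = "path, query or fragment differs"
    return False, f"issuer {advertised!r} != {requested!r} ({part})"


# Constructed sample documents (not taken from a real foundation).
DEFAULT_DOC = json.dumps({"issuer": "https://uaa.sys.example.com/oauth/token"})
CHANGED_DOC = json.dumps({"issuer": "https://login.sys.example.com/oauth/token"})
SLASH_DOC = json.dumps({"issuer": "https://uaa.sys.example.com/oauth/token/"})

if __name__ == "__main__":
    for doc in (DEFAULT_DOC, CHANGED_DOC, SLASH_DOC):
        print(check_issuer(doc, "sys.example.com"))
```

A trailing slash alone is reported as a mismatch, because under the exact-equality assumption it would fail in the same way as a changed host.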