JwtAccessTokenConverter: Unable to create an RSA verifier from verifierKey

A JwtAccessTokenConverter can be configured to use either a MAC key or an RSA key pair for signature generation and verification.

As the message provided in the warning states, you are probably using a MAC key and not an RSA key pair. As a consequence, it probably will not pose a problem, but I am afraid that you cannot get rid of the warning due to the way in which the library is implemented.

As you can see in the source code of JwtAccessTokenConverter, the warning is issued when trying to create an RsaVerifier for signature verification:

SignatureVerifier verifier = new MacSigner(verifierKey);
try {
  verifier = new RsaVerifier(verifierKey);
}
catch (Exception e) {
  logger.warn("Unable to create an RSA verifier from verifierKey (ignoreable if using MAC)");
}

The exception is raised in the RsaVerifier constructor because it is trying to parse the verification key as an RSA public key, when you are probably using a MAC key instead:

public RsaVerifier(String key) {
  this(RsaKeyHelper.parsePublicKey(key.trim()), RsaSigner.DEFAULT_ALGORITHM);
}

Here, RsaKeyHelper will unsuccessfully try to parse the provided key as either an SSH or a PEM key, because it actually is not that type of key.

For MAC keys, the value of this verification key is assumed to be the same as the one provided as the signing key in the argument of the setSigningKey method.

If you are actually working with RSA keys you can use the setVerifierKey or setKeyPair methods to provide the cryptographic RSA material.
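The three configurations the answer above refers to, as an added example (this is not code from the original post or from the Spring Security OAuth project): a MAC-keyed converter, where the warning is expected and harmless because signing and verification share one secret; an RSA converter for the token issuer built from a key pair via setKeyPair; and a verify-only RSA converter for a resource server built from just the PEM public key via setVerifierKey, so the private key never has to leave the issuer. The class name, the keystore file name, its password, the key alias, the shared secret and the PEM body are all placeholders.

```java
import java.security.KeyPair;

import org.springframework.core.io.ClassPathResource;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.KeyStoreKeyFactory;

// Hypothetical factory class; method and placeholder values are assumptions for this example.
public final class JwtConverterFactory {

    private JwtConverterFactory() {
    }

    // MAC configuration (symmetric): the signing key doubles as the verifier key.
    // With this setup afterPropertiesSet() still tries new RsaVerifier(verifierKey),
    // fails to parse the secret as a public key, and logs the warning; signing and
    // verification then proceed with the MacSigner, so the warning can be ignored.
    public static JwtAccessTokenConverter macConverter() throws Exception {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        // Placeholder secret: load it from a secret store or environment in a real deployment.
        converter.setSigningKey("replace-with-a-long-random-secret");
        converter.afterPropertiesSet(); // the container normally calls this for a bean
        return converter;
    }

    // RSA configuration for the authorization server (token issuer).
    // Placeholder keystore name, password and alias; setKeyPair installs both
    // the RsaSigner (private key) and the RsaVerifier (public key), so no warning is logged.
    public static JwtAccessTokenConverter rsaIssuerConverter() throws Exception {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        KeyStoreKeyFactory keyFactory = new KeyStoreKeyFactory(
                new ClassPathResource("jwt.jks"), "keystore-password".toCharArray());
        KeyPair keyPair = keyFactory.getKeyPair("jwt");
        converter.setKeyPair(keyPair);
        converter.afterPropertiesSet();
        return converter;
    }

    // RSA configuration for a resource server that only verifies tokens.
    // It receives the PEM-encoded public key (placeholder body below) and nothing else,
    // so a compromise of the resource server cannot yield the signing key.
    public static JwtAccessTokenConverter rsaVerifierOnlyConverter() throws Exception {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        String publicKeyPem = "-----BEGIN PUBLIC KEY-----\n"
                + "...placeholder base64 SubjectPublicKeyInfo...\n"
                + "-----END PUBLIC KEY-----";
        converter.setVerifierKey(publicKeyPem);
        converter.afterPropertiesSet(); // builds an RsaVerifier from the PEM, no warning
        return converter;
    }
}
```

In a Spring application you would expose exactly one of these as a @Bean and pass it to a JwtTokenStore; the explicit afterPropertiesSet() calls here only mirror what the container does for a bean, which is where the warning in the question is emitted.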
