Revert "NIFI-15211 Replaced deprecated setSigningKeyResolver in JwtParserBuilder for NiFi Registry (#10521)"

exceptionfactory · exceptionfactory · commit 40b8e7548b63 · 2025-11-13T08:13:25.000-06:00
This reverts commit 06edc1f. Signed-off-by: David Handermann <exceptionfactory@apache.org>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java
@@ -23,6 +23,7 @@
 import io.jsonwebtoken.JwtException;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.SigningKeyResolverAdapter;
 import io.jsonwebtoken.UnsupportedJwtException;
 import io.jsonwebtoken.security.Keys;
 import io.jsonwebtoken.security.MacAlgorithm;
@@ -100,18 +101,21 @@ public Set<String> getUserGroupsFromToken(final Jws<Claims> jws) throws JwtExcep
 
     private Jws<Claims> parseTokenFromBase64EncodedString(final String base64EncodedToken) throws JwtException {
         try {
-            return Jwts.parser().keyLocator(header -> {
-                if (header instanceof JwsHeader) {
-                    final String keyId = (String) header.get(KEY_ID_CLAIM);
+            return Jwts.parser().setSigningKeyResolver(new SigningKeyResolverAdapter() {
+                @Override
+                public byte[] resolveSigningKeyBytes(JwsHeader header, Claims claims) {
+                    final String identity = claims.getSubject();
+
+                    // Get the key based on the key id in the claims
+                    final String keyId = claims.get(KEY_ID_CLAIM, String.class);
                     final Key key = keyService.getKey(keyId);
 
                     // Ensure we were able to find a key that was previously issued by this key service for this user
                     if (key == null || key.getKey() == null) {
-                        throw new UnsupportedJwtException("Unable to determine signing key for kid: " + keyId);
+                        throw new UnsupportedJwtException("Unable to determine signing key for " + identity + " [kid: " + keyId + "]");
                     }
-                    return Keys.hmacShaKeyFor(key.getKey().getBytes(StandardCharsets.UTF_8));
-                } else {
-                    throw new UnsupportedJwtException("JWE is not currently supported");
+
+                    return key.getKey().getBytes(StandardCharsets.UTF_8);
                 }
             }).build().parseSignedClaims(base64EncodedToken);
         } catch (final MalformedJwtException | UnsupportedJwtException | SignatureException | ExpiredJwtException | IllegalArgumentException e) {
