{ "id": "security/oauth2-jwt-issuer-mismatch", "signature": "OAuth2 JWT token issuer mismatch: token was issued by a different identity provider", "signature_zh": "OAuth2 JWT令牌颁发者不匹配:令牌由不同的身份提供者颁发", "regex": "issuer mismatch|iss claim|token.*iss.*not match|invalid issuer", "domain": "security", "category": "auth_error", "subcategory": null, "root_cause": "The JWT token's 'iss' (issuer) claim does not match the expected issuer configured in the relying party, often due to using a token from a different OAuth2 provider or misconfigured issuer URL.", "root_cause_type": "generic", "root_cause_zh": "JWT令牌的'iss'(颁发者)声明与依赖方配置的预期颁发者不匹配,通常由于使用了来自不同OAuth2提供者的令牌或颁发者URL配置错误。", "versions": [ { "version": "Spring Security 6.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Keycloak 22.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "Auth0 Java JWT 4.4", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "OAuth2 2.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Developers often set the issuer to the full URL with trailing slash mismatch (e.g., 'https://example.com/auth' vs 'https://example.com/auth/'), causing strict validation to fail.", "fail_rate": 0.45, "condition": "", "sources": [] }, { "action": "", "why_fails": "Disabling issuer validation entirely is a common but dangerous workaround that opens the system to token substitution attacks.", "fail_rate": 0.3, "condition": "", "sources": [] }, { "action": "", "why_fails": "Some try to use the 'aud' claim instead of 'iss' for validation, but this addresses a different security concern and doesn't fix the issuer mismatch.", "fail_rate": 0.25, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Ensure the issuer URL in the token matches exactly the expected issuer string (including protocol, host, path, and trailing slash). For Spring Security, configure: `spring.security.oauth2.resourceserver.jwt.issuer-uri=https://example.com/auth/realms/myrealm`", "success_rate": 0.85, "how": "Ensure the issuer URL in the token matches exactly the expected issuer string (including protocol, host, path, and trailing slash). For Spring Security, configure: `spring.security.oauth2.resourceserver.jwt.issuer-uri=https://example.com/auth/realms/myrealm`", "condition": "", "sources": [] }, { "action": "If using multiple identity providers, implement a custom JWT authentication converter that validates against a list of trusted issuers. Example: `JwtAuthenticationConverter` with a custom `JwtDecoder` that checks `iss` against a set.", "success_rate": 0.8, "how": "If using multiple identity providers, implement a custom JWT authentication converter that validates against a list of trusted issuers. Example: `JwtAuthenticationConverter` with a custom `JwtDecoder` that checks `iss` against a set.", "condition": "", "sources": [] } ], "workarounds_zh": [ "Ensure the issuer URL in the token matches exactly the expected issuer string (including protocol, host, path, and trailing slash). For Spring Security, configure: `spring.security.oauth2.resourceserver.jwt.issuer-uri=https://example.com/auth/realms/myrealm`", "If using multiple identity providers, implement a custom JWT authentication converter that validates against a list of trusted issuers. Example: `JwtAuthenticationConverter` with a custom `JwtDecoder` that checks `iss` against a set." ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-issuer-validation", "official_doc_section": null, "error_code": "A4002", "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.82, "resolvable": "true", "first_seen": "2023-08-15", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }