From 5da472f3beab8a8677f9e72fbf3449c2826142f8 Mon Sep 17 00:00:00 2001
From: Tibor Koch
Date: Tue, 20 Apr 2021 09:28:15 +0200
Subject: [PATCH] Fix ClassCastException
Closes gh-9651
---
 .../jwt/JwtDecoderProviderConfigurationUtils.java | 3 ++-
 .../JwtDecoderProviderConfigurationUtilsTests.java | 13 +++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java
index ebe3c60ada..8bfef2f6c1 100644
--- a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java
+++ b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java
@@ -90,7 +90,8 @@ final class JwtDecoderProviderConfigurationUtils {
 List jwks = jwkSource.get(new JWKSelector(jwkMatcher), null);
 for (JWK jwk : jwks) {
 if (jwk.getAlgorithm() != null) {
- jwsAlgorithms.add((JWSAlgorithm) jwk.getAlgorithm());
+ JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(jwk.getAlgorithm().getName());
+ jwsAlgorithms.add(jwsAlgorithm);
 }
 else {
 if (jwk.getKeyType() == KeyType.RSA) {
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtilsTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtilsTests.java
index 31b3c0ace9..e63434b9e2 100644
--- a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtilsTests.java
+++ b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtilsTests.java
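Review bot: `JWSAlgorithm.parse` on the added line returns an algorithm object for any name it is given, so a JWK whose `alg` names something other than a JWS signature algorithm is now added to `jwsAlgorithms` where the old cast would have failed. This set presumably feeds the algorithms the decoder will accept for keys from the JWK Set, so I would keep only recognised signature algorithms, e.g. `if (JWSAlgorithm.Family.SIGNATURE.contains(jwsAlgorithm)) { jwsAlgorithms.add(jwsAlgorithm); }`, or check the parsed value against the family for `jwk.getKeyType()`, which the `else` branch already switches on. The enclosing method starts and ends outside the hunk, so any later filtering of unknown names is not visible here.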
@@ -20,6 +20,7 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.Set;
+import com.nimbusds.jose.Algorithm;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
@@ -32,6 +33,7 @@ import com.nimbusds.jose.util.Base64URL;
 import org.junit.Test;
 import org.springframework.security.oauth2.jose.TestKeys;
+import org.springframework.security.oauth2.jose.jws.JwsAlgorithms;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import static org.assertj.core.api.Assertions.assertThat;
@@ -73,4 +75,15 @@ public class JwtDecoderProviderConfigurationUtilsTests {
 assertThat(algorithms).contains(SignatureAlgorithm.ES256, SignatureAlgorithm.ES384, SignatureAlgorithm.ES512);
 }
+ // gh-9651
+ @Test
+ public void getSignatureAlgorithmsWhenAlgorithmThenParses() throws Exception {
+ JWKSource jwkSource = mock(JWKSource.class);
+ RSAKey key = new RSAKey.Builder(TestKeys.DEFAULT_PUBLIC_KEY).keyUse(KeyUse.SIGNATURE)
+ .algorithm(new Algorithm(JwsAlgorithms.RS256)).build();
+ given(jwkSource.get(any(JWKSelector.class), isNull())).willReturn(Collections.singletonList(key));
+ Set algorithms = JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(jwkSource);
+ assertThat(algorithms).containsOnly(SignatureAlgorithm.RS256);
+ }
+
 }
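Review bot: The added test `getSignatureAlgorithmsWhenAlgorithmThenParses` pins only the case where the generic `Algorithm` carries a valid JWS name; nothing covers an `alg` value that is not a signature algorithm, which `JWSAlgorithm.parse` also accepts. A second case built the same way with a constructed value such as `.algorithm(new Algorithm("RSA-OAEP"))`, asserting on the returned set, would fix the intended behaviour for such keys. A one-line comment above the test, e.g. `// alg supplied as a plain Algorithm rather than a JWSAlgorithm instance`, would also make clear what gh-9651 is guarding; that reading is inferred from the commit title and the removed cast.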