
Add possibility to customize JwkSource of NimbusJwtDecoder #17046


Open. Wants to merge 1 commit into base: main

Conversation

marbon87
Contributor

@marbon87 marbon87 commented May 6, 2025

We want to increase the cache TTL of the NimbusJwtDecoder, or rather of the underlying JWKSource. Furthermore we want to use the refresh-ahead caching of JWKSource.

The com.nimbusds.jose.jwk.source.JWKSourceBuilder provides a lot of features to customize how JWKs are cached / updated etc., but currently there is no way to customize it.
The implemented possibility to customize the used JWKSourceBuilder in NimbusJwtDecoder allows using all features from JWKSourceBuilder.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 6, 2025
@marbon87 marbon87 force-pushed the main branch 3 times, most recently from 554e2cc to d3f0b27 Compare May 6, 2025 12:31
Signed-off-by: Mark Bonnekessel <2949525+marbon87@users.noreply.github.com>
@jzheaux
Contributor

jzheaux commented May 7, 2025

Thanks for the PR, @marbon87! I'm curious if it would be easier to construct your own JWKSource instance?

If so, this PR instead might add something similar to NimbusReactiveJwtDecoder#withJwkSource.

@jzheaux jzheaux self-assigned this May 7, 2025
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels May 7, 2025
@marbon87
Contributor Author

marbon87 commented May 8, 2025

Hi @jzheaux, thanks for your feedback!

If I understand the current implementation correctly, adding a separate builder-creation method like NimbusReactiveJwtDecoder#withJwkSource would mean that the jwkSetUri must be specified explicitly / constructed manually. I prefer configuring the issuer-uri and letting Spring query the jwkSetUri by calling the well-known-config endpoint.

Furthermore I cannot use SpringJWKSource because it's private, nor can I customize it because it's final.

Overall I have to write a lot more code as a user of spring-security if I want to increase the timeouts.

@jzheaux
Contributor

jzheaux commented May 9, 2025

Possibly, though I wonder if it is as much as you are thinking (perhaps it's also more than I'm thinking). SpringJWKSource allows you to use RestOperations and Spring Cache instances. However, you are wanting to use Nimbus's caching. Because of that, I imagine you'll be satisfied with working with JWKSourceBuilder directly.

As for the URI, I think that Nimbus has an API that's quite adept at this:

// resolve the issuer's well-known metadata; jwks_uri is exposed as a java.net.URI
AuthorizationServerMetadata metadata = AuthorizationServerMetadata
    .resolve(new Issuer("https://example.org/issuer"));
URI jwkSetUri = metadata.getJWKSetURI();
// ...

It seems to me that this would result in the following:

import java.net.URL;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.oauth2.sdk.id.Issuer;
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Bean
JwtDecoder jwtDecoder(String issuer) throws Exception {
    // resolve jwks_uri from the issuer's well-known metadata instead of hard-coding it
    AuthorizationServerMetadata metadata = AuthorizationServerMetadata
        .resolve(new Issuer(issuer));
    URL jwkSetUrl = metadata.getJWKSetURI().toURL();
    JWKSource<SecurityContext> source = JWKSourceBuilder.<SecurityContext>create(jwkSetUrl)
        // your caching settings
        .build();
    // withJwkSource(JWKSource) is the API this thread proposes adding to NimbusJwtDecoder
    return NimbusJwtDecoder.withJwkSource(source)
        // your decoding settings
        .build();
}

Alternatively, Spring Cache is also quite adept at timeouts and other caching functions if you are open to working with that instead.

What complexities am I failing to consider?
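The following is an added example, not code from the PR, from either commenter, or from Spring Security itself. It shows what the PR description asks for (a longer JWK cache TTL plus Nimbus refresh-ahead caching) wired into a NimbusJwtDecoder using only APIs that exist today: the JWK Set endpoint is discovered from the issuer's well-known metadata, the JWKSource is built with JWKSourceBuilder, and the decoder is created through NimbusJwtDecoder's public JWTProcessor constructor rather than the withJwkSource method the thread proposes. The issuer URL, the cache durations and the configuration class name are placeholders chosen for illustration.

```java
import java.net.URL;
import java.time.Duration;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.oauth2.sdk.id.Issuer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Hypothetical configuration class; not part of Spring Security or this PR.
@Configuration
public class CustomJwkCacheConfig {

    // Placeholder issuer; replace with the real authorization server's issuer.
    private static final String ISSUER = "https://issuer.example/placeholder";

    @Bean
    JwtDecoder jwtDecoder() throws Exception {
        // 1. Discover jwks_uri from the issuer's well-known metadata so the
        //    JWK Set URL does not have to be configured by hand.
        AuthorizationServerMetadata metadata =
                AuthorizationServerMetadata.resolve(new Issuer(ISSUER));
        URL jwkSetUrl = metadata.getJWKSetURI().toURL();

        // 2. Nimbus-side caching. Durations are illustrative:
        //    - cache: keep a fetched JWK Set for 1h; a refresh that takes longer
        //      than 15s is abandoned for that attempt
        //    - refreshAheadCache: re-fetch in a background thread 5 minutes before
        //      expiry so requests never wait on the network
        //    - rateLimited: at most one fetch per 30s, which bounds the load an
        //      attacker can push onto the JWK endpoint by sending unknown "kid"s
        //    - retrying: one retry on a failed fetch
        //    - outageTolerant: keep serving the last good set for up to 2h if the
        //      endpoint is down (note: a key rotated out during that window is
        //      still accepted until the cache can be refreshed)
        JWKSource<SecurityContext> jwkSource = JWKSourceBuilder.<SecurityContext>create(jwkSetUrl)
                .cache(Duration.ofHours(1).toMillis(), Duration.ofSeconds(15).toMillis())
                .refreshAheadCache(Duration.ofMinutes(5).toMillis(), true)
                .rateLimited(Duration.ofSeconds(30).toMillis())
                .retrying(true)
                .outageTolerant(Duration.ofHours(2).toMillis())
                .build();

        // 3. Pin the accepted signature algorithm so a token cannot select a
        //    weaker "alg" than the one the server is expected to use.
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwkSource));
        // Leave exp/iss checks to Spring's OAuth2TokenValidator below, which is
        // what NimbusJwtDecoder's own builders do with the Nimbus claims verifier.
        processor.setJWTClaimsSetVerifier((claims, context) -> { });

        // 4. Hand the fully configured processor to NimbusJwtDecoder.
        NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor);
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

The trade-off to keep in mind is step 2: every second added to the TTL or the outage window is a second during which a key the authorization server has already rotated out is still trusted by this resource server, so the values should be aligned with the server's rotation policy, and the refresh-ahead interval must stay shorter than the TTL (JWKSourceBuilder rejects the reverse). Step 3 is what SpringJWKSource-based builders also do by default; it is worth keeping when bypassing them, because the key selector is the only place the accepted algorithm set is enforced.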
