auto-configuration for spring-security-oauth2-resource-server by oidc issuer location #14190
return new NimbusJwtDecoderJwkSupport( | ||
this.properties.getJwt().getJwk().getSetUri()); | ||
} | ||
|
||
@Bean | ||
@ConditionalOnProperty(name = "spring.security.oauth2.resource.jwt.jwk.oidc-issuer-location") |
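Review bot: the `@ConditionalOnProperty` on the last line checks only that the issuer-location property is present, and nothing in this hunk says what happens when the JWK set URI read by the decoder just above (`getJwk().getSetUri()`) is configured as well. Both settings decide where the token verification keys come from, so make the choice explicit: either give one property precedence in the condition or fail at startup when both are set.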
The property should not use the `jwk` group as this configuration isn't related to it. The property should be more like: `spring.security.oauth2.resource.jwt.oidc-issuer-location`
Yeah, it's my mistake; I've fixed it.
.withClassLoader(new FilteredClassLoader(JwtAuthenticationToken.class)) | ||
.run((context) -> assertThat(getBearerTokenFilter(context)).isNull()); | ||
} | ||
|
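Review bot: the test ending in this hunk only asserts that the bearer token filter is absent when `JwtAuthenticationToken` is filtered off the classpath; it does not exercise the new issuer-location property. Unless another test in the change already covers it, add one that sets both the JWK set URI and the issuer location and asserts which decoder is created, so the precedence cannot change silently.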
The other option is to fail hard if both are specified.
From my point of view the second option will be better, but now `jwk-set-uri` wins. I have added a test for checking it.
I think that jwk-set-uri should win because it is more specific.
Agreed that `jwk-set-uri` is more specific and should take precedence because of that.
OK, now `jwk-set-uri` has precedence.
… into auto-configuration-for-spring-security-oauth2-resource-server-by-oidc-issuer-location # Conflicts: # spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java # spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java # spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -44,4 +47,12 @@ public JwtDecoder jwtDecoder() { | |||
return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri()); | |||
} | |||
|
|||
@Bean | |||
@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.oidc-issuer-location") |
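Review bot: `@ConditionalOnProperty` with only `name` set, as on the last line, matches any value other than `false`, an empty string included, and it never looks at `jwk-set-uri`, so this bean still qualifies when the URI that `jwtDecoder()` above reads is configured too. Suggest a condition that requires a non-empty `oidc-issuer-location` and an absent `jwk-set-uri`, so the key source used for token validation is unambiguous.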
I think we should make it explicit that `jwk-set-uri` should take precedence by adding a custom condition that checks that `spring.security.oauth2.resourceserver.jwt.oidc-issuer-location` is present and `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` is not present.
OK, I'll add a custom condition.
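The custom condition proposed in the comments above could look like the following. This is an added example, not the `OidcIssuerLocationCondition` from this pull request: the class name `IssuerLocationOnlyCondition` is hypothetical, the two property names are the ones quoted in the thread, and it assumes Spring Boot's autoconfigure module is on the classpath.

```java
import org.springframework.boot.autoconfigure.condition.ConditionMessage;
import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
import org.springframework.context.annotation.ConditionContext;
import org.springframework.core.env.Environment;
import org.springframework.core.type.AnnotatedTypeMetadata;
import org.springframework.util.StringUtils;

// Hypothetical class name; illustrates the rule discussed in the review:
// match only when oidc-issuer-location is set and jwk-set-uri is not.
class IssuerLocationOnlyCondition extends SpringBootCondition {

	private static final String PREFIX = "spring.security.oauth2.resourceserver.jwt.";

	@Override
	public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {
		ConditionMessage.Builder message = ConditionMessage.forCondition("OIDC issuer location");
		Environment environment = context.getEnvironment();
		String issuerLocation = environment.getProperty(PREFIX + "oidc-issuer-location");
		String jwkSetUri = environment.getProperty(PREFIX + "jwk-set-uri");

		// A blank value is treated as "not configured" so that an empty
		// property cannot select the issuer-based decoder.
		if (!StringUtils.hasText(issuerLocation)) {
			return ConditionOutcome.noMatch(message.didNotFind("oidc-issuer-location property").atAll());
		}
		// jwk-set-uri is the more specific setting, so it takes precedence:
		// when it is present this condition backs off and reports why.
		if (StringUtils.hasText(jwkSetUri)) {
			return ConditionOutcome.noMatch(message.found("jwk-set-uri property").items(jwkSetUri));
		}
		return ConditionOutcome.match(message.foundExactly("oidc-issuer-location property"));
	}

}
```

The `ConditionMessage` text appears in the auto-configuration conditions report, which makes it possible to confirm at startup which key source the resource server is using to validate tokens.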
@@ -44,4 +49,12 @@ public JwtDecoder jwtDecoder() { | |||
return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri()); | |||
} | |||
|
|||
@Bean | |||
@Conditional(OidcIssuerLocationCondition.class) |
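Review bot: `@Conditional(OidcIssuerLocationCondition.class)` on the last line moves the precedence rule out of sight of this configuration class. Ask for Javadoc on the condition and `ConditionMessage` text stating that it matches only when `oidc-issuer-location` is set and `jwk-set-uri` is not, so the conditions report explains why this decoder was or was not created, plus a test for the case where both properties are set.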
@mbhave I've added a custom condition.
* gh-14190: Polish "OIDC issuer uri in OAuth resource server config" Support OIDC issuer uri in OAuth resource server config
Thanks again, @ayudovin! This change is now on master along with this polish commit. I changed
@mbhave, it makes sense. Thank you!
adding auto-configuration for spring-security-oauth2-resource-server by oidc issuer location