auto-configuration for spring-security-oauth2-resource-server by oidc issuer location #14190
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
| return new NimbusJwtDecoderJwkSupport( | ||
| this.properties.getJwt().getJwk().getSetUri()); | ||
| } | ||
|
|
||
| @Bean | ||
| @ConditionalOnProperty(name = "spring.security.oauth2.resource.jwt.jwk.oidc-issuer-location") |
There was a problem hiding this comment.
The property should not use the jwk group as this configuration isn't related to it. The property should be more like:
spring.security.oauth2.resource.jwt.oidc-issuer-location
There was a problem hiding this comment.
yeah, it's my mistake, I've fixed it
| .withClassLoader(new FilteredClassLoader(JwtAuthenticationToken.class)) | ||
| .run((context) -> assertThat(getBearerTokenFilter(context)).isNull()); | ||
| } | ||
|
|
There was a problem hiding this comment.
The other option is to fail hard if both are specified.
There was a problem hiding this comment.
From my point of view the second option will be better but now jwk-set-uri wins.
I have added test for checking it.
There was a problem hiding this comment.
I think that jwk-set-uri should win because it is more specific.
There was a problem hiding this comment.
Agreed that jwk-set-uri is more specific and should take precedence because of that.
There was a problem hiding this comment.
ok, now jwk-set-uri has precedence.
… into auto-configuration-for-spring-security-oauth2-resource-server-by-oidc-issuer-location # Conflicts: # spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerProperties.java # spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwkConfiguration.java # spring-boot-project/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
| @@ -44,4 +47,12 @@ public JwtDecoder jwtDecoder() { | |||
| return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri()); | |||
| } | |||
|
|
|||
| @Bean | |||
| @ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.oidc-issuer-location") | |||
There was a problem hiding this comment.
I think we should make it explicit that jwk-set-uri should take precedence by adding a custom condition that checks that spring.security.oauth2.resourceserver.jwt.oidc-issuer-location is present and spring.security.oauth2.resourceserver.jwt.jwk-set-uri is not present.
There was a problem hiding this comment.
ok, I'll add custom condition
| @@ -44,4 +49,12 @@ public JwtDecoder jwtDecoder() { | |||
| return new NimbusJwtDecoderJwkSupport(this.properties.getJwt().getJwkSetUri()); | |||
| } | |||
|
|
|||
| @Bean | |||
| @Conditional(OidcIssuerLocationCondition.class) | |||
There was a problem hiding this comment.
@mbhave I've added custom condition.
mbhave
added
type: enhancement
* gh-14190: Polish "OIDC issuer uri in OAuth resource server config" Support OIDC issuer uri in OAuth resource server config
|
Thanks again, @ayudovin! This change is now on master along with this polish commit. I changed |
|
@mbhave , it makes sense. Thank you! |
adding auto-configuration for spring-security-oauth2-resource-server by oidc issuer location
this enhancement