JwtIssuerAuthenticationManagerResolver should not resolve the bearer token #9186
Labels: in: oauth2 (an issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose); type: enhancement (a general enhancement)

Current Behavior

Each of `JwtIssuerAuthenticationManagerResolver` and `JwtIssuerReactiveAuthenticationManagerResolver` uses either `BearerTokenResolver` or `ServerBearerTokenAuthenticationConverter`, respectively, to resolve the bearer token from the `HttpServletRequest` or `ServerWebExchange`.

This has the downsides that, first, the bearer token is resolved from the request multiple times - once by `BearerTokenAuthenticationFilter` and again by the resolver - and second, it creates the need to expose the `BearerTokenResolver` when it is being customized in other places in the application.

Expected Behavior

Since `JwtIssuerAuthenticationManagerResolver`'s role is to resolve an `AuthenticationManager`, it should just return an `AuthenticationManager` that reads the already-resolved token from a `BearerTokenAuthenticationToken`.

The same is true for `JwtIssuerReactiveAuthenticationManagerResolver`.

Making this change will make these authentication manager resolvers more widely usable since it will remove their dependency on `BearerTokenResolver` and `ServerBearerTokenAuthenticationConverter`.
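
One way the requested behavior could look on the servlet side, as an added example that is not Spring Security's own code: the resolver ignores the request and returns an `AuthenticationManager` that takes the token from the `BearerTokenAuthenticationToken` the filter already built. The class name `IssuerDelegatingResolver` is hypothetical, and the package locations assume the 5.x line (`javax.servlet`) with Nimbus JOSE+JWT on the classpath.

```java
import java.text.ParseException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import com.nimbusds.jwt.JWTParser;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;

// Hypothetical class for illustration; package names are assumed from Spring Security 5.x.
public final class IssuerDelegatingResolver implements AuthenticationManagerResolver<HttpServletRequest> {

    // Issuer URI -> manager that verifies tokens for that issuer. The keys are the allowlist.
    private final Map<String, AuthenticationManager> managersByIssuer;

    public IssuerDelegatingResolver(Map<String, AuthenticationManager> managersByIssuer) {
        this.managersByIssuer = Map.copyOf(managersByIssuer);
    }

    @Override
    public AuthenticationManager resolve(HttpServletRequest request) {
        // The request is never parsed here, so no BearerTokenResolver is needed.
        return this::authenticate;
    }

    private Authentication authenticate(Authentication authentication) {
        if (!(authentication instanceof BearerTokenAuthenticationToken)) {
            throw new IllegalArgumentException("Expected a BearerTokenAuthenticationToken");
        }
        String token = ((BearerTokenAuthenticationToken) authentication).getToken();
        String issuer;
        try {
            // Read before any signature check: the claim is untrusted at this point.
            issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
        } catch (ParseException ex) {
            throw new InvalidBearerTokenException("Malformed token", ex);
        }
        // Use the untrusted claim only as a lookup key into the fixed allowlist.
        AuthenticationManager delegate = (issuer == null) ? null : managersByIssuer.get(issuer);
        if (delegate == null) {
            throw new InvalidBearerTokenException("Missing or untrusted issuer");
        }
        // The per-issuer manager performs signature and claim validation.
        return delegate.authenticate(authentication);
    }
}
```

Because the `iss` claim is read from a token that has not been verified yet, it is only matched against the configured issuers and never used to derive a key location or URL.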