It would be nice to be able to more easily configure sophisticated validation chains using JwtValidators.
Currently, to create a validator that checks the issuer and the audience, one needs to do:
```java
OAuth2TokenValidator<Jwt> issuer = JwtValidators.createValidatorWithIssuer(issuer);
OAuth2TokenValidator<Jwt> audience = jwt -> {
    if (jwt.hasClaim(AUD) && jwt.getAudience().contains("my-audience")) {
        return OAuth2TokenValidatorResult.success();
    } else {
        return OAuth2TokenValidatorResult.error(new OAuth2Error(code, description, uri));
    }
};
OAuth2TokenValidator<Jwt> jwtValidator = new DelegatingOAuth2TokenValidator<>(issuer, audience);
```
However, something like the following might be nicer:
```java
OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.withIssuer(issuer)
        .hasAudience("my-audience")
        .build();
```
Such a builder would likely need methods for custom claims as well.
Comment From: zeeshanadnan
Hi @jzheaux, if no one is working on it I would like to take it.
Comment From: jzheaux
@zeeshanadnan Thanks for your interest! Given JwtClaimValidator, it makes me wonder if this ticket is still valuable.
For example, the code to do the above is now much simpler:
```java
OAuth2TokenValidator<Jwt> issuer = JwtValidators.createValidatorWithIssuer(issuer);
// Explicit type argument so that `aud` is typed as the audience list, not Object
OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<List<String>>(
        AUD, aud -> aud != null && aud.contains("my-audience"));
return new DelegatingOAuth2TokenValidator<>(issuer, audience);
```
For this to be a complete solution, there are also several things to decide, like what configuration options to expose for timestamps.
If you'd like to take some time to flesh out this issue to have some more detail, then maybe let's start there.
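A complete, runnable version of the chain sketched in that comment, as an added example (not code from the issue or from Spring Security itself): it composes JwtIssuerValidator, a JwtClaimValidator on the `aud` claim and a JwtTimestampValidator with DelegatingOAuth2TokenValidator, then runs it over two constructed tokens. The issuer URL, audience name and 30-second clock skew are assumed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;

import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;

public class AudienceChainExample {

    // Issuer + audience + timestamp chain; each validator contributes its own OAuth2Error on failure.
    static OAuth2TokenValidator<Jwt> validator(String issuer, String audience) {
        OAuth2TokenValidator<Jwt> withIssuer = new JwtIssuerValidator(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        OAuth2TokenValidator<Jwt> timestamps = new JwtTimestampValidator(Duration.ofSeconds(30));
        return new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience, timestamps);
    }

    public static void main(String[] args) {
        // Assumed issuer and audience values for this example
        OAuth2TokenValidator<Jwt> validator = validator("https://issuer.example", "my-audience");

        // Constructed sample tokens. No signature is involved here: NimbusJwtDecoder verifies the
        // signature first and only then hands the Jwt to the validator set via setJwtValidator(...).
        Jwt good = Jwt.withTokenValue("constructed-token")
                .header("alg", "none")
                .issuer("https://issuer.example")
                .audience(List.of("my-audience"))
                .issuedAt(Instant.now())
                .expiresAt(Instant.now().plusSeconds(300))
                .build();
        Jwt wrongAudience = Jwt.withTokenValue("constructed-token")
                .header("alg", "none")
                .issuer("https://issuer.example")
                .audience(List.of("other-service"))
                .expiresAt(Instant.now().plusSeconds(300))
                .build();

        OAuth2TokenValidatorResult ok = validator.validate(good);
        OAuth2TokenValidatorResult rejected = validator.validate(wrongAudience);
        System.out.println("good token has errors: " + ok.hasErrors());
        rejected.getErrors().forEach(e -> System.out.println(e.getErrorCode() + ": " + e.getDescription()));
    }
}
```

To apply the chain to real tokens, pass it to the decoder with `decoder.setJwtValidator(validator)`, which replaces the default issuer and timestamp checks, so keep them in the chain as shown.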
Comment From: zeeshanadnan
@jzheaux sure, no problem. When working on JwtClaimValidator I thought it would be better if there is a way to use them from JwtValidators. Something like this would still be useful for creating complex validation chains:
```java
JwtValidators.withIssuer(issuer)
        .withClaim(new JwtClaimValidator<List<String>>(AUD, aud -> aud != null && aud.contains("my-audience")))
        .withTimeStamp(clockSkew)
        .build();
```
Also methods for audience validator and default timestamp can be added. Nonetheless thanks for the clarification.
Comment From: zeeshanadnan
@jzheaux sorry for the noise. I did not go through the codebase so didn't have much insight. On second thought, after going through the code and usage, there would not be much added value with a builder. Static methods for custom claims could be added, but the API currently seems sufficient. Thanks.