JwtDecoder and ReactiveJwtDecoder could be improved by determining the JWS algorithm from the JWK Set endpoint.
This is something already supported in Nimbus via:
```java
import java.net.URL;
import com.nimbusds.jose.proc.*; // JWSKeySelector, JWSAlgorithmFamilyJWSKeySelector, SecurityContext

URL url = new URL("https://idp.example.org/.well-known/jwks.json");
// Fetches the JWK Set and picks the JWS algorithm family (RSA, EC) from each key's kty;
// declares KeySourceException, and the URL constructor above declares MalformedURLException
JWSKeySelector<SecurityContext> selector = JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(url);
```
The result would be that on startup, the application would hit the JWK Set endpoint, inspect the kty field of the JWKs returned, and infer the algorithm or algorithms that the decoder should support accordingly. Perhaps this could be delayed, though, until the first request comes in.
If an application wants to skip this auto-configuration, it can easily do so by using NimbusJwtDecoder directly:
```java
import org.springframework.security.oauth2.jwt.*; // JwtDecoder, NimbusJwtDecoder

String jwkSetUri = "https://idp.example.org/.well-known/jwks.json";
// Explicit builder: keeps today's RS256 behaviour instead of the proposed auto-detection
JwtDecoder decoder = NimbusJwtDecoder.fromJwkSetUri(jwkSetUri).build();
```
Care will need to be taken to ensure that this change is passive. For example, NimbusJwtDecoder selects RS256 by default. For those still picking the defaults, it'd be unfortunate if the algorithms selected by reading the JWKS response didn't include RS256.
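A sketch of the kty-based inference proposed above together with the RS256 passivity check, added here as an example that is not Spring Security's or Nimbus's own code. It assumes Nimbus on the classpath, uses locally generated keys as a constructed JWK Set, and the helpers `inferAlgorithms` and `remainsPassive` are hypothetical names of mine.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.*;
import java.security.KeyPairGenerator;
import java.security.interfaces.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;
public class JwkSetAlgorithmInference {
    // The algorithm NimbusJwtDecoder assumes today when nothing is configured
    static final JWSAlgorithm CURRENT_DEFAULT = JWSAlgorithm.RS256;
    // Hypothetical helper: derive the JWS algorithms a decoder should accept from the JWK Set
    static Set<JWSAlgorithm> inferAlgorithms(JWKSet jwkSet) {
        Set<JWSAlgorithm> algs = new LinkedHashSet<>();
        for (JWK jwk : jwkSet.getKeys()) {
            if (jwk.getAlgorithm() != null) {
                // An explicit "alg" member pins the key to a single algorithm
                algs.add(JWSAlgorithm.parse(jwk.getAlgorithm().getName()));
            } else if (KeyType.RSA.equals(jwk.getKeyType())) {
                algs.addAll(JWSAlgorithm.Family.RSA); // RS256/384/512 and PS256/384/512
            } else if (KeyType.EC.equals(jwk.getKeyType())) {
                algs.addAll(JWSAlgorithm.Family.EC);  // ES256, ES256K, ES384, ES512
            }
            // "oct" keys are skipped: a JWK Set fetched over HTTP is public, so an HMAC
            // secret published there is a misconfiguration, not something to honour
        }
        return algs;
    }
    // Hypothetical helper for the passivity concern: an empty result means "keep RS256";
    // a non-empty result that lacks RS256 would change behaviour for current users
    static boolean remainsPassive(Set<JWSAlgorithm> inferred) {
        return inferred.isEmpty() || inferred.contains(CURRENT_DEFAULT);
    }
    public static void main(String[] args) throws Exception {
        // Constructed JWK Set: one RSA key without "alg", one EC P-256 key with "alg":"ES256"
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        JWK rsa = new RSAKey.Builder((RSAPublicKey) rsaGen.generateKeyPair().getPublic())
                .keyID("rsa-1").build();
        JWK ec = new ECKey.Builder(Curve.P_256, (ECPublicKey) ecGen.generateKeyPair().getPublic())
                .keyID("ec-1").algorithm(JWSAlgorithm.ES256).build();
        Set<JWSAlgorithm> algs = inferAlgorithms(new JWKSet(Arrays.asList(rsa, ec)));
        System.out.println("Inferred algorithms: " + algs);
        System.out.println("RS256 still accepted: " + remainsPassive(algs));
    }
}
```

With this sample set the inferred algorithms are the whole RSA family plus ES256, so the check passes; a JWK Set advertising only EC keys would make `remainsPassive` return false, which is exactly the case the description warns about.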
Comment From: mkheck
Hey @jzheaux, I wouldn't mind taking a run at this. Please let me know your thoughts.
Comment From: mkheck
Hi @jzheaux, not sure what happened to my earlier comment, but I'd like to take this on if it makes sense to you. Please let me know.
Comment From: jzheaux
Yes, @mkheck, I think this would be a good fit. Forgive the delay - I've added some more detail to the description, which I wanted to confirm before handing it off.