JWK sets are the premier way to support key rotation in Spring Security's OAuth 2.0 Resource Server.

However, not all Identity Providers support JWK.

Provide a way to configure Resource Server with more than one key so that when the key rotates, there is no loss of uptime. Ideally, this feature would also allow for refreshing local key sets without rebooting.

Comment From: jgrandja

@jzheaux I believe this can be closed?

Comment From: jzheaux

Applications that want to perform local key rotation can supply their own implementation of Nimbus's JWKSource:

@Bean
JwtDecoder jwtDecoder() {
    // Algorithm the tokens are signed with (RS256 is assumed here)
    JWSAlgorithm alg = JWSAlgorithm.RS256;
    JWKSource<SecurityContext> jwkSource = // ... your implementation
    ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
    processor.setJWSKeySelector(new JWSVerificationKeySelector<>(alg, jwkSource));
    return new NimbusJwtDecoder(processor);
}
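
One possible shape for such a JWKSource, as an added example that is not code from this thread, Spring Security or Nimbus: the class name `RotatingJWKSource` and its `replace` method are hypothetical, and the RSA keys and token are generated inline for the demonstration. It shows the overlap window that avoids downtime (old and new key trusted together) and a refresh without a restart.

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

// Hypothetical class: holds the trusted verification keys and lets them be swapped at runtime.
public class RotatingJWKSource implements JWKSource<SecurityContext> {
    private final AtomicReference<JWKSet> keys = new AtomicReference<>(new JWKSet());

    // Atomically replace the trusted set; toPublicJWKSet() strips any private key material.
    public void replace(JWK... current) {
        keys.set(new JWKSet(List.of(current)).toPublicJWKSet());
    }

    @Override
    public List<JWK> get(JWKSelector selector, SecurityContext context) {
        return selector.select(keys.get()); // the selector matches on kty, kid, use and alg
    }

    static boolean verifies(DefaultJWTProcessor<SecurityContext> p, String token) {
        try { p.process(token, null); return true; }
        catch (Exception e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        RSAKey oldKey = new RSAKeyGenerator(2048).keyID("key-old").generate(); // constructed keys
        RSAKey newKey = new RSAKeyGenerator(2048).keyID("key-new").generate();
        RotatingJWKSource source = new RotatingJWKSource();
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source));
        SignedJWT jwt = new SignedJWT(
            new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(oldKey.getKeyID()).build(),
            new JWTClaimsSet.Builder().subject("demo").build());
        jwt.sign(new RSASSASigner(oldKey));
        String token = jwt.serialize();
        source.replace(oldKey);          // before rotation: only the old key is trusted
        System.out.println("old only:  " + verifies(processor, token));
        source.replace(oldKey, newKey);  // overlap window: tokens from either key are accepted
        System.out.println("overlap:   " + verifies(processor, token));
        source.replace(newKey);          // old key retired: tokens signed with it are rejected
        System.out.println("new only:  " + verifies(processor, token));
    }
}
```

In a resource server the same instance would be the `jwkSource` passed to `JWSVerificationKeySelector` in the bean above, with `replace` called from whatever reloads the local keys.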