Summary

Add resource server support for multiple trusted JWT access token issuers

Actual Behavior

Presently we can configure a resource server's trusted jwt token issuer like:

security.oauth2.resource.jwt.keyUri=... or security.oauth2.resource.jwk.keySetUri=...

Expected Behavior

I'd like to suggest supporting something like (switching to yml):

security:
  oauth2:
    resource:
      issuers:
        issuer1:
          keyUri: ...
          issuerClaim: ...
        issuer2:
          keySetUri: ...
        issuer3:
          keyValue: ...

Note the optional issuerClaim for verification against the 'iss' claim.

Comment From: jgrandja

The key question to ask the UAA team is: is the kid unique across identity zones?

Comment From: jgrandja

@jzheaux Has this been solved via #5351?

Comment From: jzheaux

@jgrandja good question - it's certainly possible via #5351 but it would not be very efficient. The resulting AuthenticationManagerResolver would need to parse the JWT and select the appropriate JwtAuthenticationManager instance accordingly, at which point it would be parsed again by the underlying JwtDecoder.

It seems to me that a JwtDecoder implementation may be better suited for this use case.

The AuthenticationManagerResolver is suitable for aspects of the request that are immediately obtainable, like a path, a header, or a subdomain.
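As an added example (not code from this thread or from Spring Security itself), here is one shape such a JwtDecoder could take: it reads the unverified `iss` claim once, purely as a lookup key, and hands the token to a per-issuer decoder that does the real signature and claim validation. The list of trusted issuers passed to the constructor is an assumed input.

```java
import java.text.ParseException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import com.nimbusds.jwt.JWTParser;

import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtException;

/**
 * Dispatches to one verifying JwtDecoder per trusted issuer. The token is
 * parsed here only to read the "iss" claim; nothing about it is trusted
 * until the selected delegate has verified the signature and claims.
 */
public class IssuerDispatchingJwtDecoder implements JwtDecoder {

    private final Map<String, JwtDecoder> decodersByIssuer = new ConcurrentHashMap<>();

    // Hypothetical issuer list: only these are ever trusted; a token naming any
    // other issuer is rejected before any key lookup happens.
    public IssuerDispatchingJwtDecoder(String... trustedIssuers) {
        for (String issuer : trustedIssuers) {
            // fromIssuerLocation discovers the issuer's JWK Set URI from its
            // metadata and installs a validator that re-checks the "iss" claim.
            this.decodersByIssuer.put(issuer, JwtDecoders.fromIssuerLocation(issuer));
        }
    }

    @Override
    public Jwt decode(String token) throws JwtException {
        String issuer;
        try {
            // Unverified read of "iss": used as a map key only, never as a fact.
            issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
        } catch (ParseException ex) {
            throw new JwtException("Malformed JWT", ex);
        }
        JwtDecoder delegate = (issuer == null) ? null : this.decodersByIssuer.get(issuer);
        if (delegate == null) {
            throw new JwtException("Untrusted issuer");
        }
        // The delegate verifies the signature against that issuer's own keys and
        // validates "iss" again, so a forged claim cannot borrow another issuer's keys.
        return delegate.decode(token);
    }
}
```

Because the issuer map is fixed at construction, adding an issuer means redeploying or wiring the map from your own settings source, which is the "bean anyway" point raised later in this thread.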

Comment From: jzheaux

Fixed via de87675

Comment From: cadethacker

Sorry to comment on an older issue, but one point of confusion. The OP asked about defining multiple authorization services via the yaml/config. I spent a good bit of time coding up support by using the docs (very good BTW) and it works, but...

I still didn't see a clear answer in this issue on whether the yaml/config supports multiple authorization servers by issuer yet, as per the OP question. I know I can code it, but can I config it :D

EDIT: I found this documentation but it only mentioned being able to define a single issuer in the yaml. Spring Boot 2.5.2 docs

Comment From: jzheaux

@cadethacker you are correct, YAML config is not supported for multiple issuers.

Comment From: cadethacker

Huge thank you @jzheaux for the clarification. Is there a correct way to request this as a feature? I think this would be a great addition to Spring Security, especially with the awesome work in the entire 5 series. I'm happy to hack on it, but have no clue where to start, if you can give me a compass heading and a shove in the right direction.

Comment From: jzheaux

YAML configuration falls under the Spring Boot project, so you'd file an issue there.

That said, we usually try and reserve YAML to common use cases, and multi-tenancy for resource servers doesn't yet seem common enough. Moreover, multi-tenancy is often highly proprietary; I imagine that more often than not applications will need to use a bean anyway, e.g. so that they can load settings from a database.