I'm experiencing intermittent failures when starting my Spring Boot app because the JWKS retrieval times out.
I'd like to be able to configure the timeout somehow.
I had opened another issue with the Spring Boot project but they indicated it was more of an issue for Spring Security, specifically referencing this location:
https://github.com/spring-projects/spring-security/blob/ff47086d56d9aebeed4f12fca740c62ea4750378/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java#L120
Comment From: sjohnr
Hi @hughpv, thanks for the enhancement request. See gh-9991 for a similar issue relating to startup time and lazy initialization. Using the JwtDecoders class (triggered by the Spring Boot condition looking for spring.security.oauth2.resourceserver.jwt.issuer-uri) is a convenience which causes the request to be performed on startup to create a JwtDecoder. You can defer that request using spring.security.oauth2.resourceserver.jwt.jwk-set-uri, which is also a convenience mechanism for providing a JwtDecoder, which should solve the problem of startup failure. Or you can simply provide your own @Bean of type JwtDecoder. I recommend the latter, as it is fairly easy to provide your own using whatever mechanism you choose, as you are also in complete control of things like timeouts.
In summary, the recommendation would be to prefer providing your own @Bean of JwtDecoder, as that mechanism is much simpler than numerous configuration points within the framework. Does this recommendation address the issue for you without requiring changes to the framework?
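As an added example of the approach recommended above (this is not code from the thread or from the Spring Security project), the configuration below registers a JwtDecoder bean built with NimbusJwtDecoder.withJwkSetUri and a RestTemplate whose connect/read timeouts and retry behaviour the application controls. With this builder the JWK set is fetched when the first token is decoded, not when the bean is created, so a slow JWKS endpoint no longer fails startup. The issuer URL, JWKS URL, package name, timeout values and retry counts are assumptions chosen for illustration. One caveat a practitioner should note: JwtDecoders.fromIssuerLocation installs an issuer check for you, but a hand-built NimbusJwtDecoder does not, so the example sets JwtValidators.createDefaultWithIssuer explicitly; leaving that out would accept tokens from any issuer whose keys happen to be in the JWK set.

```java
package com.example.security; // assumed package name

import java.io.IOException;
import java.time.Duration;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class JwtDecoderConfig {

    // Assumed values for illustration; a real application reads these from properties.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";

    @Bean
    public JwtDecoder jwtDecoder() {
        // RestTemplate with explicit timeouts and a bounded retry on I/O failure.
        RestTemplate rest = new RestTemplate(timeoutFactory());
        rest.setInterceptors(List.of(new RetryInterceptor(3, Duration.ofMillis(500))));

        // The JWK set is retrieved through 'rest' on first decode, not at startup.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .jwsAlgorithm(SignatureAlgorithm.RS256)
                .restOperations(rest)
                .build();

        // Restore the issuer check that JwtDecoders.fromIssuerLocation would have added,
        // plus the default timestamp (exp/nbf) validation.
        OAuth2TokenValidator<Jwt> validator = JwtValidators.createDefaultWithIssuer(ISSUER);
        decoder.setJwtValidator(validator);
        return decoder;
    }

    private static SimpleClientHttpRequestFactory timeoutFactory() {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout(2_000); // milliseconds; assumed value
        factory.setReadTimeout(3_000);    // milliseconds; assumed value
        return factory;
    }

    /** Retries the JWKS request a bounded number of times on IOException (timeouts included). */
    static final class RetryInterceptor implements ClientHttpRequestInterceptor {
        private final int maxAttempts;
        private final Duration backoff;

        RetryInterceptor(int maxAttempts, Duration backoff) {
            this.maxAttempts = maxAttempts;
            this.backoff = backoff;
        }

        @Override
        public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                ClientHttpRequestExecution execution) throws IOException {
            IOException last = null;
            for (int attempt = 1; attempt <= maxAttempts; attempt++) {
                try {
                    return execution.execute(request, body); // body is a byte[], safe to resend
                } catch (IOException e) {
                    last = e;
                    if (attempt == maxAttempts) {
                        break;
                    }
                    try {
                        Thread.sleep(backoff.toMillis() * attempt); // linear backoff
                    } catch (InterruptedException ie) {
                        Thread.currentThread().interrupt();
                        throw e;
                    }
                }
            }
            throw last;
        }
    }
}
```

Because the retry lives in the HTTP client rather than around the decoder, it applies to every JWK set refresh (including key rotation later in the process lifetime), not only to the first fetch; keep the attempt count small so a request thread holding a token cannot be stalled for long by an unavailable authorization server.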
Comment From: hughpv
Thanks @sjohnr, don't know why I didn't think to provide my own bean. I'll give that a shot and update with findings.
Comment From: sjohnr
Just a note for our future selves 😅 : This is covered in the OAuth 2.0 Resource Server section of the reference docs. The following sections have more info on these topics:
- Specifying the Authorization Server JWK Set Uri Directly
- Overriding or Replacing Boot Auto Configuration
Comment From: hughpv
I was able to implement my own bean and do the JWKS retrieval in a retry loop, which seems to have gotten me unstuck. Thanks for the suggestion!
Comment From: sjohnr
@hughpv that's great news! I'm going to close this issue for now, but thanks for the engagement and discussion, we're definitely going to keep an eye on this area. If you have other suggestions, feel free to comment here or open a new enhancement.