Expected Behavior
Allow creating an OIDC ID token decoder outside of OidcIdTokenDecoderFactory without regard to the registration ID.
Current Behavior
Today the current implementation forces you to use OidcIdTokenDecoderFactory in order to create a JwtDecoder that decodes an OIDC ID token.
If we supply two different ClientRegistration instances with the same registration ID, the implementation returns a JwtDecoder that suits only one of the two (because of the use of the JWT decoders map).
Context
In our application, we want to allow users to supply their own client id and client secret in order to authenticate their clients in our application.
In order to keep things simple for our users and for our DB modeling, we want to use the same client registration ID for different providers (okta, google, etc.) and differentiate between the users by other identifiers. We successfully loaded different ClientRegistration instances using our own implementation of ClientRegistrationRepository.
But once we try to decode the ID token returned to us, we notice that OidcIdTokenDecoderFactory limits us by allowing one decoder per registration ID.
We implemented our own JwtDecoderFactory<ClientRegistration> to work around that problem, but we still want to be compliant with the OIDC spec for decoding the ID token. That implementation is coupled with the default OidcIdTokenDecoderFactory (see org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory#buildDecoder), which forces us either to copy-paste the implementation inside OidcIdTokenDecoderFactory or to create an OidcIdTokenDecoderFactory instance on each createDecoder call in our custom implementation in order to create decoders that are compliant with the OIDC spec.
Comment From: jgrandja
@OrGivati Regarding your implementation of ClientRegistrationRepository:
> we want to use the same client registration ID for different providers (okta, google, etc.) and we can differentiate between the users by other identifiers
The ClientRegistration.registrationId is intended (by design) to be unique within a ClientRegistrationRepository and the application itself. The API is designed as such:
```java
public interface ClientRegistrationRepository {
    ClientRegistration findByRegistrationId(String registrationId);
}
```
ClientRegistration.registrationId is also meant to identify a client registration within a provider and NOT meant to identify the provider itself:
> we want to use the same client registration ID for different providers (okta, google, etc.)

> if we will supply two different ClientRegistration with the same registration ID
I do not recommend using non-unique ClientRegistration.registrationId within your application as this will have adverse effects at runtime. You see it with OidcIdTokenDecoderFactory and likely more issues will arise.
Could you not assign a GUID to ClientRegistration.registrationId for each registration? This will resolve the issue you are having.
I'm going to close this as OidcIdTokenDecoderFactory works-as-designed.
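The approach suggested in the reply, as an added example that is not code from the issue or from Spring Security: a ClientRegistrationRepository that assigns a GUID as the registrationId for every per-user registration and keeps the user/provider association in its own index, so the unchanged OidcIdTokenDecoderFactory caches one decoder per registration. It assumes Spring Security's spring-security-oauth2-client and spring-security-config on the classpath and uses only CommonOAuth2Provider.GOOGLE, whose builder fills in the provider endpoints (the class and method names below are this example's own).

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.config.oauth2.client.CommonOAuth2Provider;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.JwtDecoder;

// Example repository: registrationId is always a fresh GUID, never shared
// between providers or users, so it stays unique as the API requires.
public class PerUserClientRegistrationRepository implements ClientRegistrationRepository {

    private final Map<String, ClientRegistration> byRegistrationId = new ConcurrentHashMap<>();
    // Secondary index "userId:PROVIDER" -> registrationId keeps the user/provider
    // relationship the application cares about, without overloading registrationId.
    private final Map<String, String> byUserAndProvider = new ConcurrentHashMap<>();

    public String register(String userId, CommonOAuth2Provider provider, String clientId, String clientSecret) {
        String registrationId = UUID.randomUUID().toString();
        ClientRegistration registration = provider.getBuilder(registrationId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();
        byRegistrationId.put(registrationId, registration);
        byUserAndProvider.put(userId + ":" + provider.name(), registrationId);
        return registrationId;
    }

    public ClientRegistration findByUserAndProvider(String userId, CommonOAuth2Provider provider) {
        String registrationId = byUserAndProvider.get(userId + ":" + provider.name());
        return registrationId == null ? null : byRegistrationId.get(registrationId);
    }

    @Override
    public ClientRegistration findByRegistrationId(String registrationId) {
        return byRegistrationId.get(registrationId);
    }

    public static void main(String[] args) {
        PerUserClientRegistrationRepository repo = new PerUserClientRegistrationRepository();
        // Constructed sample values: two tenants, each with its own Google client.
        String alice = repo.register("alice", CommonOAuth2Provider.GOOGLE, "alice-client-id", "alice-secret");
        String bob = repo.register("bob", CommonOAuth2Provider.GOOGLE, "bob-client-id", "bob-secret");

        // Distinct registration IDs mean the factory's decoder map holds one entry per tenant.
        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        JwtDecoder aliceDecoder = factory.createDecoder(repo.findByRegistrationId(alice));
        JwtDecoder bobDecoder = factory.createDecoder(repo.findByRegistrationId(bob));
        System.out.println("separate decoders: " + (aliceDecoder != bobDecoder));
    }
}
```

Each decoder is built from its own ClientRegistration (client ID for the audience check, provider issuer and JWK set), so an ID token issued for one tenant's client is not accepted by another tenant's decoder.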