Expected Behavior

In our daily deployment our services are behind http proxy servers.

Due to this, we are not able to use the OpenID Connect feature in spring-security-oauth2, because OidcIdTokenDecoderFactory does not allow customizing the RestOperations it uses.

Like the customizer of oauth2Login, it would be great to be able to set a RestOperations on the OidcIdTokenDecoderFactory so that it is used in the private method org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory#buildDecoder when the NimbusJwtDecoder builder is used.

Allowing this, we would be able to create our own managed bean for the JWT decoder that can be used by a WebSecurityConfigurerAdapter:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .oauth2Login(customizer -> {
                                .......
                });
    }

Current Behavior

No RestTemplate customization is available, and we are not able to use Spring Security to validate the JWT token.

Comment From: jzheaux

Hi, @H3llK33p3r, do you have multiple client registrations? If not, you can do:

@Bean 
JwtDecoderFactory<ClientRegistration> jwtDecoderFactory() {
    // jwkSetUri: the provider's JWK Set URI; restOperations: a RestTemplate configured for your proxy
    JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .restOperations(restOperations).build();
    // single-tenant: every ClientRegistration gets the same decoder
    return (clientRegistration) -> jwtDecoder;
}

Or, if you are multi-tenant, then you can instead do something like the following:

import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestOperations;

@Component
public class MyJwtDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
    // one decoder per registration id, created lazily and cached
    private final Map<String, JwtDecoder> jwtDecoders = new ConcurrentHashMap<>();
    private final RestOperations restOperations; // proxy-aware RestTemplate supplied by the application

    public MyJwtDecoderFactory(RestOperations restOperations) {
        this.restOperations = restOperations;
    }

    @Override 
    public JwtDecoder createDecoder(ClientRegistration clientRegistration) {
        return this.jwtDecoders.computeIfAbsent(clientRegistration.getRegistrationId(),
                (r) -> NimbusJwtDecoder
                        .withJwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri())
                        .restOperations(this.restOperations)
                        .build());
    }
}

Would either of those work for your situation?

Either way, if you still feel that the RestOperations should be exposed, please feel free to share your thoughts on https://github.com/spring-projects/spring-security/issues/8882. That ticket seems to be the one where something like this would be addressed.

Comment From: H3llK33p3r

Ok, I will keep an eye on #8882. Sure, I can add the JwtDecoderFactory on my side, but when I was talking about configuring or extending the OidcIdTokenDecoderFactory, it's because this class performs additional checks on the configuration consistency.

Thank you for your previous comment.

Comment From: bodewig

I opened #10512 and a PR because I didn't see this issue before. Please let me support @H3llK33p3r's case. OidcIdTokenDecoderFactory does a bit more than just creating a NimbusDecoder. Your code examples lack setting the claimSetConverter for example.
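A worked example of what H3llK33p3r and bodewig are pointing at, added here as an editorial illustration and not code from this thread or from Spring Security itself: a JwtDecoderFactory bean that routes JWK Set fetches through an HTTP proxy while reproducing the extra work OidcIdTokenDecoderFactory does around the NimbusJwtDecoder builder (JWS algorithm selection, the consistency check that a signature algorithm needs a JWK Set URI and a MAC algorithm needs a client secret, the OidcIdTokenValidator, and the default claim type converters). The proxy host and port, the bean names, and the RS256-by-default algorithm resolver are assumptions.

```java
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.nio.charset.StandardCharsets;
import java.util.function.Function;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenValidator;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jose.jws.JwsAlgorithm;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

@Configuration
public class ProxyAwareOidcDecoderConfig {

    // Assumed proxy endpoint (hypothetical values); replace with your environment's proxy.
    private static final String PROXY_HOST = "proxy.internal.example";
    private static final int PROXY_PORT = 3128;

    // Assumed resolver: OidcIdTokenDecoderFactory defaults to RS256; swap in HS256 for
    // providers that sign ID tokens with the client secret.
    private final Function<ClientRegistration, JwsAlgorithm> jwsAlgorithmResolver =
            (registration) -> SignatureAlgorithm.RS256;

    @Bean
    RestOperations jwkSetRestOperations() {
        // All outbound JWK Set requests go through the HTTP proxy.
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(PROXY_HOST, PROXY_PORT)));
        return new RestTemplate(factory);
    }

    @Bean
    JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory(RestOperations jwkSetRestOperations) {
        return (registration) -> {
            JwsAlgorithm alg = this.jwsAlgorithmResolver.apply(registration);
            NimbusJwtDecoder decoder;
            if (alg instanceof SignatureAlgorithm) {
                // Consistency check: an asymmetric algorithm needs somewhere to fetch public keys from.
                String jwkSetUri = registration.getProviderDetails().getJwkSetUri();
                if (!StringUtils.hasText(jwkSetUri)) {
                    throw missingVerifier(registration, "Check to ensure you have configured the JwkSet URI.");
                }
                decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                        .jwsAlgorithm((SignatureAlgorithm) alg)
                        .restOperations(jwkSetRestOperations)
                        .build();
            } else {
                // Consistency check: a MAC algorithm needs the client secret as the shared key.
                MacAlgorithm mac = (MacAlgorithm) alg;
                String clientSecret = registration.getClientSecret();
                if (!StringUtils.hasText(clientSecret)) {
                    throw missingVerifier(registration, "Check to ensure you have configured the client secret.");
                }
                SecretKeySpec key = new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), mac.getName());
                decoder = NimbusJwtDecoder.withSecretKey(key).macAlgorithm(mac).build();
            }
            // ID-token specific validation (iss, aud, azp, exp, iat, nonce is checked by the login filter)
            OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                    new JwtTimestampValidator(), new OidcIdTokenValidator(registration));
            decoder.setJwtValidator(validator);
            // Same claim typing OidcIdTokenDecoderFactory applies (e.g. iat/exp as Instant, aud as list).
            decoder.setClaimSetConverter(
                    new ClaimTypeConverter(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters()));
            return decoder;
        };
    }

    private static OAuth2AuthenticationException missingVerifier(ClientRegistration registration, String hint) {
        OAuth2Error error = new OAuth2Error("missing_signature_verifier",
                "Failed to find a Signature Verifier for Client Registration: '"
                        + registration.getRegistrationId() + "'. " + hint, null);
        return new OAuth2AuthenticationException(error, error.toString());
    }
}
```

Declaring a JwtDecoderFactory<ClientRegistration> bean causes oauth2Login to use it in place of its default OidcIdTokenDecoderFactory, so the proxy-aware RestOperations is picked up without touching the private buildDecoder method. The price is that any validation the default factory gains in a later release is not inherited, which is the maintenance argument for exposing RestOperations on the factory itself.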

Comment From: jgrandja

@H3llK33p3r FYI, see comment