Expected Behavior
I want to be able to configure the timeout in the RemoteJWKSet used in JwtDecoders.
Current Behavior
The timeout is set to 500 ms by default and is not configurable.
Context
I'm having timeout issues when retrieving the JWK set in version 5.5.2.
The RemoteJWKSet instantiated in the JwtDecoders.withProviderConfiguration() method uses the default ResourceRetriever that has a timeout of 500 ms, which is not enough for me.
I'm not sure what the best way to approach this is, as these are static builders.
Caused by: java.lang.IllegalStateException: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Connect timed out
at spring.security.oauth2.jose@5.5.2/org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:107) ~[spring-security-oauth2-jose-5.5.2.jar:na]
at spring.security.oauth2.jose@5.5.2/org.springframework.security.oauth2.jwt.JwtDecoders.withProviderConfiguration(JwtDecoders.java:122) ~[spring-security-oauth2-jose-5.5.2.jar:na]
at spring.security.oauth2.jose@5.5.2/org.springframework.security.oauth2.jwt.JwtDecoders.fromOidcIssuerLocation(JwtDecoders.java:66) ~[spring-security-oauth2-jose-5.5.2.jar:na]
at com.urbanise.marketplace.core.configuration.SecurityConfiguration.jwtDecoder(SecurityConfiguration.java:45) ~[main/:na]
at com.urbanise.marketplace.core.configuration.SecurityConfiguration$$EnhancerBySpringCGLIB$$77574937.CGLIB$jwtDecoder$1() ~[main/:na]
at com.urbanise.marketplace.core.configuration.SecurityConfiguration$$EnhancerBySpringCGLIB$$77574937$$FastClassBySpringCGLIB$$3a88077a.invoke() ~[main/:na]
at spring.core@5.3.10/org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:244) ~[spring-core-5.3.10.jar:na]
at spring.context@5.3.10/org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:331) ~[spring-context-5.3.10.jar:na]
at com.urbanise.marketplace.core.configuration.SecurityConfiguration$$EnhancerBySpringCGLIB$$77574937.jwtDecoder() ~[main/:na]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78) ~[na:na]
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
at java.base/java.lang.reflect.Method.invoke(Method.java:567) ~[na:na]
at spring.beans@5.3.10/org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:154) ~[spring-beans-5.3.10.jar:na]
... 56 common frames omitted
Caused by: com.nimbusds.jose.RemoteKeySourceException: Couldn't retrieve remote JWK set: Connect timed out
at com.nimbusds.jose.jwt@9.10.1/com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:167) ~[nimbus-jose-jwt-9.10.1.jar:na]
at com.nimbusds.jose.jwt@9.10.1/com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:260) ~[nimbus-jose-jwt-9.10.1.jar:na]
at spring.security.oauth2.jose@5.5.2/org.springframework.security.oauth2.jwt.JwtDecoderProviderConfigurationUtils.getSignatureAlgorithms(JwtDecoderProviderConfigurationUtils.java:90) ~[spring-security-oauth2-jose-5.5.2.jar:na]
... 69 common frames omitted
Caused by: java.net.SocketTimeoutException: Connect timed out
at java.base/sun.nio.ch.NioSocketImpl.timedFinishConnect(NioSocketImpl.java:546) ~[na:na]
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:597) ~[na:na]
at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:333) ~[na:na]
at java.base/java.net.Socket.connect(Socket.java:645) ~[na:na]
at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:300) ~[na:na]
at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:177) ~[na:na]
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:497) ~[na:na]
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:600) ~[na:na]
at java.base/sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:265) ~[na:na]
at java.base/sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:379) ~[na:na]
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:189) ~[na:na]
at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1232) ~[na:na]
at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1120) ~[na:na]
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:175) ~[na:na]
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1653) ~[na:na]
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1577) ~[na:na]
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224) ~[na:na]
at com.nimbusds.jose.jwt@9.10.1/com.nimbusds.jose.util.DefaultResourceRetriever.getInputStream(DefaultResourceRetriever.java:305) ~[nimbus-jose-jwt-9.10.1.jar:na]
at com.nimbusds.jose.jwt@9.10.1/com.nimbusds.jose.util.DefaultResourceRetriever.retrieveResource(DefaultResourceRetriever.java:257) ~[nimbus-jose-jwt-9.10.1.jar:na]
at com.nimbusds.jose.jwt@9.10.1/com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:165) ~[nimbus-jose-jwt-9.10.1.jar:na]
... 71 common frames omitted
Comment From: petrovpet
I resolved the issue by creating a new NimbusJwtDecoder and basically copying a couple of methods from JwtDecoderProviderConfigurationUtils and JwtDecoders, but I guess this can be done a bit more flexibly.
Comment From: jzheaux
This is covered in the Spring Security reference.
In the future, it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. If the above link doesn't answer your question, please ask a new question on Stack Overflow and feel free to update this issue with a link to the re-posted question (so that other people can find it).
Comment From: andreas-trvlk
I think the issue here is about RemoteJWKSet, not NimbusJwtDecoder. Doing https://docs.spring.io/spring-security/site/docs/5.2.12.RELEASE/reference/html/oauth2.html#oauth2resourceserver-jwt-timeouts is only for NimbusJwtDecoder.
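An added example, not part of the thread and not Spring Security's own code: one way to build a NimbusJwtDecoder directly with bounded JWK set retrieval timeouts, while keeping the issuer validation that the JwtDecoders factory methods would otherwise add. The issuer, JWK set URI, class name and 3-second timeouts are constructed placeholders, and RS256 is an assumed signing algorithm.

```java
import java.time.Duration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class JwtDecoderTimeoutConfig {

    // Constructed placeholders, not values from the issue.
    private static final String ISSUER = "https://idp.example.com";
    private static final String JWK_SET_URI = "https://idp.example.com/.well-known/jwks.json";

    @Bean
    JwtDecoder jwtDecoder() {
        // Explicit, bounded timeouts for the JWK set fetch. Keep them finite so a
        // slow or unreachable identity provider cannot stall request threads.
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout((int) Duration.ofSeconds(3).toMillis());
        factory.setReadTimeout((int) Duration.ofSeconds(3).toMillis());
        RestTemplate rest = new RestTemplate(factory);

        // Supplying the JWK set URI and algorithm up front avoids the discovery
        // path in JwtDecoders that produced the stack trace in this issue.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .restOperations(rest)
                .jwsAlgorithm(SignatureAlgorithm.RS256) // pin the accepted algorithm
                .build();

        // A hand-built decoder does not know the issuer: without this line the
        // "iss" claim is not checked. The default validator also checks the
        // token's timestamps.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

Hard-coding the JWK set URI trades automatic discovery for a predictable startup, so the URI has to be updated by hand if the provider moves its key endpoint.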