Currently, the Spring Security OAuth 2.0 client uses the provider details token URI as the value for the JWT aud claim of the assertion in OAuth 2.0 Client Authentication.
RFC 7523 says:
The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT.
The RFC says MAY, not MUST. I would like to be able to use another value (I have to call an OAuth 2 server that requires a value different from the token URL).
The current Spring Security behavior is provided by NimbusJwtClientAuthenticationParametersConverter. Overriding its behavior requires copying and pasting hundreds of lines, as it is a final class and uses many package-private classes.
Related gh-9208
Comment From: jgrandja
@christophejan We are looking to merge gh-9208 for 5.6, which is needed before we can allow customization of the Jwt client assertion.
Comment From: jgrandja
@sjohnr This is what I'm thinking for the customization hook:
```java
public final class NimbusJwtClientAuthenticationParametersConverter<T extends AbstractOAuth2AuthorizationGrantRequest>
		implements Converter<T, MultiValueMap<String, String>> {

	...

	public void setJwtClientAssertionCustomizer(Consumer<JwtClientAuthenticationContext<T>> jwtClientAssertionCustomizer) {
	}

	public static final class JwtClientAuthenticationContext<T> {

		T getAuthorizationGrantRequest() {
		}

		JwsHeader.Builder getHeaders() {
		}

		JwtClaimsSet.Builder getClaims() {
		}

	}

	...
```
Use this as a starting point and see how it turns out. Thanks!
Comment From: jgrandja
@christophejan @marcerik @iamlothian @chenrujun
We just merged support for customizing headers/claims in the JWT Client Assertion in gh-10972. Please give it a try when you have a chance and any feedback would be greatly appreciated.
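Putting the customizer hook sketched above to the use the issue asks for, as an added example that is not code from this thread or from the Spring Security project: the `aud` claim of the client assertion is replaced with the value the authorization server requires instead of its token endpoint URI. The audience URL and the `JWK` handed in by the caller are assumptions; the class and method names are those of the merged API.

```java
import java.util.Collections;
import java.util.function.Consumer;
import java.util.function.Function;

import com.nimbusds.jose.jwk.JWK;

import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter.JwtClientAuthenticationContext;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;

public final class CustomAudienceClientAssertionConfig {

	// Hypothetical value: the audience the remote authorization server expects
	// in the client assertion instead of its token endpoint URL.
	static final String ASSERTION_AUDIENCE = "https://as.example.org/";

	// signingKey: the JWK (with private part) used to sign the assertion; how it
	// is loaded is left to the application and is an assumption of this example.
	public static DefaultClientCredentialsTokenResponseClient tokenResponseClient(JWK signingKey) {
		// The converter asks this resolver for the signing key of each registration
		// that uses private_key_jwt / client_secret_jwt; one key is used for all here.
		Function<ClientRegistration, JWK> jwkResolver = (clientRegistration) -> signingKey;

		NimbusJwtClientAuthenticationParametersConverter<OAuth2ClientCredentialsGrantRequest> jwtConverter =
				new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver);

		// The customization hook: the builders already hold the default header and
		// iss/sub/aud/jti/iat/exp claims, so only aud is overwritten. A mismatched
		// aud is rejected by the authorization server, so the value must match exactly.
		Consumer<JwtClientAuthenticationContext<OAuth2ClientCredentialsGrantRequest>> customizer = (context) -> {
			context.getClaims().audience(Collections.singletonList(ASSERTION_AUDIENCE));
		};
		jwtConverter.setJwtClientAssertionCustomizer(customizer);

		// Register the converter so client_assertion and client_assertion_type
		// are added to the token request parameters.
		OAuth2ClientCredentialsGrantRequestEntityConverter requestEntityConverter =
				new OAuth2ClientCredentialsGrantRequestEntityConverter();
		requestEntityConverter.addParametersConverter(jwtConverter);

		DefaultClientCredentialsTokenResponseClient tokenResponseClient =
				new DefaultClientCredentialsTokenResponseClient();
		tokenResponseClient.setRequestEntityConverter(requestEntityConverter);
		return tokenResponseClient;
	}

}
```

The returned client is wired into the client-credentials flow in place of the default `OAuth2AccessTokenResponseClient`; the same customizer type works for the authorization_code and refresh_token grant request converters by changing the type parameter.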