For non-reactive applications, just setting
security.oauth2.resourceserver.jwt.issuer-uri: http://some.non.public.host/some-path
works fine (for example when doing integration tests on a Kubernetes cluster with non-public DNS).
With reactive, this fails with `java.lang.IllegalStateException: Could not obtain the keys [...]` because the hostname can't be resolved over public DNS and is not in /etc/hosts.
I currently do not see any way to get this working for non-public hosts because there's no way to customize the web client used for ReactiveJwtDecoders.fromIssuerLocation().
So currently, this only leaves the work-around of also setting jwk-set-uri when using non-public hosts:
```java
import io.netty.resolver.DefaultAddressResolverGroup;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.bind.DefaultValue;
import org.springframework.context.annotation.Bean;
import org.springframework.http.client.reactive.ReactorClientHttpConnector;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.netty.http.client.HttpClient;

@Bean
ReactiveJwtDecoder jwtDecoder(JwtConfig config) {
    // Use the JVM's default resolver (honours /etc/hosts and the cluster DNS) instead of Netty's DNS resolver
    var nimbusReactiveJwtDecoder = NimbusReactiveJwtDecoder
            .withJwkSetUri(config.jwkSetUri())
            .jwsAlgorithm(SignatureAlgorithm.from(config.jwsAlgorithm()))
            .webClient(WebClient.builder()
                    .clientConnector(new ReactorClientHttpConnector(HttpClient.create()
                            .resolver(DefaultAddressResolverGroup.INSTANCE)))
                    .build())
            .build();
    // Still validate the iss claim when an issuer is configured
    if (config.issuerUri() != null) {
        nimbusReactiveJwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(config.issuerUri()));
    }
    return nimbusReactiveJwtDecoder;
}

// Bound via @ConfigurationPropertiesScan or @EnableConfigurationProperties(JwtConfig.class)
@ConfigurationProperties(prefix = "spring.security.oauth2.resourceserver.jwt")
record JwtConfig(String jwkSetUri, @DefaultValue("RS256") String jwsAlgorithm, String issuerUri) {}
```
This changes the semantics however. IMHO the web client used for issuer-uri should be configurable.
Comment From: jkreileder
My bad, this is actually caused by https://github.com/netty/netty/issues/12097. It works as expected with more dots.