JwkSetUriJwtDecoderBuilder allows customizing the restOperations that is used to make calls to the authorization server. However, when using an issuerUri, using JwtDecoders.fromIssuerLocation, this customization doesn't look like it's possible. This issue in Spring Boot is the original issue for enabling these sorts of customizations.
Comment From: jgrandja
@mbhave We have a similar issue with ClientRegistrations as we do with JwtDecoders. The following tickets are all related #7027 #7391 #5607. We're planning on addressing this for 5.4.
Comment From: 20fps
The same issue will be present also for Cache added here:
https://github.com/spring-projects/spring-security/pull/8332
Comment From: jzheaux
It might be better to introduce NimbusJwtDecoder#withIssuerUri so that applications have full access to the builder. One could then do:
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder
            .withIssuerUri(issuerUri)
            .restOperations(rest)
            .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
And the builder would use that RestOperations to both query the discovery endpoint on startup and the JWKs endpoint when verifying JWTs.
There may also be value in JwtDecoders having a configurable RestOperations as well, but I think it's important to keep in mind that it's a convenience class and shouldn't expose every feature of the Nimbus builder.
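Added example, not part of the original comment or of Spring Security's own code: one way to get the behaviour discussed above with the builder that already exists, by performing OIDC discovery through a caller-supplied RestOperations and passing the same instance to withJwkSetUri. The class and method names (IssuerJwtDecoderFactory, fromIssuer, boundedRestOperations) and the 2-second timeouts are assumptions for illustration; only the OIDC discovery path is handled.

```java
import java.util.Map;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

// Hypothetical helper class, named here for illustration only.
public final class IssuerJwtDecoderFactory {

    // Uses one RestOperations for both the discovery call at startup
    // and the JWK Set fetches made while verifying JWTs.
    public static JwtDecoder fromIssuer(String issuerUri, RestOperations rest) {
        String base = issuerUri.endsWith("/")
                ? issuerUri.substring(0, issuerUri.length() - 1) : issuerUri;
        Map<?, ?> metadata =
                rest.getForObject(base + "/.well-known/openid-configuration", Map.class);
        if (metadata == null) {
            throw new IllegalStateException("Empty discovery response from " + issuerUri);
        }
        // The discovery document must name the issuer we asked for; otherwise
        // the jwks_uri it advertises cannot be trusted for this issuer.
        if (!issuerUri.equals(metadata.get("issuer"))) {
            throw new IllegalStateException("Discovery document issuer does not match " + issuerUri);
        }
        Object jwksUri = metadata.get("jwks_uri");
        if (!(jwksUri instanceof String)) {
            throw new IllegalStateException("Discovery document has no jwks_uri");
        }
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri((String) jwksUri)
                .restOperations(rest)
                .build();
        // Timestamp checks plus an "iss" claim check against the configured issuer.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        return decoder;
    }

    // A RestOperations with bounded timeouts, so a slow or unreachable
    // authorization server cannot stall request threads (values are assumptions).
    public static RestOperations boundedRestOperations() {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout(2000);
        factory.setReadTimeout(2000);
        return new RestTemplate(factory);
    }
}
```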
Comment From: jgrandja
This issue is related to #7027. A proposed solution is provided in this comment.
A similar solution could be implemented to address this issue, specifically for JwtDecoders and ReactiveJwtDecoders.
Comment From: jgrandja
Closing in favour of #8882. Please see JwtDecoders and provide any additional feedback there.