Expected Behavior

Support for configuring multiple `jwk-set-uri` values in the Spring configuration file, like so:

```yaml
spring:
  security:
    oauth2:
      resourceservers:
        server1:
          jwt:
            jwk-set-uri: server-A.com/jwks.json
        server2:
          jwt:
            jwk-set-uri: server-B.com/jwks.json
        server3:
          jwt:
            jwk-set-uri: server-C.com/jwks.json
```
Currently there is a workaround posted by jzheaux here. It looks like this:

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

// Keyed by the token's "iss" claim; an issuer that is not in the map resolves to null and the request is rejected.
@Bean
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
    Map<String, AuthenticationManager> managers = Map.of(
        "https://s1.host.name", authenticationManager("https://original.jwks.server:8080/.well-known/jwks.json"),
        "https://s2.host.name", authenticationManager("https://new.jwks.server:8080/.well-known/jwks.json"));
    return new JwtIssuerAuthenticationManagerResolver(managers::get);
}

// One decoder (and so one JWK Set cache) per issuer; the resolver expects an AuthenticationManager, not a bare JwtDecoder.
AuthenticationManager authenticationManager(String jwkSetUri) {
    return new ProviderManager(new JwtAuthenticationProvider(NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build()));
}
```
However, this solution will soon stop working because it is deprecated and is likely to be removed in 3.3.x.

I noticed more people are seeking this functionality. In a complex enterprise microservice architecture, it is likely to receive traffic from multiple sources. These microservices often expose /jwks endpoints that the receiving party should fetch. This means Spring Security should be able to fetch multiple JWKS URIs.
Can we have this enhancement implemented or can we get a workaround that will work with Spring Boot 3.3.x?
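The following is an added example, not code from the issue author, from jzheaux, or from Spring Boot or Spring Security. It shows one way to get the per-server configuration the issue asks for today without touching `JwtIssuerAuthenticationManagerResolver` at all: the per-server structure is bound to a custom property prefix (`app.resourceservers` is an assumption here; Boot's own `spring.security.oauth2.resourceserver` namespace is left alone), one `NimbusJwtDecoder` is built per JWKS URI, and an `AuthenticationManagerResolver<HttpServletRequest>` picks the decoder by the token's `iss` claim. The property names `issuer-uri`/`jwk-set-uri`, the class names and the hostnames are illustrative assumptions. The security-relevant details are that the `iss` claim is read unverified only to choose a key set (the chosen decoder then verifies the signature), that an unknown issuer is rejected with an `InvalidBearerTokenException` rather than a null manager, and that each decoder additionally validates that `iss` matches the issuer it was built for.

```java
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.jwt.JWTParser;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;

// Added example; the "app.resourceservers" prefix and the property names are assumptions.
// Binds configuration of this shape (hostnames are constructed for illustration):
//
// app:
//   resourceservers:
//     server1:
//       issuer-uri: https://server-a.example
//       jwk-set-uri: https://server-a.example/jwks.json
//     server2:
//       issuer-uri: https://server-b.example
//       jwk-set-uri: https://server-b.example/jwks.json
@ConfigurationProperties(prefix = "app")
record AppProperties(Map<String, ResourceServer> resourceservers) {
    record ResourceServer(String issuerUri, String jwkSetUri) {}
}

@Configuration
@EnableConfigurationProperties(AppProperties.class)
class MultiIssuerResourceServerConfig {

    @Bean
    AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver(AppProperties props) {
        // One decoder (and therefore one cached JWK Set) per configured server, keyed by its issuer.
        Map<String, AuthenticationManager> byIssuer = new HashMap<>();
        props.resourceservers().values().forEach(server -> {
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(server.jwkSetUri()).build();
            // Defence in depth: besides exp/nbf, every token this decoder accepts must carry the issuer
            // it was built for, so a key set can never vouch for a token claiming another issuer.
            decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(server.issuerUri()));
            byIssuer.put(server.issuerUri(), new ProviderManager(new JwtAuthenticationProvider(decoder)));
        });

        BearerTokenResolver bearerTokens = new DefaultBearerTokenResolver();
        return request -> {
            String token = bearerTokens.resolve(request);
            if (token == null) {
                throw new InvalidBearerTokenException("Missing bearer token");
            }
            try {
                // The "iss" claim is read from the still-unverified token solely to select a key set;
                // the selected decoder verifies the signature before anything trusts the claims.
                String issuer = JWTParser.parse(token).getJWTClaimsSet().getIssuer();
                AuthenticationManager manager = byIssuer.get(issuer);
                if (manager == null) {
                    // Throwing (rather than returning null) lets BearerTokenAuthenticationFilter
                    // hand the request to its failure handler instead of failing with a NullPointerException.
                    throw new InvalidBearerTokenException("Untrusted issuer: " + issuer);
                }
                return manager;
            }
            catch (ParseException e) {
                throw new InvalidBearerTokenException("Malformed JWT", e);
            }
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            AuthenticationManagerResolver<HttpServletRequest> resolver) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Per-request resolution replaces the single-decoder setup that Boot's
            // spring.security.oauth2.resourceserver.jwt.jwk-set-uri property would give.
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver));
        return http.build();
    }
}
```

Adding a fourth server is then a matter of adding another entry under `app.resourceservers`; nothing in the Java changes. Because lookup is by issuer, two servers that share the same `issuer-uri` would collide in the map, so the issuer values must be distinct per entry.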
Comment From: jzheaux
Thanks for the update. Let's please keep the discussion about Boot properties on https://github.com/spring-projects/spring-boot/issues/30108 so that all the comments are collected in the same place.