I would really like to see the ability to add your own custom ResourceRetriever to NimbusJwtDecoder. For example, I would like to be able to implement a fault-tolerant ResourceRetriever:
```java
import java.io.IOException;
import java.net.URL;

import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import org.springframework.web.client.RestOperations;

public final class FaultTolerantResourceRetriever implements ResourceRetriever {
    // Delegates to Spring Security's RestOperations-backed retriever (a nested class of NimbusJwtDecoder)
    private final RestOperationsResourceRetriever resourceRetriever;

    public FaultTolerantResourceRetriever(RestOperations restOperations) {
        this.resourceRetriever = new RestOperationsResourceRetriever(restOperations);
    }

    @Override
    @CircuitBreaker // supplied by the circuit-breaker library in use (e.g. Resilience4j); not imported here
    public Resource retrieveResource(URL url) throws IOException {
        return resourceRetriever.retrieveResource(url);
    }
}
```
Then:
```java
// Proposed API: a resourceRetriever(...) builder method that does not exist today
NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
        .resourceRetriever(new FaultTolerantResourceRetriever(new RestTemplate()))
        .build();
```
It seems that I can't do this with jwtProcessorCustomizer.
Comment From: jzheaux
Hi, @CrazyParanoid. Have you already tried something like this:
```java
@Bean
JwtDecoder jwtDecoder(ResourceRetriever yours) {
    // url: the JWK Set endpoint as a java.net.URL; uri: the same endpoint as a String
    JWKSource<SecurityContext> source = JWKSourceBuilder.create(url, yours).build();
    JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source);
    // Replace the default key selector so every JWK Set fetch goes through your retriever
    return NimbusJwtDecoder.withJwkSetUri(uri)
            .jwtProcessorCustomizer((jwtProcessor) -> jwtProcessor.setJWSKeySelector(selector))
            .build();
}
```
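Putting the request and the answer together, here is an added, self-contained example (not code from the issue or from Spring Security) of a RestOperations-backed ResourceRetriever wired in through the JWS key selector. Because Spring's own RestOperationsResourceRetriever is not public, the class below (hypothetical name RestOperationsJwkRetriever) fetches the JWK Set itself and also rejects oversized responses, which the stock retriever does not let you bound per call; it assumes nimbus-jose-jwt with JWKSourceBuilder on the classpath.

```java
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestOperations;

/** Hypothetical retriever: fetches the JWK Set via a caller-supplied RestOperations (timeouts belong there). */
public final class RestOperationsJwkRetriever implements ResourceRetriever {
    private final RestOperations rest;
    private final int maxBytes; // refuse JWK Set documents larger than this
    public RestOperationsJwkRetriever(RestOperations rest, int maxBytes) {
        this.rest = rest; this.maxBytes = maxBytes;
    }
    @Override
    public Resource retrieveResource(URL url) throws IOException {
        try {
            RequestEntity<Void> request = RequestEntity.get(url.toURI())
                    .accept(MediaType.APPLICATION_JSON).build();
            ResponseEntity<String> response = rest.exchange(request, String.class);
            String body = response.getBody();
            if (body == null || body.length() > maxBytes) {
                throw new IOException("JWK Set response missing or larger than " + maxBytes + " bytes");
            }
            MediaType type = response.getHeaders().getContentType();
            return new Resource(body, type == null ? null : type.toString());
        } catch (URISyntaxException ex) {
            throw new IOException("Invalid JWK Set URL: " + url, ex);
        }
    }
    /** Wires the retriever into NimbusJwtDecoder through the JWS key selector, as in the answer above. */
    public static JwtDecoder jwtDecoder(String jwkSetUri, ResourceRetriever retriever) throws IOException {
        JWKSource<SecurityContext> source =
                JWKSourceBuilder.<SecurityContext>create(new URL(jwkSetUri), retriever).build();
        JWSKeySelector<SecurityContext> selector = new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source);
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .jwtProcessorCustomizer(p -> p.setJWSKeySelector(selector)).build();
    }
}
```

Any circuit breaker or retry policy can then wrap `retrieveResource`, or the RestOperations passed in, without touching the decoder.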
Comment From: franticticktick
Thanks @jzheaux, this solution suits me. It would be nice if RestOperationsResourceRetriever became part of the public API of Spring Security.
Comment From: jzheaux
Thanks for the suggestion, @CrazyParanoid; I see where you are coming from.
Spring Security doesn't typically publish implementations of third-party interfaces as public APIs, given that we don't have very much control over their lifecycle. As such, I'd recommend you file a ticket with Nimbus to see about their willingness to add Spring components and then contribute RestOperationsResourceRetriever there if it seems like a fit.