Background
I'm using Spring Boot 2.3.12.RELEASE with the Spring Boot OAuth2 Resource Server, and I think that, also from reading this doc, I'll have the default verification of the iss claim for my JWT token.
Current situation
If I specify these properties
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://idp.example.com
          jwk-set-uri: https://myserver/api/jwks/jwks.json
and configure security this way
import java.net.MalformedURLException;
import java.net.URL;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.proc.JWSAlgorithmFamilyJWSKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {
    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .anyRequest().authenticated())
            .oauth2ResourceServer().jwt().decoder(jwtDecoder());
    }

    // Hand-built Nimbus processor: keys are selected from the JWK Set URL only; issuer-uri is not read here
    @Bean
    public JwtDecoder jwtDecoder() throws KeySourceException, MalformedURLException {
        JWSKeySelector<SecurityContext> jwsKeySelector =
                JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(this.jwkSetUri));
        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWSKeySelector(jwsKeySelector);
        return new NimbusJwtDecoder(jwtProcessor);
    }
}
Authentication works even if the iss field isn't the same as the one specified in issuer-uri.
Requirement
I suppose there is a problem either in the documentation or in the implementation, which doesn't verify what the documentation says.
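As an added illustration (not the reporter's code and not Spring Boot's own auto-configuration), here is a JwtDecoder bean that does enforce issuer-uri. Spring Security's NimbusJwtDecoder is constructed with JwtValidators.createDefault(), which only checks the exp/nbf timestamps; the exact-match iss check derived from issuer-uri is attached by Boot's auto-configured decoder, and that auto-configuration backs off as soon as the application declares its own JwtDecoder bean, as the configuration in this report does. The two property names are the ones from the issue; the expected audience value "my-api" and the AudienceValidator class are assumptions made for the example.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

// Added example configuration; it replaces the hand-built DefaultJWTProcessor decoder
// with one that validates signature, timestamps, issuer and audience.
@Configuration
public class IssuerCheckedJwtDecoderConfig {

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // Assumed audience for this example; use the identifier your IdP puts in 'aud' for this API.
    private static final String EXPECTED_AUDIENCE = "my-api";

    @Bean
    public JwtDecoder jwtDecoder() {
        // Signature verification against the JWK Set, as in the reporter's setup
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // createDefaultWithIssuer = timestamp (exp/nbf) checks plus an exact-match 'iss' check.
        // A plain 'new NimbusJwtDecoder(processor)' keeps only createDefault(), i.e. no 'iss' check.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(issuerUri);

        // Audience check, so a token minted by the right issuer for a different API is rejected too
        OAuth2TokenValidator<Jwt> audience = new AudienceValidator(EXPECTED_AUDIENCE);

        // All validators must pass; the first failure produces an invalid_token error
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audience));
        return decoder;
    }

    /** Rejects tokens whose 'aud' claim does not contain the expected audience (example helper). */
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expected;

        AudienceValidator(String expected) {
            this.expected = expected;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expected)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token",
                    "The required audience " + expected + " is missing", null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

With this bean in place the `.oauth2ResourceServer().jwt()` DSL picks it up whether or not `.decoder(jwtDecoder())` is called explicitly. A quick check: present a correctly signed token whose iss differs from issuer-uri (or whose aud lacks the expected value) and the request is rejected with a 401 and a `WWW-Authenticate: Bearer error="invalid_token"` header, instead of being accepted as in the report.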
Comment From: wilkinsona
Thanks for the report, but Spring Boot 2.3.x has reached the end of its OSS support period, and Spring Boot OAuth2 Resource Server is managed as a separate project.