
Defer OIDC lookup until first use of the issuer location JwtDecoder #28122

Closed
jzheaux opened this issue Sep 23, 2021 · 1 comment
Labels
status: reserved-for-conference-event status: superseded An issue that has been superseded by another type: enhancement A general enhancement

Comments

@jzheaux
Contributor

jzheaux commented Sep 23, 2021

Spring Security 5.6 is shipping with a new JwtDecoder that defers the OIDC discovery lookups that normally happen during startup.

Users will be able to do, for example:

```java
@Bean
JwtDecoder jwtDecoder() {
    // Discovery against the issuer runs only when this supplier is first invoked
    Supplier<JwtDecoder> jwtDecoder = () -> JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
    return new SupplierJwtDecoder(jwtDecoder);
}
```

And the startup configuration won't be invoked until the app first calls JwtDecoder#decode.

Today, Spring Boot does something like the following when only an issuer-uri is provided:

```java
@Bean
JwtDecoder jwtDecoder() {
    // Discovery runs here, while the bean is created at startup
    return JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
}
```

It would be nice if Spring Boot published the JwtDecoder as a SupplierJwtDecoder to provide a quicker and more resilient startup experience.

If there is a need for users to restore the previous eager-loading behavior, they can publish the bean themselves; however, a property may also be worth considering.

@jzheaux jzheaux changed the title OAuth2ResourceServerAutoConfiguration should publish a SupplierJwtDecoder instead of a NimbusJwtDecoder OAuth2ResourceServerAutoConfiguration should defer OIDC lookups by publishing a SupplierJwtDecoder instead of a NimbusJwtDecoder Sep 23, 2021
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 23, 2021
@wilkinsona wilkinsona changed the title OAuth2ResourceServerAutoConfiguration should defer OIDC lookups by publishing a SupplierJwtDecoder instead of a NimbusJwtDecoder Defer OIDC lookup until first use of the issuer location JwtDecoder Sep 23, 2021
@wilkinsona wilkinsona added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 23, 2021
@wilkinsona wilkinsona added this to the 2.6.x milestone Sep 23, 2021
@mbhave
Contributor

mbhave commented Oct 1, 2021

Closing in favor of PR #28169.
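
An added illustration of the deferral discussed in this issue (not code from the issue, Spring Security or Spring Boot): it wraps a stand-in supplier in `SupplierJwtDecoder` so you can observe when the lookup runs and that a lookup failure surfaces from `decode` at request time instead of at startup. The counting supplier, its constructed failure and the sample token are assumptions standing in for `JwtDecoders.fromIssuerLocation(...)` and a real issuer; it needs `spring-security-oauth2-jose` 5.6 or later on the classpath.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;

public class DeferredLookupDemo {

    public static void main(String[] args) {
        AtomicInteger lookups = new AtomicInteger();

        // Hypothetical stand-in for JwtDecoders.fromIssuerLocation(...):
        // counts invocations and fails the first one, as an unreachable issuer would.
        Supplier<JwtDecoder> discovery = () -> {
            if (lookups.incrementAndGet() == 1) {
                throw new IllegalStateException("issuer unreachable (constructed failure)");
            }
            // Stand-in decoder that rejects every token; a real one would verify signatures.
            return token -> {
                throw new BadJwtException("rejected by stand-in decoder");
            };
        };

        // Construction is what happens at application startup.
        JwtDecoder decoder = new SupplierJwtDecoder(discovery);
        System.out.println("after construction: lookups=" + lookups.get());

        // Each decode call corresponds to an incoming request carrying a bearer token.
        for (int i = 1; i <= 3; i++) {
            try {
                decoder.decode("constructed.sample.token");
            } catch (RuntimeException ex) {
                // Report which exception the caller sees and how often the lookup has run.
                System.out.println("decode #" + i + ": "
                        + ex.getClass().getSimpleName()
                        + " (" + ex.getMessage() + "), lookups=" + lookups.get());
            }
        }
    }
}
```

Because a wrong or unreachable issuer is no longer caught at startup with the deferred bean, a readiness check that exercises the decoder is the place to catch it.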
