Closed
Labels: status: reserved-for-conference-event; status: superseded (an issue that has been superseded by another); type: enhancement (a general enhancement)
Description
Spring Security 5.6 is shipping with a new JwtDecoder that defers the OIDC discovery lookups that normally happen during startup.
Users will be able to do, for example:
```java
@Bean
JwtDecoder jwtDecoder() {
    Supplier<JwtDecoder> jwtDecoder = () -> JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
    return new SupplierJwtDecoder(jwtDecoder);
}
```

And the startup configuration won't be invoked until the app first calls JwtDecoder#decode.
Today, Spring Boot does something like the following when only an issuer-uri is provided:
```java
@Bean
JwtDecoder jwtDecoder() {
    return JwtDecoders.fromIssuerLocation("https://issuer/endpoint");
}
```

It would be nice if Spring Boot published the JwtDecoder as a SupplierJwtDecoder to provide a quicker and more resilient startup experience.
If there is a need for users to restore the previous eager-loading behavior, they can publish the bean themselves; however, a property may also be worth considering.
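The deferred-lookup pattern discussed in this issue, as an added JDK-only sketch that is not Spring Security's or Spring Boot's code: `TokenDecoder`, `LazyDecoder` and the simulated issuer are hypothetical names. It assumes a failed first lookup is not cached, which the issue does not state about `SupplierJwtDecoder`; the point for operators is that a wrong or unreachable issuer no longer fails startup and surfaces on the first decoded token instead.

```java
import java.util.function.Supplier;

public class LazyDecoderDemo {
    /** Hypothetical stand-in for a JWT decoder; not Spring Security's interface. */
    interface TokenDecoder { String decode(String token); }

    /** Builds the real decoder on first use; a failed build is not cached. */
    static final class LazyDecoder implements TokenDecoder {
        private final Supplier<TokenDecoder> factory;
        private volatile TokenDecoder delegate;

        LazyDecoder(Supplier<TokenDecoder> factory) { this.factory = factory; }

        @Override
        public String decode(String token) {
            TokenDecoder d = delegate;
            if (d == null) {
                synchronized (this) {          // one discovery lookup at a time
                    d = delegate;
                    if (d == null) {
                        d = factory.get();     // may throw: nothing is cached then
                        delegate = d;
                    }
                }
            }
            return d.decode(token);
        }
    }

    public static void main(String[] args) {
        boolean[] issuerUp = { false };        // constructed: simulated issuer availability
        int[] lookups = { 0 };                 // counts simulated discovery calls
        Supplier<TokenDecoder> discovery = () -> {
            lookups[0]++;
            if (!issuerUp[0]) throw new IllegalStateException("issuer unreachable");
            return token -> "decoded:" + token;
        };

        TokenDecoder decoder = new LazyDecoder(discovery);   // "startup": no lookup yet
        System.out.println("lookups after startup: " + lookups[0]);
        try {
            decoder.decode("constructed-token");             // first use triggers discovery
        } catch (IllegalStateException ex) {
            System.out.println("first decode failed: " + ex.getMessage());
        }
        issuerUp[0] = true;                                  // issuer becomes reachable
        System.out.println(decoder.decode("constructed-token"));
        decoder.decode("constructed-token");                 // reuses the cached delegate
        System.out.println("total lookups: " + lookups[0]);
    }
}
```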