Skip to content

Defer OIDC lookup until first use of the issuer location JwtDecoder #28169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
Closed

Defer OIDC lookup until first use of the issuer location JwtDecoder #28169

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
7d2947d
JwtSupplierDecoder Uri Issuer return Supplier
Pooja199 Oct 1, 2021
c4be1e8
remove config
Pooja199 Oct 1, 2021
0d6e69a
Return JwtSupplierDecoder when jwt issuer uri bean is instantiated
Pooja199 Oct 1, 2021
4f5ca22
Reactive supplier changes
Pooja199 Oct 2, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions ...igure/security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerJwkConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
Expand Down Expand Up @@ -91,8 +92,8 @@ private byte[] getKeySpec(String keyValue) {

@Bean
@Conditional(IssuerUriCondition.class)
ReactiveJwtDecoder jwtDecoderByIssuerUri() {
return ReactiveJwtDecoders.fromIssuerLocation(this.properties.getIssuerUri());
SupplierReactiveJwtDecoder jwtDecoderByIssuerUri() {
return new SupplierReactiveJwtDecoder(() -> ReactiveJwtDecoders.fromIssuerLocation(this.properties.getIssuerUri()));
}

}
Expand Down
5 changes: 3 additions & 2 deletions .../autoconfigure/security/oauth2/resource/servlet/OAuth2ResourceServerJwtConfiguration.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

/**
Expand Down Expand Up @@ -91,8 +92,8 @@ private byte[] getKeySpec(String keyValue) {

@Bean
@Conditional(IssuerUriCondition.class)
JwtDecoder jwtDecoderByIssuerUri() {
return JwtDecoders.fromIssuerLocation(this.properties.getIssuerUri());
SupplierJwtDecoder jwtDecoderByIssuerUri() {
return new SupplierJwtDecoder(() -> JwtDecoders.fromIssuerLocation(this.properties.getIssuerUri()));
}

}
Expand Down
30 changes: 23 additions & 7 deletions ...security/oauth2/resource/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Stream;

import com.fasterxml.jackson.core.JsonProcessingException;
Expand All @@ -31,6 +32,7 @@
import okhttp3.mockwebserver.MockWebServer;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono;

import org.springframework.boot.autoconfigure.AutoConfigurations;
import org.springframework.boot.test.context.FilteredClassLoader;
Expand All @@ -49,9 +51,11 @@
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenReactiveAuthenticationManager;
Expand Down Expand Up @@ -129,6 +133,7 @@ void autoConfigurationUsingPublicKeyValueShouldConfigureResourceServerUsingJwsAl
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws IOException {
this.server = new MockWebServer();
this.server.start();
Expand All @@ -138,15 +143,19 @@ void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws I
setupMockResponse(cleanIssuerPath);
this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort() + "/" + path).run((context) -> {
assertThat(context).hasSingleBean(NimbusReactiveJwtDecoder.class);
assertThat(context).hasSingleBean(SupplierReactiveJwtDecoder.class);
assertFilterConfiguredWithJwtAuthenticationManager(context);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierReactiveJwtDecoder supplierReactiveJwtDecoder = context.getBean(SupplierReactiveJwtDecoder.class);
Mono<ReactiveJwtDecoder> reactiveJwtDecoderSupplier = (Mono<ReactiveJwtDecoder>) ReflectionTestUtils.getField(supplierReactiveJwtDecoder, "jwtDecoderMono");
ReactiveJwtDecoder reactiveJwtDecoder = reactiveJwtDecoderSupplier.block();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(2);
assertThat(this.server.getRequestCount()).isEqualTo(1);
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOidcRfc8414IssuerUri() throws Exception {
this.server = new MockWebServer();
this.server.start();
Expand All @@ -155,15 +164,19 @@ void autoConfigurationShouldConfigureResourceServerUsingOidcRfc8414IssuerUri() t
setupMockResponsesWithErrors(cleanIssuerPath, 1);
this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort()).run((context) -> {
assertThat(context).hasSingleBean(NimbusReactiveJwtDecoder.class);
assertThat(context).hasSingleBean(SupplierReactiveJwtDecoder.class);
assertFilterConfiguredWithJwtAuthenticationManager(context);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierReactiveJwtDecoder supplierReactiveJwtDecoder = context.getBean(SupplierReactiveJwtDecoder.class);
Mono<ReactiveJwtDecoder> reactiveJwtDecoderSupplier = (Mono<ReactiveJwtDecoder>) ReflectionTestUtils.getField(supplierReactiveJwtDecoder, "jwtDecoderMono");
ReactiveJwtDecoder reactiveJwtDecoder = reactiveJwtDecoderSupplier.block();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(3);
assertThat(this.server.getRequestCount()).isEqualTo(2);
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOAuthIssuerUri() throws Exception {
this.server = new MockWebServer();
this.server.start();
Expand All @@ -172,12 +185,15 @@ void autoConfigurationShouldConfigureResourceServerUsingOAuthIssuerUri() throws
setupMockResponsesWithErrors(cleanIssuerPath, 2);
this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort()).run((context) -> {
assertThat(context).hasSingleBean(NimbusReactiveJwtDecoder.class);
assertThat(context).hasSingleBean(SupplierReactiveJwtDecoder.class);
assertFilterConfiguredWithJwtAuthenticationManager(context);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierReactiveJwtDecoder supplierReactiveJwtDecoder = context.getBean(SupplierReactiveJwtDecoder.class);
Mono<ReactiveJwtDecoder> reactiveJwtDecoderSupplier = (Mono<ReactiveJwtDecoder>) ReflectionTestUtils.getField(supplierReactiveJwtDecoder, "jwtDecoderMono");
ReactiveJwtDecoder reactiveJwtDecoder = reactiveJwtDecoderSupplier.block();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(4);
assertThat(this.server.getRequestCount()).isEqualTo(3);
}

@Test
Expand Down Expand Up @@ -228,7 +244,7 @@ void autoConfigurationWhenKeyLocationAndIssuerUriPresentShouldUseIssuerUri() thr
+ this.server.getPort(),
"spring.security.oauth2.resourceserver.jwt.public-key-location=classpath:public-key-location")
.run((context) -> {
assertThat(context).hasSingleBean(NimbusReactiveJwtDecoder.class);
assertThat(context).hasSingleBean(SupplierReactiveJwtDecoder.class);
assertFilterConfiguredWithJwtAuthenticationManager(context);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
});
Expand Down
24 changes: 21 additions & 3 deletions ...onfigure/security/oauth2/resource/servlet/OAuth2ResourceServerAutoConfigurationTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;

import javax.servlet.Filter;

Expand Down Expand Up @@ -49,6 +50,7 @@
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.SupplierJwtDecoder;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
Expand Down Expand Up @@ -127,6 +129,7 @@ void autoConfigurationShouldConfigureResourceServerWithJwsAlgorithm() {
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws Exception {
this.server = new MockWebServer();
this.server.start();
Expand All @@ -136,14 +139,19 @@ void autoConfigurationShouldConfigureResourceServerUsingOidcIssuerUri() throws E
setupMockResponse(cleanIssuerPath);
this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort() + "/" + path).run((context) -> {
assertThat(context).hasSingleBean(JwtDecoder.class);
assertThat(context).hasSingleBean(SupplierJwtDecoder.class);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierJwtDecoder supplierJwtDecoderBean = context.getBean(SupplierJwtDecoder.class);
Supplier<JwtDecoder> jwtDecoderSupplier = (Supplier<JwtDecoder>) ReflectionTestUtils
.getField(supplierJwtDecoderBean, "jwtDecoderSupplier");
JwtDecoder jwtDecoder = jwtDecoderSupplier.get();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(2);
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOidcRfc8414IssuerUri() throws Exception {
this.server = new MockWebServer();
this.server.start();
Expand All @@ -153,25 +161,35 @@ void autoConfigurationShouldConfigureResourceServerUsingOidcRfc8414IssuerUri() t
setupMockResponsesWithErrors(cleanIssuerPath, 1);
this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort() + "/" + path).run((context) -> {
assertThat(context).hasSingleBean(JwtDecoder.class);
assertThat(context).hasSingleBean(SupplierJwtDecoder.class);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierJwtDecoder supplierJwtDecoderBean = context.getBean(SupplierJwtDecoder.class);
Supplier<JwtDecoder> jwtDecoderSupplier = (Supplier<JwtDecoder>) ReflectionTestUtils
.getField(supplierJwtDecoderBean, "jwtDecoderSupplier");
JwtDecoder jwtDecoder = jwtDecoderSupplier.get();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(3);
}

@Test
@SuppressWarnings("unchecked")
void autoConfigurationShouldConfigureResourceServerUsingOAuthIssuerUri() throws Exception {
this.server = new MockWebServer();
this.server.start();
String path = "test";
String issuer = this.server.url(path).toString();
String cleanIssuerPath = cleanIssuerPath(issuer);
setupMockResponsesWithErrors(cleanIssuerPath, 2);

this.contextRunner.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=http://"
+ this.server.getHostName() + ":" + this.server.getPort() + "/" + path).run((context) -> {
assertThat(context).hasSingleBean(JwtDecoder.class);
assertThat(context).hasSingleBean(SupplierJwtDecoder.class);
assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
SupplierJwtDecoder supplierJwtDecoderBean = context.getBean(SupplierJwtDecoder.class);
Supplier<JwtDecoder> jwtDecoderSupplier = (Supplier<JwtDecoder>) ReflectionTestUtils
.getField(supplierJwtDecoderBean, "jwtDecoderSupplier");
JwtDecoder jwtDecoder = jwtDecoderSupplier.get();
});
// The last request is to the JWK Set endpoint to look up the algorithm
assertThat(this.server.getRequestCount()).isEqualTo(4);
Expand Down
2 changes: 1 addition & 1 deletion spring-boot-project/spring-boot-dependencies/build.gradle
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1693,7 +1693,7 @@ bom {
]
}
}
library("Spring Security", "5.6.0-M3") {
library("Spring Security", "5.6.0-SNAPSHOT") {
group("org.springframework.security") {
imports = [
"spring-security-bom"
Expand Down