
Support for setting different 'jwk-set-uri's for each JWT in OAuth 2.0 Resource Server Multi-tenancy #14680


Closed
ntenherkel opened this issue Mar 4, 2024 · 1 comment
Assignees
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: duplicate A duplicate of another issue type: enhancement A general enhancement

Comments

@ntenherkel

ntenherkel commented Mar 4, 2024

Expected Behavior
Support for configuring multiple jwk-set-uri's in the Spring configuration file like so:

```yaml
spring:
  security:
    oauth2:
      resourceservers:
        server1:
          jwt:
            jwk-set-uri: server-A.com/jwks.json
        server2:
          jwt:
            jwk-set-uri: server-B.com/jwks.json
        server3:
          jwt:
            jwk-set-uri: server-C.com/jwks.json
```

Currently there is a workaround posted by jzheaux here. It looks like this:

```java
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

@Bean
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
    // one AuthenticationManager per trusted issuer, looked up by the token's "iss" claim
    Map<String, AuthenticationManager> managers = Map.of(
        "https://s1.host.name", manager("https://original.jwks.server:8080/.well-known/jwks.json"),
        "https://s2.host.name", manager("https://new.jwks.server:8080/.well-known/jwks.json"));
    // the cast selects the AuthenticationManagerResolver constructor, the one that is deprecated
    return new JwtIssuerAuthenticationManagerResolver((AuthenticationManagerResolver<String>) managers::get);
}

AuthenticationManager manager(String jwkSetUri) {
    JwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
    return new JwtAuthenticationProvider(decoder)::authenticate;
}
```

However, this solution will soon stop working because it is deprecated and is likely to be removed in 3.3.x.

I noticed more people are seeking this functionality. In a complex enterprise microarchitecture environment, it is likely to receive traffic from multiple sources. These microservices often expose /jwks endpoints that the receiving party should fetch. This means Spring Security should be able to fetch multiple jwks uri's.

Can we have this enhancement implemented or can we get a workaround that will work with Spring Boot 3.3.x?
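As an added example (not code from the issue, its reporter, or the Spring Security project), the same map-of-issuers workaround written against the non-deprecated Converter-based constructor of JwtIssuerAuthenticationManagerResolver, with an issuer validator attached to each decoder; the issuer and JWK Set URLs are placeholders.

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

@Configuration
public class MultiTenantJwtConfig {

    // issuer ("iss" claim value) -> JWK Set URI publishing that issuer's signing keys.
    // Placeholder values; replace with the real tenants.
    private static final Map<String, String> JWK_SET_URIS = Map.of(
        "https://s1.host.name", "https://original.jwks.server:8080/.well-known/jwks.json",
        "https://s2.host.name", "https://new.jwks.server:8080/.well-known/jwks.json");

    @Bean
    JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
        // Build one AuthenticationManager per trusted issuer once, at startup.
        Map<String, AuthenticationManager> managers = new HashMap<>();
        JWK_SET_URIS.forEach((issuer, jwkSetUri) -> managers.put(issuer, manager(issuer, jwkSetUri)));
        // Converter<String, AuthenticationManager> is the non-deprecated target type; the
        // typed local makes the constructor choice explicit. Unknown issuers map to null,
        // which the resolver rejects, so the request fails with an invalid-token error.
        Converter<String, AuthenticationManager> byIssuer = managers::get;
        return new JwtIssuerAuthenticationManagerResolver(byIssuer);
    }

    private static AuthenticationManager manager(String issuer, String jwkSetUri) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // The default validator does not check the issuer; add that check so a token verified
        // under this tenant's keys must also carry this tenant's "iss", which keeps each decoder
        // safe to reuse outside the resolver's iss-based lookup.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
        return new JwtAuthenticationProvider(decoder)::authenticate;
    }
}
```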

@ntenherkel ntenherkel added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Mar 4, 2024
@jzheaux
Contributor

jzheaux commented Mar 4, 2024

Thanks for the update. Let's please keep the discussion about Boot properties on spring-projects/spring-boot#30108 so that all the comments are collected in the same place.

@jzheaux jzheaux closed this as completed Mar 4, 2024
@jzheaux jzheaux self-assigned this Mar 4, 2024
@jzheaux jzheaux added status: duplicate A duplicate of another issue in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 4, 2024