Support symmetric key for JwtDecoder

[jgrandja]

Resolves #5465

[rwinch]

Thanks for the PR @jgrandja I have provided feedback inline.

[jgrandja]

Thanks for the feedback @rwinch @jzheaux. I've resolved all comments and pushed updates.

[jzheaux]

Is there any reason to have this be generated? It would be nice if it were a static value, e.g.

Suggested change

	KeyGenerator keyGenerator = KeyGenerator.getInstance("AES");
	return new SecretKeySpec(Base64.getDecoder().decode("Ky8xmu1fg/OqVlUr9PRKhutauHvuj0rLHExRk+5XkSU="), "AES")

[jgrandja]

There is no particular reason. I feel secretKey() can be useful as some tests may require their own secret. Is there a benefit to having a static value other than the one-time optimization at class load?

[jzheaux]

Having a "pre-generated" one is faster. To be clear, I think secretKey(), should stay, it should just use load a pre-generated key instead of a live-generated key.

Also, taking a look at a few other tests, it is fairly common to use a pre-generated value, for example, NimbusReactiveJwtDecoderTests#decodeWhenRSAPublicKeyThenSuccess, and the resource server tests.

[jgrandja]

Having a "pre-generated" one is faster

True, but the generated key is done once at class load so I don't think this will make the tests run slower.

[rwinch]

I'd prefer to have this be a static value too. This is not only faster, but it ensures the tests are consistent and predictable.

[jzheaux]

Looking through the tests, I don't see this method being used. Let's remove it, adding it back in when there is a clear need for a test to have a dynamically-generated secret key.

[jgrandja]

@rwinch I've implemented dedicated types for the JWS algorithms.

package org.springframework.security.oauth2.jose.jws;

public enum MacAlgorithm implements JwaAlgorithm {
   ...

public enum SignatureAlgorithm implements JwaAlgorithm {
   ...

I've also considered this design for when we implement support for JWE.
I'm thinking we would introduce the following:

package org.springframework.security.oauth2.jose.jwe;

public enum SecreKeyEncryptionAlgorithm implements JwaAlgorithm {
   ...

public enum PublicKeyEncryptionAlgorithm implements JwaAlgorithm {
   ...

[rwinch]

Thanks for the updates @jgrandja! I've provided feedback inline

[rwinch]

Does it make sense to rename this method and argument now that it is of type MacAlgorithm?

[rwinch]

I'd prefer to have this be a static value too. This is not only faster, but it ensures the tests are consistent and predictable.

[rwinch]

Should we rename jwsAlgorithm to macAlgorithm?

[jgrandja]

@rwinch @jzheaux I've addressed all the feedback so please go ahead with the review.

If we can get this into M2, that would be ideal.

[jgrandja]

@rwinch @jzheaux There were quite a few changes to NimbusJwtDecoder and NimbusReactiveJwtDecoder since I initially submitted this PR, e.g. JwtProcessors was removed in 9478abe which my PR was using.

This resulted in quite a few conflicts and was very difficult to merge. So I had no choice but to start from master and apply my updates manually and force push.

I know timing is tight to get this into M2 but it would be ideal as this one has been around for quite some time.

[jzheaux]

@jgrandja, this looks great - I've left just one comment inline.

[jzheaux]

Looking through the tests, I don't see this method being used. Let's remove it, adding it back in when there is a clear need for a test to have a dynamically-generated secret key.

[jgrandja]

Merged via bed3371