
Add JwtIssuerAuthenticationManagerResolver #7733

Merged: 1 commit, Jan 8, 2020

Conversation

@jzheaux (Contributor) commented Dec 12, 2019

Fixes gh-7724

@jzheaux jzheaux self-assigned this Dec 12, 2019
@jzheaux jzheaux requested review from fhanik and rwinch December 12, 2019 19:01
@fhanik (Contributor) left a comment

Alright, some initial thoughts. I'm not marking it as Request Changes since we can elaborate on each.

@jzheaux jzheaux force-pushed the gh-7724 branch 3 times, most recently from a9137a3 to 3a12204 Compare December 13, 2019 19:57
@jzheaux (Contributor, Author) commented Dec 19, 2019

@dyroberts how well would this PR address some of the concerns you raised in #5385?

With it, you could do either:

JwtAuthenticationManagerResolver authenticationManagerResolver =
        new JwtAuthenticationManagerResolver("list", "of", "issuers");

http
    .oauth2ResourceServer()
        .authenticationManagerResolver(authenticationManagerResolver);

or

Map<String, AuthenticationManager> authenticationManagers = ...;
JwtAuthenticationManagerResolver authenticationManagerResolver =
        new JwtAuthenticationManagerResolver(authenticationManagers::get);

http
    .oauth2ResourceServer()
        .authenticationManagerResolver(authenticationManagerResolver);
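
As an added example (not code from this PR or from Spring Security itself), the second form above combined with a registry that can be changed at runtime, so tenants can be added or removed without a restart, which is the concern raised later in this thread. It assumes the Spring Security 5.3 API merged here; TenantRegistry, MultiTenantResourceServerConfig and the two issuer URLs are hypothetical names.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;

// Hypothetical tenant registry (not part of Spring Security): issuer URI -> AuthenticationManager.
// The resolver reads the token's unverified "iss" claim only to pick a manager from this allowlist;
// signature and claim validation then happen inside that manager's JwtDecoder. An "iss" that is
// not registered resolves to null, and the request is rejected as unauthenticated.
public class TenantRegistry {
    private final Map<String, AuthenticationManager> authenticationManagers = new ConcurrentHashMap<>();
    // JwtDecoders.fromIssuerLocation runs OIDC/OAuth2 discovery for the issuer and builds a decoder
    // that checks the signature against the discovered JWK set and validates the "iss" claim.
    public void addTrustedIssuer(String issuer) {
        JwtDecoder jwtDecoder = JwtDecoders.fromIssuerLocation(issuer);
        JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder);
        // AuthenticationManager is a functional interface, so the provider can stand in for one.
        this.authenticationManagers.put(issuer, provider::authenticate);
    }

    // Dropping a tenant takes effect on the very next request; no restart is needed.
    public void removeTrustedIssuer(String issuer) {
        this.authenticationManagers.remove(issuer);
    }

    // The map is consulted per request, so runtime additions and removals are picked up immediately.
    public JwtIssuerAuthenticationManagerResolver resolver() {
        return new JwtIssuerAuthenticationManagerResolver(this.authenticationManagers::get);
    }
}

// Hypothetical resource-server configuration wiring the registry in (Spring Security 5.3 API).
class MultiTenantResourceServerConfig extends WebSecurityConfigurerAdapter {
    private final TenantRegistry tenants = new TenantRegistry();
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Constructed sample issuers, e.g. two separate Okta authorization servers for two consumers.
        this.tenants.addTrustedIssuer("https://tenant-one.example.com/oauth2/default");
        this.tenants.addTrustedIssuer("https://tenant-two.example.com/oauth2/default");
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(this.tenants.resolver()));
    }
}
```

Because only registered issuers are ever looked up, a token whose "iss" points at an unknown server never triggers key discovery for that server; it is refused before any signature check runs.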

@dyroberts

@jzheaux Looks really good! The only thing I could see as a slight improvement would be some auto-config to create a JwtAuthenticationManagerResolver from application properties. But maybe that's not in line with the spring-security conventions of today? Anyway, this really does cover well the case that I was referring to.

@jzheaux (Contributor, Author) commented Dec 20, 2019

@dyroberts we are still looking into the idea of mapping this to config properties. While this does appear to be a common way to handle multi-tenancy in resource servers, it's not clear whether or not Resource Server Multi-Tenancy itself is so common as to want to add Spring Boot support.

That said, this class leaves open this possibility.

@jzheaux (Contributor, Author) commented Jan 6, 2020

@gburboz @xsreality @bertramn How well would this PR address the concerns you raised in #6778 and #5351?

@jzheaux jzheaux changed the title Add JwtAuthenticationManagerResolver Add JwtIssuerAuthenticationManagerResolver Jan 8, 2020
@jzheaux jzheaux merged commit de87675 into spring-projects:master Jan 8, 2020
@jzheaux jzheaux deleted the gh-7724 branch January 8, 2020 06:31
@xsreality

Hi Josh, the PR looks good. My primary concern was to be able to add/remove tenants at runtime without needing to restart the application. The updated doc makes it clear how to do that. Thanks!

@davidmelia

@jzheaux will you be adding a reactive version of this class? Thanks

@jzheaux (Contributor, Author) commented Jan 28, 2020

@davidmelia I think it makes sense to explore that, yes - I left a bit more detail in the ticket you raised.

@jzheaux jzheaux added this to the 5.3.0.RC1 milestone Feb 5, 2020
@jzheaux jzheaux added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement status: duplicate A duplicate of another issue labels Feb 6, 2020
@RavindraSengar commented Oct 13, 2020

Hi @jzheaux

I have a similar use case.
One Backend API endpoint/resource.
2 consumers of this BE API; both will have their corresponding OAUTH2/OKTA authorization servers, each with a different RSA key configured for creation of the JWT tokens.
In the BE API, we want to accept tokens from either auth server and authenticate.
Problem - the BE API/Resource is configured to use only 1 set of security.oauth2.resource.jwk.key-set-uri and security.jwt.issuer. Is there a way we can mention 2 sets of security.oauth2.resource.jwk.key-set-uri and security.jwt.issuer? Or how to authenticate tokens from 2 different OKTA/OAUTH authorization servers?

Project setup Details -

id "org.springframework.boot" version "2.3.1.RELEASE"
id "io.spring.dependency-management" version "1.0.8.RELEASE"
springSecurityVersion = "5.3.3.RELEASE"

I have gone through this support documentation but need some help to implement this.
Not sure this is the right place to ask this question, but asking it anyway.
Thanks.

@jzheaux (Contributor, Author) commented Oct 13, 2020

Thanks for reaching out, @RavindraSengar! In the future, please don't double-post as it creates noise. I've left some suggestions for you about multiple issuers over in the other ticket where you asked a similar question.
