Description
Expected Behavior
In cases where the issuing system experiences issues, a Resource Server should be able to serve at least the requests from valid token holders.
Current Behavior
If the application is configured to use a JWT Decoder with NimbusJwtDecoder.withJwkSetUri(String), the builder can be parameterized in specific ways, but the JWKSource is configured statically. Hence, developers cannot make use of Nimbus' ways to configure a more resilient JWKSource (see here: https://connect2id.com/products/nimbus-jose-jwt/examples/enhanced-jwk-retrieval ), which allows Outage Tolerance out of the box.
Context
There might be a possible workaround which could look like:
```java
import java.net.MalformedURLException;
import java.net.URL;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.boot.autoconfigure.security.oauth2.resource.JwkSetUriJwtDecoderBuilderCustomizer;
import org.springframework.context.annotation.Bean;

@Bean
JwkSetUriJwtDecoderBuilderCustomizer customizer() throws MalformedURLException {
    JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(
            JWSAlgorithm.ES256, // must match the algorithm the issuer signs with
            JWKSourceBuilder.<SecurityContext>create(new URL("some.url")).outageTolerant(true).build() // "some.url" is a placeholder for the absolute JWK Set URL
    );
    return builder -> {
        builder.jwtProcessorCustomizer(processor -> processor.setJWSKeySelector(keySelector)); // replaces the selector (and JWKSource) NimbusJwtDecoder installed
    };
}
```
But this would overwrite the SpringJWKSource (which is private), among other things.
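As an added example (not code from the issue or from Spring), here is what the workaround looks like with the full resilient retrieval chain Nimbus' JWKSourceBuilder offers (caching, rate limiting, refresh-ahead, outage tolerance), wired through the JwkSetUriJwtDecoderBuilderCustomizer mentioned above. It assumes the JWK Set URI is available from the `spring.security.oauth2.resourceserver.jwt.jwk-set-uri` property, and that the issuer signs with ES256; the TTLs are illustrative values, not defaults.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.time.Duration;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.security.oauth2.resource.JwkSetUriJwtDecoderBuilderCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
class ResilientJwkSourceConfig {

    @Bean
    JwkSetUriJwtDecoderBuilderCustomizer resilientJwkSource(
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri)
            throws MalformedURLException {

        // Assumed/illustrative TTLs; the point is the ordering of the layers, not the numbers.
        JWKSource<SecurityContext> jwkSource = JWKSourceBuilder.<SecurityContext>create(new URL(jwkSetUri))
                // Serve keys from memory for 15 min; a lookup waits at most 15 s for a refresh in progress
                .cache(Duration.ofMinutes(15).toMillis(), Duration.ofSeconds(15).toMillis())
                // Contact the issuer at most once per 30 s, even under a burst of tokens with unknown key IDs
                .rateLimited(Duration.ofSeconds(30).toMillis())
                // Refresh 1 min before the cached set expires, on a background thread
                .refreshAheadCache(Duration.ofMinutes(1).toMillis(), true)
                // If the issuer is unreachable, keep verifying with the last good JWK set for up to 24 h
                .outageTolerant(Duration.ofHours(24).toMillis())
                .build();

        // Algorithm is assumed to be ES256 (as in the workaround above); it must match the issuer's signing algorithm.
        return builder -> builder.jwtProcessorCustomizer(processor ->
                processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.ES256, jwkSource)));
    }
}
```

This carries the same drawback the issue describes: setting the key selector discards whatever JWKSource NimbusJwtDecoder had configured, so the retrieval behaviour now comes entirely from this bean.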
It would be nice to have a Customizer that could be honored here: