Package org.springframework.security.oauth2.server.resource.authentication

Class JwtIssuerAuthenticationManagerResolver

java.lang.Object
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver
All Implemented Interfaces:
AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
public final class JwtIssuerAuthenticationManagerResolver extends Object implements AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS). To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a list of trusted issuers in the constructor. This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.
Since:
5.3

  • Constructor Details

    • JwtIssuerAuthenticationManagerResolver

      public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers)
      Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
      Parameters:
      trustedIssuers - a list of trusted issuers

    • JwtIssuerAuthenticationManagerResolver

      public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers)
      Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
      Parameters:
      trustedIssuers - a list of trusted issuers

    • JwtIssuerAuthenticationManagerResolver

      public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)
      Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist. One way to achieve this is with a Map where the keys are the known issuers: 
           Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
     authenticationManagers.put("https://issuerOne.example.org", managerOne);
     authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
     JwtAuthenticationManagerResolver resolver = new JwtAuthenticationManagerResolver
        (authenticationManagers::get);
      The keys in the Map are the allowed issuers.
      Parameters:
      issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

  • Method Details