Class JwtIssuerAuthenticationManagerResolver
java.lang.Object
org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver
- All Implemented Interfaces:
AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
public final class JwtIssuerAuthenticationManagerResolver
extends Object
implements AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS).
To use, this class must be able to determine whether or not the `iss` claim is trusted.
Recall that anyone can stand up an authorization server and issue valid tokens to a
resource server. The simplest way to achieve this is to supply a list of trusted
issuers in the constructor.
This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.
- Since:
- 5.3
Constructor Summary

| Constructor | Description |
| --- | --- |
| JwtIssuerAuthenticationManagerResolver(String... trustedIssuers) | Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |
| JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers) | Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters |
| JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver) | Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters. Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. |

Method Summary

| Modifier and Type | Method | Description |
| --- | --- | --- |
| AuthenticationManager | resolve(jakarta.servlet.http.HttpServletRequest request) | Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token |

Constructor Details
JwtIssuerAuthenticationManagerResolver
Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
- Parameters:
- trustedIssuers - a list of trusted issuers
JwtIssuerAuthenticationManagerResolver
Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
- Parameters:
- trustedIssuers - a list of trusted issuers
JwtIssuerAuthenticationManagerResolver
public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)
Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist.
One way to achieve this is with a Map where the keys are the known issuers:

```java
// managerOne and managerTwo are the AuthenticationManager instances for each issuer
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
authenticationManagers.put("https://issuerOne.example.org", managerOne);
authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
// Map::get returns null for any issuer that is not a key in the Map
JwtIssuerAuthenticationManagerResolver resolver = new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
```

The keys in the Map are the allowed issuers.
- Parameters:
- issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer
Method Details
resolve
Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token
- Specified by:
- resolve in interface AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>
- Returns:
- the AuthenticationManager to use
- Throws:
- OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer