Package org.springframework.security.oauth2.server.resource.authentication

Class JwtIssuerAuthenticationManagerResolver

java.lang.Object

org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver

All Implemented Interfaces:

AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

public final class JwtIssuerAuthenticationManagerResolver
extends Object
implements AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS). To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a list of trusted issuers in the constructor. This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

Since:

5.3

Constructor Summary

Constructors

Constructor	Description
JwtIssuerAuthenticationManagerResolver(String... trustedIssuers)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted.

Method Summary

Modifier and Type	Method	Description
AuthenticationManager	resolve(javax.servlet.http.HttpServletRequest request)	Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

JwtIssuerAuthenticationManagerResolver

public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - a list of trusted issuers

JwtIssuerAuthenticationManagerResolver

public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - a list of trusted issuers

JwtIssuerAuthenticationManagerResolver

public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowlist. One way to achieve this is with a Map where the keys are the known issuers:

     Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
     authenticationManagers.put("https://issuerOne.example.org", managerOne);
     authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
     JwtAuthenticationManagerResolver resolver = new JwtAuthenticationManagerResolver
        (authenticationManagers::get);
 

The keys in the Map are the allowed issuers.

Parameters:

issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

Method Details

resolve

public AuthenticationManager resolve(javax.servlet.http.HttpServletRequest request)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by:

resolve in interface AuthenticationManagerResolver<javax.servlet.http.HttpServletRequest>

Returns:

the AuthenticationManager to use

Throws:

OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer