Package org.springframework.security.oauth2.server.resource.authentication

Class JwtIssuerAuthenticationManagerResolver

java.lang.Object

org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver

All Implemented Interfaces:

AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>

public final class JwtIssuerAuthenticationManagerResolver
extends Object
implements AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>

An implementation of AuthenticationManagerResolver that resolves a JWT-based AuthenticationManager based on the Issuer in a signed JWT (JWS). To use, this class must be able to determine whether the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a set of trusted issuers in the constructor. This class derives the Issuer from the `iss` claim found in the HttpServletRequest's Bearer Token.

Since:

5.3

Constructor Summary

Constructors

Constructor	Description
JwtIssuerAuthenticationManagerResolver(String... trustedIssuers)	Deprecated, for removal: This API element is subject to removal in a future version. use fromTrustedIssuers(String...)
JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers)	Deprecated, for removal: This API element is subject to removal in a future version. use fromTrustedIssuers(Collection)
JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted.

Method Summary

Modifier and Type	Method	Description
static JwtIssuerAuthenticationManagerResolver	fromTrustedIssuers(String... trustedIssuers)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
static JwtIssuerAuthenticationManagerResolver	fromTrustedIssuers(Collection<String> trustedIssuers)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
static JwtIssuerAuthenticationManagerResolver	fromTrustedIssuers(Predicate<String> trustedIssuers)	Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters
AuthenticationManager	resolve(jakarta.servlet.http.HttpServletRequest request)	Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

JwtIssuerAuthenticationManagerResolver

@Deprecated(since="6.2",
            forRemoval=true)
public JwtIssuerAuthenticationManagerResolver(String... trustedIssuers)

Deprecated, for removal: This API element is subject to removal in a future version.

use fromTrustedIssuers(String...)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - an array of trusted issuers

JwtIssuerAuthenticationManagerResolver

@Deprecated(since="6.2",
            forRemoval=true)
public JwtIssuerAuthenticationManagerResolver(Collection<String> trustedIssuers)

Deprecated, for removal: This API element is subject to removal in a future version.

use fromTrustedIssuers(Collection)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - a collection of trusted issuers

JwtIssuerAuthenticationManagerResolver

public JwtIssuerAuthenticationManagerResolver(AuthenticationManagerResolver<String> issuerAuthenticationManagerResolver)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters Note that the AuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowed set of issuers. One way to achieve this is with a Map where the keys are the known issuers:

     Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
     authenticationManagers.put("https://issuerOne.example.org", managerOne);
     authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
     JwtAuthenticationManagerResolver resolver = new JwtAuthenticationManagerResolver
        (authenticationManagers::get);
 

The keys in the Map are the allowed issuers.

Parameters:

issuerAuthenticationManagerResolver - a strategy for resolving the AuthenticationManager by the issuer

Method Details

fromTrustedIssuers

public static JwtIssuerAuthenticationManagerResolver fromTrustedIssuers(String... trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - an array of trusted issuers

Since:

6.2

fromTrustedIssuers

public static JwtIssuerAuthenticationManagerResolver fromTrustedIssuers(Collection<String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - a collection of trusted issuers

Since:

6.2

fromTrustedIssuers

public static JwtIssuerAuthenticationManagerResolver fromTrustedIssuers(Predicate<String> trustedIssuers)

Construct a JwtIssuerAuthenticationManagerResolver using the provided parameters

Parameters:

trustedIssuers - a predicate to validate issuers

Since:

6.2

resolve

public AuthenticationManager resolve(jakarta.servlet.http.HttpServletRequest request)

Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token

Specified by:

resolve in interface AuthenticationManagerResolver<jakarta.servlet.http.HttpServletRequest>

Returns:

the AuthenticationManager to use

Throws:

OAuth2AuthenticationException - if the bearer token is malformed or an AuthenticationManager can't be derived from the issuer