Use JWK set URI for imperative OAuth2 decoder #32692
Open
ruggeropaolobasile wants to merge 1 commit into jhipster:main from
What does this PR do?
This changes the imperative OAuth2 security template to build the `NimbusJwtDecoder` directly from the generated OIDC client registration JWK Set URI instead of calling `JwtDecoders.fromOidcIssuerLocation(issuerUri)`. That avoids the Spring Security discovery/JWK retrieval path that can fail with socket timeouts on slow connections, while still preserving the existing issuer and audience validation.

It also wires the decoder through `RestTemplateBuilder`, so timeout customization can hook into the standard Spring client path used by the generated application.

Why is this needed?
In the generated imperative OAuth2 setup, startup currently depends on the OIDC discovery flow completing quickly enough. On slow connections this can fail with `RemoteKeySourceException`/`SocketTimeoutException`, which is the problem described in #17550. The reactive non-microservice branch already works from an explicit `jwkSetUri`; this aligns the imperative branch with that approach.

Test plan
Verified locally:
- `npm run lint`
- `npm run check-types`

I also attempted to run the focused Spring Boot generator tests locally, but the JHipster test harness in this environment is affected by local generator lookup assumptions unrelated to this patch, so I could not get a reliable targeted snapshot run from the repo tooling.
Related issue
Fixes #17550
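The following is an added, stand-alone illustration of the decoder wiring the PR describes; it is not the PR's diff and not JHipster's generated template. It assumes a Spring Boot application whose OIDC client registration is registered under the id `oidc` (the id JHipster uses, assumed here), a hypothetical package name, and the `AudienceValidator` is a minimal inline version written for this example rather than the one JHipster generates. The timeout values are constructed sample values.

```java
package com.example.security; // hypothetical package, not the generated app's

import java.time.Duration;
import java.util.List;

import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class JwkSetUriDecoderConfig {

    // Expected audiences are sample values for this example; a real app reads them from configuration.
    private static final List<String> EXPECTED_AUDIENCES = List.of("account", "api://default");

    @Bean
    JwtDecoder jwtDecoder(ClientRegistrationRepository registrations, RestTemplateBuilder restTemplateBuilder) {
        // The registration id "oidc" is an assumption of this example.
        ClientRegistration oidc = registrations.findByRegistrationId("oidc");
        ClientRegistration.ProviderDetails provider = oidc.getProviderDetails();
        String jwkSetUri = provider.getJwkSetUri();
        String issuerUri = provider.getIssuerUri();

        // Bounded timeouts for the JWK fetch. On Spring Boot 3.4+ the non-deprecated
        // equivalents are connectTimeout(...) / readTimeout(...).
        RestTemplate restTemplate = restTemplateBuilder
            .setConnectTimeout(Duration.ofSeconds(5))
            .setReadTimeout(Duration.ofSeconds(10))
            .build();

        // Build the decoder from the JWK Set URI; unlike JwtDecoders.fromOidcIssuerLocation,
        // this does not perform OIDC discovery when the bean is created.
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .restOperations(restTemplate)
            .build();

        // withJwkSetUri alone only verifies the signature; issuer and audience checks
        // must be attached explicitly to keep the validation the issuer-location path provided.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        OAuth2TokenValidator<Jwt> withAudience = new AudienceValidator(EXPECTED_AUDIENCES);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }

    // Minimal audience validator written for this example (JHipster generates its own).
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final List<String> allowed;

        AudienceValidator(List<String> allowed) {
            this.allowed = allowed;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.stream().anyMatch(allowed::contains)) {
                return OAuth2TokenValidatorResult.success();
            }
            OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}
```

Two points worth keeping in mind when adopting this shape. First, the `NimbusJwtDecoder` built from a JWK Set URI fetches keys lazily, so a slow or unreachable key endpoint surfaces on the first token validation rather than at startup; the timeouts on the `RestTemplate` are what bound that call. Second, `JwtValidators.createDefaultWithIssuer` supplies the timestamp and issuer checks, and the audience validator is separate; dropping either silently widens which tokens the resource server accepts, which is why the PR's description of "preserving the existing issuer and audience validation" is the security-relevant part of the change.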