Expose ID Token JwtDecoderFactory

[jgrandja]

DefaultJwtDecoderFactory in OidcAuthorizationCodeAuthenticationProvider and OidcAuthorizationCodeReactiveAuthenticationManager is responsible for providing the JwtDecoder used for ID Token verification. Both are declared as private static.

The user may need to customize the JwtDecoder in certain scenarios, for example, configuring a clock skew (#5839). Given this, we should extract both DefaultJwtDecoderFactory to allow for reuse and customization/configuration.

[raphaelDL]

Hi Joe, is this already taken?

[jgrandja]

I was planning on it but would be happy to hand it over to you :)

[jgrandja]

The 2 things to keep in mind for this task:

• The name DefaultJwtDecoderFactory will need to be renamed to be more specific. Maybe OidcIdTokenDecoderFactory?
• The user should be able to configure OidcIdTokenValidator.setClockSkew() per provider if required. This means that each OidcIdTokenValidator may have a different clock skew setting. When you think about it, if the application has Google and Okta configured for OIDC than they may need to configure different clock skew setting. This will be the tricky part.

[jgrandja]

@raphaelDL Just a heads up that I'm hoping to get this merged before end of day Monday as 5.2.0.M1 is being released on Tue. Do you think you'll be able to have something for review by end of day today or tomorrow morning? No pressure at all if you don't have the cycles. Either way let me know and if you don't have the time than I can wrap this up fairly quickly.

[raphaelDL]

Sure, I'm working on it, can you give me ideas on the multiple clock skew settings in OidcIdTokenValidator ? I can do it if you outline that for me... or I can leave it to you, whatever you feel like. I completely understand the schedule.

[jgrandja]

As far as being able to support a different clock skew setting per provider, I think this will do the trick.

public final class OidcIdTokenDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
   // This provides the default
   private Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidatorFactory = OidcIdTokenValidator::new;

   // The user can supply their own factory that will allow them to adjust the clock skew or whatever else they choose to customize
   public final void setJwtValidatorFactory(Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidatorFactory) {
      ...
   }
}

Let's go with this for now and we can refine from here.
Thanks!

[jgrandja]

Btw, the current implementations compose 2 OAuth2TokenValidator as follows:

OAuth2TokenValidator<Jwt> jwtValidator = new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration));

JwtTimestampValidator is redundant so we don't need it. The new implementations should only contain OidcIdTokenValidator as the default, as per example above.

[raphaelDL]

Ok Joe, thank you for your help.. I committed additional changes. I'm working on a test for the customization

[raphaelDL]

hey Joe, I was looking at the code of setJwtValidatorFactory I wrote it as a pure setter, but thinking on the scenario when the user wants to customize the validator when the decoder is already built, shouldn't it be something like this???

public final void setJwtValidatorFactory(Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtCustomValidatorFactory, ClientRegistration clientRegistration) {
		jwtDecoders.computeIfPresent(clientRegistration.getRegistrationId(), ( key , decoder ) ->
		{
			OAuth2TokenValidator<Jwt> jwtCustomValidator = jwtCustomValidatorFactory.apply(clientRegistration);
			NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(
					clientRegistration.getProviderDetails().getJwkSetUri());
			jwtDecoder.setJwtValidator(jwtCustomValidator);
		return jwtDecoder;
		});
	}

maybe I am missing something? what do you think?

[jgrandja]

the scenario when the user wants to customize the validator when the decoder is already built

I'm not sure I follow? When the JwtDecoder is built for a specific ClientRegistration than the jwtValidatorFactory will get called to associate the validator. This only happens once. If the user called setJwtValidatorFactory() with a different validator factory than it will never get called again for the previously built ClientRegistration because when createDecoder is called the second time than it's found in the Map and returned. Makes sense?

[raphaelDL]

Yes I understand, I was thinking what happens when yo do this:

you call setJwtValidatorFactory(custom), The custom validator is no longer the default
then call createDecoder(client_reg_1). created with a custom validator
then call createDecoder(client_reg_2). It uses the previous validator meant for the client_reg_1 ? shouldn't it be the default?
am I lost? :s

[jgrandja]

This is what I'm envisioning the user would provide:

public Function<ClientRegistration, OAuth2TokenValidator<Jwt>> customJwtValidatorFactory() {
	return clientRegistration -> {
		OidcIdTokenValidator idTokenValidator = new OidcIdTokenValidator(clientRegistration);
		if (clientRegistration.getRegistrationId().equals("google")) {
			idTokenValidator.setClockSkew(Duration.ofSeconds(30));
		} else if (clientRegistration.getRegistrationId().equals("okta")) {
			idTokenValidator.setClockSkew(Duration.ofSeconds(60));
		} else {
			// Default clock skew
		}
		return idTokenValidator;
	};
}

With this custom jwtValidatorFactory, the user has set a different clock skew for google and okta and all other created validators keep the default.

Makes sense?

[raphaelDL]

it totally makes sense, thanks.... then I should add the tests and open the PR, thanks