feat(security-resource-server): validate external-IdP tokens via remote JWKS#1
Merged
Conversation
Add an external-IdP mode to the resource server so apps fronting Keycloak/Cognito/etc. no longer hand-override the ReactiveJwtDecoder:

- ResourceServerProperties: jwk-set-uri (remote JWKS endpoint) + signature-algorithms (RFC 8725 allowlist, default RS256/PS256/ES256).
- fireflyReactiveJwtDecoder: when jwk-set-uri is set, build NimbusReactiveJwtDecoder.withJwkSetUri with the algorithm allowlist; otherwise keep the in-memory KeyManagementPort behaviour UNCHANGED.
- Validators (timestamp/issuer/audience) factored into buildValidators() and applied to both paths.
- @ConditionalOnMissingBean preserved (full override still possible).

Backward compatible: consumers without jwk-set-uri get the exact previous behaviour — the existing ResourceServerIntegrationTest (in-memory path) stays green; a new unit test asserts the JWKS path is selected without touching the in-memory key.

Dev version 26.06.03-SNAPSHOT so it coexists with the 26.06.02 release in .m2 without overwriting it; transitive framework security modules pinned to 26.06.02 (unchanged).
…03 framework release Drop the hand-rolled pre-release SNAPSHOT version pin and the dependencyManagement neutralization; the module returns to a clean 26.06.02 pom (the code changes stay). flywork fwversion bump will take the whole framework to 26.06.03 uniformly.
Adds jwkSetUri + signatureAlgorithms props; buildDecoder uses external-JWKS (RFC 8725 allowlist) when jwk-set-uri is set, else the unchanged in-memory path. Backward-compatible. Part of the token-handler BFF security extraction landing in 26.06.03.
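The decoder selection the PR describes (remote JWKS with an RFC 8725 algorithm allowlist when `jwk-set-uri` is set, otherwise the in-memory path, with the same validators applied to both) can be illustrated with plain Spring Security calls. The following is an added example, not code from this PR or from the project: the property record, the `firefly.security.resource-server` prefix, the `audience`/`issuer` fields and the `Supplier` used to stand in for the in-memory KeyManagementPort decoder are all assumptions. Only the `NimbusReactiveJwtDecoder`, `SignatureAlgorithm` and validator classes are real Spring Security API.

```java
// Added example (not the PR's own code). Hypothetical factory showing the
// two-path decoder build: remote JWKS when jwk-set-uri is configured, else the
// in-memory decoder supplied by the caller. Validators are shared by both paths.
import java.util.Collection;
import java.util.List;
import java.util.function.Supplier;

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

public final class ExampleJwtDecoderFactory {

    // Hypothetical properties record; the prefix and field names are assumptions.
    @ConfigurationProperties(prefix = "firefly.security.resource-server")
    public record Props(String jwkSetUri,
                        List<String> signatureAlgorithms,
                        String issuer,
                        String audience) {
        public Props {
            // Default allowlist from the PR description: asymmetric algorithms only.
            if (signatureAlgorithms == null || signatureAlgorithms.isEmpty()) {
                signatureAlgorithms = List.of("RS256", "PS256", "ES256");
            }
        }
    }

    private ExampleJwtDecoderFactory() {
    }

    // Equivalent of the PR's buildValidators(): timestamp + issuer + audience,
    // combined so every check runs on every token regardless of key source.
    static OAuth2TokenValidator<Jwt> buildValidators(Props props) {
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(props.audience()));
        return new DelegatingOAuth2TokenValidator<>(
                new JwtTimestampValidator(),
                new JwtIssuerValidator(props.issuer()),
                audience);
    }

    // Path selection: remote JWKS when jwk-set-uri is present, else the
    // caller-supplied in-memory decoder (stand-in for the KeyManagementPort path).
    static ReactiveJwtDecoder buildDecoder(Props props,
                                           Supplier<NimbusReactiveJwtDecoder> inMemoryDecoder) {
        NimbusReactiveJwtDecoder decoder;
        if (props.jwkSetUri() != null && !props.jwkSetUri().isBlank()) {
            decoder = NimbusReactiveJwtDecoder.withJwkSetUri(props.jwkSetUri())
                    // RFC 8725 section 3.1: only accept the configured algorithms,
                    // so an attacker-chosen "alg" header cannot downgrade verification.
                    .jwsAlgorithms(algs -> {
                        algs.clear();
                        for (String name : props.signatureAlgorithms()) {
                            SignatureAlgorithm alg = SignatureAlgorithm.from(name);
                            if (alg == null) {
                                throw new IllegalArgumentException(
                                        "Unsupported signature algorithm in allowlist: " + name);
                            }
                            algs.add(alg);
                        }
                    })
                    .build();
        } else {
            decoder = inMemoryDecoder.get();
        }
        decoder.setJwtValidator(buildValidators(props));
        return decoder;
    }
}
```

In a real configuration the `buildDecoder` call would sit behind a `@Bean @ConditionalOnMissingBean(ReactiveJwtDecoder.class)` method, as the PR keeps it, so a consumer can still replace the decoder wholesale. The allowlist check fails fast on unknown algorithm names at startup rather than silently accepting whatever string appears in configuration; `SignatureAlgorithm.from` returns `null` for names it does not know, which is what the guard relies on.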