feat(security-resource-server): validate external-IdP tokens via remote JWKS

src/main/java/org/fireflyframework/security/rs/ResourceServerAutoConfiguration.java

@@ -122,15 +122,34 @@ public Converter<Jwt, Mono<AbstractAuthenticationToken>> fireflyJwtAuthenticatio
     @Bean
     @ConditionalOnMissingBean
     public ReactiveJwtDecoder fireflyReactiveJwtDecoder(KeyManagementPort keyManagementPort, ResourceServerProperties properties) {
+        NimbusReactiveJwtDecoder decoder = buildDecoder(keyManagementPort, properties);
+        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(buildValidators(properties)));
+        return decoder;
+    }
+
+    /**
+     * Builds the decoder for an external IdP's remote JWKS when {@code jwk-set-uri} is configured
+     * (with the asymmetric algorithm allowlist), otherwise from the in-memory signing key of
+     * {@link KeyManagementPort} — the original, default behaviour, left unchanged.
+     */
+    static NimbusReactiveJwtDecoder buildDecoder(KeyManagementPort keyManagementPort, ResourceServerProperties properties) {
+        if (properties.getJwkSetUri() != null && !properties.getJwkSetUri().isBlank()) {
+            return NimbusReactiveJwtDecoder.withJwkSetUri(properties.getJwkSetUri())
+                    .jwsAlgorithms(algorithms -> properties.getSignatureAlgorithms()
+                            .forEach(name -> algorithms.add(SignatureAlgorithm.from(name))))
+                    .build();
+        }
         SigningKey active = keyManagementPort.activeSigningKey().block();
         if (active == null || !(active.publicKey() instanceof RSAPublicKey rsaPublicKey)) {
             throw new IllegalStateException("No RSA signing key available to build the JWT decoder");
         }
-        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder
+        return NimbusReactiveJwtDecoder
                 .withPublicKey(rsaPublicKey)
                 .signatureAlgorithm(SignatureAlgorithm.RS256)
                 .build();
+    }
 
+    private static List<OAuth2TokenValidator<Jwt>> buildValidators(ResourceServerProperties properties) {
         List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
         validators.add(new JwtTimestampValidator());
         if (properties.getIssuer() != null && !properties.getIssuer().isBlank()) {
@@ -139,8 +158,7 @@ public ReactiveJwtDecoder fireflyReactiveJwtDecoder(KeyManagementPort keyManagem
         if (!properties.getAudiences().isEmpty()) {
             validators.add(audienceValidator(properties.getAudiences()));
         }
-        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
-        return decoder;
+        return validators;
     }
 
     @Bean

src/main/java/org/fireflyframework/security/rs/ResourceServerProperties.java

@@ -48,4 +48,19 @@ public class ResourceServerProperties {
 
     /** Claim paths inspected for OAuth2 scopes. */
     private List<String> scopeClaimPaths = new ArrayList<>();
+
+    /**
+     * Remote JWKS endpoint of an external IdP (e.g. Keycloak), e.g.
+     * {@code https://auth.example/realms/r/protocol/openid-connect/certs}. When set, the default
+     * decoder validates tokens against this JWKS — so a resource server fronting an external IdP needs
+     * no decoder override. When blank, the in-memory signing key ({@code KeyManagementPort}) is used,
+     * exactly as before (backward compatible).
+     */
+    private String jwkSetUri;
+
+    /**
+     * JWS signature algorithm allowlist applied to the external-JWKS decoder (RFC 8725): rejects
+     * {@code none} and symmetric algorithms. Asymmetric only; defaults to RS256/PS256/ES256.
+     */
+    private List<String> signatureAlgorithms = new ArrayList<>(List.of("RS256", "PS256", "ES256"));
 }

src/test/java/org/fireflyframework/security/rs/ResourceServerDecoderSelectionTest.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2024-2026 Firefly Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.fireflyframework.security.rs;
+
+import org.fireflyframework.security.spi.KeyManagementPort;
+import org.junit.jupiter.api.Test;
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.verifyNoInteractions;
+
+/**
+ * Verifies decoder path selection. The in-memory (KeyManagementPort) path — the unchanged default — is
+ * covered end-to-end by {@link ResourceServerIntegrationTest}; this asserts that configuring
+ * {@code jwk-set-uri} switches to the external-JWKS decoder without touching the in-memory key.
+ */
+class ResourceServerDecoderSelectionTest {
+
+    @Test
+    void usesRemoteJwksAndSkipsKeyManagementPortWhenJwkSetUriConfigured() {
+        KeyManagementPort keyManagementPort = mock(KeyManagementPort.class);
+        ResourceServerProperties properties = new ResourceServerProperties();
+        properties.setJwkSetUri("https://idp.test/realms/r/protocol/openid-connect/certs");
+
+        NimbusReactiveJwtDecoder decoder = ResourceServerAutoConfiguration.buildDecoder(keyManagementPort, properties);
+
+        assertThat(decoder).isNotNull();
+        // The external-JWKS path must never consult the in-memory signing key.
+        verifyNoInteractions(keyManagementPort);
+    }
+}