Polish JWT Signature Algorithm Discovery

- Moved support to JwtDecoders and ReactiveJwtDecoders since there is
already the expectation that those classes make an outbound connection
to complete configuration. Since there's no outbound connection when
configuring a NimbusJwtDecoder or NimbusReactiveJwtDecoder, it would be
more intrusive to change that.

Closes gh-7160

Author: jzheaux

config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -223,7 +223,6 @@ public void getWhenUsingDefaultsInLambdaWithValidBearerTokenThenAcceptsRequest()
 	public void getWhenUsingJwkSetUriThenAcceptsRequest() throws Exception {
 		this.spring.register(WebServerConfig.class, JwkSetUriConfig.class, BasicController.class).autowire();
 		mockWebServer(jwks("Default"));
-		mockWebServer(jwks("Default"));
 		String token = this.token("ValidNoScopes");
 		// @formatter:off
 		this.mvc.perform(get("/").with(bearerToken(token)))
@@ -236,7 +235,6 @@ public void getWhenUsingJwkSetUriThenAcceptsRequest() throws Exception {
 	public void getWhenUsingJwkSetUriInLambdaThenAcceptsRequest() throws Exception {
 		this.spring.register(WebServerConfig.class, JwkSetUriInLambdaConfig.class, BasicController.class).autowire();
 		mockWebServer(jwks("Default"));
-		mockWebServer(jwks("Default"));
 		String token = this.token("ValidNoScopes");
 		// @formatter:off
 		this.mvc.perform(get("/").with(bearerToken(token)))
@@ -1203,6 +1201,7 @@ public void getWhenMultipleIssuersThenUsesIssuerClaimToDifferentiate() throws Ex
 		// @formatter:on
 		mockWebServer(String.format(metadata, issuerThree, issuerThree));
 		mockWebServer(jwkSet);
+		mockWebServer(jwkSet);
 		// @formatter:off
 		this.mvc.perform(get("/authenticated").with(bearerToken(jwtThree)))
 				.andExpect(status().isUnauthorized())

config/src/test/java/org/springframework/security/config/http/OAuth2ResourceServerBeanDefinitionParserTests.java

@@ -148,7 +148,6 @@ public void getWhenValidBearerTokenThenAcceptsRequest() throws Exception {
 	public void getWhenUsingJwkSetUriThenAcceptsRequest() throws Exception {
 		this.spring.configLocations(xml("WebServer"), xml("JwkSetUri")).autowire();
 		mockWebServer(jwks("Default"));
-		mockWebServer(jwks("Default"));
 		String token = this.token("ValidNoScopes");
 		// @formatter:off
 		this.mvc.perform(get("/").header("Authorization", "Bearer " + token))

config/src/test/java/org/springframework/security/config/web/server/OAuth2ResourceServerSpecTests.java

@@ -261,7 +261,6 @@ public void getWhenUsingJwkSetUriThenConsultsAccordingly() {
 		this.spring.register(JwkSetUriConfig.class, RootController.class).autowire();
 		MockWebServer mockWebServer = this.spring.getContext().getBean(MockWebServer.class);
 		mockWebServer.enqueue(new MockResponse().setBody(this.jwkSet));
-		mockWebServer.enqueue(new MockResponse().setBody(this.jwkSet));
 		// @formatter:off
 		this.client.get()
 				.headers((headers) -> headers
@@ -277,7 +276,6 @@ public void getWhenUsingJwkSetUriInLambdaThenConsultsAccordingly() {
 		this.spring.register(JwkSetUriInLambdaConfig.class, RootController.class).autowire();
 		MockWebServer mockWebServer = this.spring.getContext().getBean(MockWebServer.class);
 		mockWebServer.enqueue(new MockResponse().setBody(this.jwkSet));
-		mockWebServer.enqueue(new MockResponse().setBody(this.jwkSet));
 		// @formatter:off
 		this.client.get()
 				.headers((headers) -> headers

config/src/test/kotlin/org/springframework/security/config/web/server/ServerJwtDslTests.kt

@@ -160,7 +160,6 @@ class ServerJwtDslTests {
     fun `jwt when using custom JWK Set URI then custom URI used`() {
         this.spring.register(CustomJwkSetUriConfig::class.java).autowire()
 
-        CustomJwkSetUriConfig.MOCK_WEB_SERVER.enqueue(MockResponse().setBody(jwkSet))
         CustomJwkSetUriConfig.MOCK_WEB_SERVER.enqueue(MockResponse().setBody(jwkSet))
 
         this.client.get()

docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc

@@ -99,9 +99,10 @@ When this property and these dependencies are used, Resource Server will automat
 
 It achieves this through a deterministic startup process:
 
-1. Hit the Provider Configuration or Authorization Server Metadata endpoint, processing the response for the `jwks_url` property
-2. Configure the validation strategy to query `jwks_url` for valid public keys
-3. Configure the validation strategy to validate each JWTs `iss` claim against `https://idp.example.com`.
+1. Query the Provider Configuration or Authorization Server Metadata endpoint for the `jwks_url` property
+2. Query the `jwks_url` endpoint for supported algorithms
+3. Configure the validation strategy to query `jwks_url` for valid public keys of the algorithms found
+4. Configure the validation strategy to validate each JWTs `iss` claim against `https://idp.example.com`.
 
 A consequence of this process is that the authorization server must be up and receiving requests in order for Resource Server to successfully start up.
 

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java

@@ -18,11 +18,25 @@
 
 import java.net.URI;
 import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
+import java.util.Set;
+
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.KeySourceException;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jose.jwk.JWKMatcher;
+import com.nimbusds.jose.jwk.JWKSelector;
+import com.nimbusds.jose.jwk.KeyType;
+import com.nimbusds.jose.jwk.KeyUse;
+import com.nimbusds.jose.jwk.source.JWKSource;
+import com.nimbusds.jose.proc.SecurityContext;
 
 import org.springframework.core.ParameterizedTypeReference;
 import org.springframework.http.RequestEntity;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.util.Assert;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
@@ -68,6 +82,40 @@ static void validateIssuer(Map<String, Object> configuration, String issuer) {
 				+ "\" provided in the configuration did not " + "match the requested issuer \"" + issuer + "\"");
 	}
 
+	static Set<SignatureAlgorithm> getSignatureAlgorithms(JWKSource<SecurityContext> jwkSource) {
+		JWKMatcher jwkMatcher = new JWKMatcher.Builder().publicOnly(true).keyUses(KeyUse.SIGNATURE, null)
+				.keyTypes(KeyType.RSA, KeyType.EC).build();
+		Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
+		try {
+			List<? extends JWK> jwks = jwkSource.get(new JWKSelector(jwkMatcher), null);
+			for (JWK jwk : jwks) {
+				if (jwk.getAlgorithm() != null) {
+					jwsAlgorithms.add((JWSAlgorithm) jwk.getAlgorithm());
+				}
+				else {
+					if (jwk.getKeyType() == KeyType.RSA) {
+						jwsAlgorithms.addAll(JWSAlgorithm.Family.RSA);
+					}
+					else if (jwk.getKeyType() == KeyType.EC) {
+						jwsAlgorithms.addAll(JWSAlgorithm.Family.EC);
+					}
+				}
+			}
+		}
+		catch (KeySourceException ex) {
+			throw new IllegalStateException(ex);
+		}
+		Set<SignatureAlgorithm> signatureAlgorithms = new HashSet<>();
+		for (JWSAlgorithm jwsAlgorithm : jwsAlgorithms) {
+			SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.from(jwsAlgorithm.getName());
+			if (signatureAlgorithm != null) {
+				signatureAlgorithms.add(signatureAlgorithm);
+			}
+		}
+		Assert.notEmpty(signatureAlgorithms, "Failed to find any algorithms from the JWK set");
+		return signatureAlgorithms;
+	}
+
 	private static String getMetadataIssuer(Map<String, Object> configuration) {
 		if (configuration.containsKey("issuer")) {
 			return configuration.get("issuer").toString();

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java

@@ -16,9 +16,17 @@
 
 package org.springframework.security.oauth2.jwt;
 
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.net.URL;
 import java.util.Map;
+import java.util.Set;
+
+import com.nimbusds.jose.jwk.source.RemoteJWKSet;
+import com.nimbusds.jose.proc.SecurityContext;
 
 import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.util.Assert;
 
 /**
@@ -106,9 +114,23 @@ public static JwtDecoder fromIssuerLocation(String issuer) {
 	private static JwtDecoder withProviderConfiguration(Map<String, Object> configuration, String issuer) {
 		JwtDecoderProviderConfigurationUtils.validateIssuer(configuration, issuer);
 		OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
-		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(configuration.get("jwks_uri").toString()).build();
+		String jwkSetUri = configuration.get("jwks_uri").toString();
+		RemoteJWKSet<SecurityContext> jwkSource = new RemoteJWKSet<>(url(jwkSetUri));
+		Set<SignatureAlgorithm> signatureAlgorithms = JwtDecoderProviderConfigurationUtils
+				.getSignatureAlgorithms(jwkSource);
+		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
+				.jwsAlgorithms((algs) -> algs.addAll(signatureAlgorithms)).build();
 		jwtDecoder.setJwtValidator(jwtValidator);
 		return jwtDecoder;
 	}
 
+	private static URL url(String url) {
+		try {
+			return new URL(url);
+		}
+		catch (IOException ex) {
+			throw new UncheckedIOException(ex);
+		}
+	}
+
 }

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java

@@ -21,26 +21,21 @@
 import java.net.URL;
 import java.security.interfaces.RSAPublicKey;
 import java.text.ParseException;
-import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.LinkedHashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.function.Consumer;
 
 import javax.crypto.SecretKey;
 
-import com.nimbusds.jose.Algorithm;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.RemoteKeySourceException;
-import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.JWKSet;
-import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.source.JWKSetCache;
 import com.nimbusds.jose.jwk.source.JWKSource;
 import com.nimbusds.jose.jwk.source.RemoteJWKSet;
@@ -239,8 +234,6 @@ public static SecretKeyJwtDecoderBuilder withSecretKey(SecretKey secretKey) {
 	 */
 	public static final class JwkSetUriJwtDecoderBuilder {
 
-		private static final Log log = LogFactory.getLog(JwkSetUriJwtDecoderBuilder.class);
-
 		private String jwkSetUri;
 
 		private Set<SignatureAlgorithm> signatureAlgorithms = new HashSet<>();
@@ -329,60 +322,17 @@ public JwkSetUriJwtDecoderBuilder jwtProcessorCustomizer(
 		}
 
 		JWSKeySelector<SecurityContext> jwsKeySelector(JWKSource<SecurityContext> jwkSource) {
-			Set<SignatureAlgorithm> algorithms = new HashSet<>();
-			if (!this.signatureAlgorithms.isEmpty()) {
-				algorithms.addAll(this.signatureAlgorithms);
-			} else {
-				algorithms.addAll(fetchSignatureAlgorithms());
-			}
-
-			if (algorithms.isEmpty()) {
-				algorithms.add(SignatureAlgorithm.RS256);
+			if (this.signatureAlgorithms.isEmpty()) {
+				return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwkSource);
 			}
-
 			Set<JWSAlgorithm> jwsAlgorithms = new HashSet<>();
-			for (SignatureAlgorithm signatureAlgorithm : algorithms) {
-				jwsAlgorithms.add(JWSAlgorithm.parse(signatureAlgorithm.getName()));
+			for (SignatureAlgorithm signatureAlgorithm : this.signatureAlgorithms) {
+				JWSAlgorithm jwsAlgorithm = JWSAlgorithm.parse(signatureAlgorithm.getName());
+				jwsAlgorithms.add(jwsAlgorithm);
 			}
-
 			return new JWSVerificationKeySelector<>(jwsAlgorithms, jwkSource);
 		}
 
-		private Set<SignatureAlgorithm> fetchSignatureAlgorithms() {
-			try {
-				return parseAlgorithms(JWKSet.load(toURL(jwkSetUri), 5000, 5000, 0));
-			} catch (Exception ex) {
-				throw new IllegalArgumentException("Failed to load Signature Algorithms from remote JWK source.", ex);
-			}
-		}
-
-		private Set<SignatureAlgorithm> parseAlgorithms(JWKSet jwkSet) {
-			if (jwkSet == null) {
-				throw new IllegalArgumentException(String.format("No JWKs received from %s", jwkSetUri));
-			}
-
-			List<JWK> jwks = new ArrayList<>();
-			for (JWK jwk : jwkSet.getKeys()) {
-				KeyUse keyUse = jwk.getKeyUse();
-				if (keyUse != null && keyUse.equals(KeyUse.SIGNATURE)) {
-					jwks.add(jwk);
-				}
-			}
-
-			Set<SignatureAlgorithm> algorithms = new HashSet<>();
-			for (JWK jwk : jwks) {
-				Algorithm algorithm = jwk.getAlgorithm();
-				if (algorithm != null) {
-					SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.from(algorithm.getName());
-					if (signatureAlgorithm != null) {
-						algorithms.add(signatureAlgorithm);
-					}
-				}
-			}
-
-			return algorithms;
-		}
-
 		JWKSource<SecurityContext> jwkSource(ResourceRetriever jwkSetRetriever) {
 			if (this.cache == null) {
 				return new RemoteJWKSet<>(toURL(this.jwkSetUri), jwkSetRetriever);