Expose ID Token JwtDecoderFactory

[jgrandja]

DefaultJwtDecoderFactory in OidcAuthorizationCodeAuthenticationProvider and OidcAuthorizationCodeReactiveAuthenticationManager is responsible for providing the JwtDecoder used for ID Token verification. Both are declared as private static.

The user may need to customize the JwtDecoder in certain scenarios, for example, configuring a clock skew (#5839). Given this, we should extract both DefaultJwtDecoderFactory to allow for reuse and customization/configuration.

[raphaelDL]

Hi Joe, is this already taken?

[jgrandja]

I was planning on it but would be happy to hand it over to you :)

[jgrandja]

The 2 things to keep in mind for this task:

• The name DefaultJwtDecoderFactory will need to be renamed to be more specific. Maybe OidcIdTokenDecoderFactory?
• The user should be able to configure OidcIdTokenValidator.setClockSkew() per provider if required. This means that each OidcIdTokenValidator may have a different clock skew setting. When you think about it, if the application has Google and Okta configured for OIDC than they may need to configure different clock skew setting. This will be the tricky part.

[jgrandja]

@raphaelDL Just a heads up that I'm hoping to get this merged before end of day Monday as 5.2.0.M1 is being released on Tue. Do you think you'll be able to have something for review by end of day today or tomorrow morning? No pressure at all if you don't have the cycles. Either way let me know and if you don't have the time than I can wrap this up fairly quickly.

[raphaelDL]

Sure, I'm working on it, can you give me ideas on the multiple clock skew settings in OidcIdTokenValidator ? I can do it if you outline that for me... or I can leave it to you, whatever you feel like. I completely understand the schedule.

[jgrandja]

As far as being able to support a different clock skew setting per provider, I think this will do the trick.

public final class OidcIdTokenDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
   // This provides the default
   private Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidatorFactory = OidcIdTokenValidator::new;

   // The user can supply their own factory that will allow them to adjust the clock skew or whatever else they choose to customize
   public final void setJwtValidatorFactory(Function<ClientRegistration, OAuth2TokenValidator<Jwt>> jwtValidatorFactory) {
      ...
   }
}

Let's go with this for now and we can refine from here.
Thanks!

[jgrandja]

Btw, the current implementations compose 2 OAuth2TokenValidator as follows:

OAuth2TokenValidator<Jwt> jwtValidator = new DelegatingOAuth2TokenValidator<>(new JwtTimestampValidator(), new OidcIdTokenValidator(clientRegistration));

JwtTimestampValidator is redundant so we don't need it. The new implementations should only contain OidcIdTokenValidator as the default, as per example above.