docs/modules/ROOT/pages/reactive/oauth2/resource-server/jwt.adoc
Lines changed: 5 additions & 4 deletions
@@ -39,17 +39,18 @@ This endpoint is referred to as a https://openid.net/specs/openid-connect-discov
39
39
40
40
When this property and these dependencies are used, Resource Server automatically configures itself to validate JWT-encoded Bearer Tokens.
41
41
42
-
It achieves this through a deterministic startup process:
42
+
It achieves this through a deterministic discovery process it launches at the first request containing a JWT:
43
43
44
44
. Hit the Provider Configuration or Authorization Server Metadata endpoint, processing the response for the `jwks_url` property.
45
45
. Configure the validation strategy to query `jwks_url` for valid public keys.
46
46
. Configure the validation strategy to validate each JWT's `iss` claim against `https://idp.example.com`.
47
47
48
-
A consequence of this process is that the authorization server must be receiving requests in order for Resource Server to successfully start up.
48
+
One benefit of deferring this process is that Resource Server startup is not coupled to the authorization server's availability.
49
49
50
50
[NOTE]
51
51
====
52
-
If the authorization server is down when Resource Server queries it (given appropriate timeouts), then startup fails.
52
+
This deferral is managed by javadoc:org.springframework.security.oauth2.jwt.SupplierReactiveJwtDecoder[`SupplierReactiveJwtDecoder`].
53
+
Consider wrapping any <<webflux-oauth2resourceserver-decoder-bean,`JwtDecoder` `@Bean`>> you declare in order to preserve this behavior.
53
54
====
54
55
55
56
=== Runtime Expectations
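Review bot: In the NOTE block, the added line "Consider wrapping any <<webflux-oauth2resourceserver-decoder-bean,`JwtDecoder` `@Bean`>> you declare" names `JwtDecoder`, but this is the reactive page and the class referenced one line above is `SupplierReactiveJwtDecoder`, so the link text should probably read `ReactiveJwtDecoder`. The note also drops the old failure-mode sentence ("then startup fails") without a replacement: since discovery now runs at the first request containing a JWT, say what a caller sees if the authorization server is unreachable at that point and whether the lookup is attempted again on a later request. Separately, the unchanged step list refers to `jwks_url`; the field in Provider Configuration and Authorization Server Metadata responses is `jwks_uri`, which is worth correcting while this paragraph is being touched.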
@@ -85,7 +86,7 @@ From here, consider jumping to:
85
86
[[webflux-oauth2resourceserver-jwt-jwkseturi]]
86
87
=== Specifying the Authorization Server JWK Set Uri Directly
87
88
88
-
If the authorization server does not support any configuration endpoints, or if Resource Server must be able to start up independently from the authorization server, you can supply `jwk-set-uri` as well:
89
+
If the authorization server does not support any configuration endpoints, or if Resource Server must be able to initialize independently from the authorization server, you can supply `jwk-set-uri` as well:
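Review bot: On the changed sentence under "Specifying the Authorization Server JWK Set Uri Directly", the phrase "initialize independently from the authorization server" is hard to tell apart from what the first hunk now promises by default, namely that startup "is not coupled to the authorization server's availability". Suggest stating the concrete difference `jwk-set-uri` makes, for example that Resource Server no longer depends on the discovery call to learn where the keys are, if that is the intent, so readers know when the property is still worth setting.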