Package org.springframework.security.oauth2.server.resource.authentication

Class JwtIssuerReactiveAuthenticationManagerResolver

  • All Implemented Interfaces:
    org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
    public final class JwtIssuerReactiveAuthenticationManagerResolver
extends java.lang.Object
implements org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
    An implementation of ReactiveAuthenticationManagerResolver that resolves a JWT-based ReactiveAuthenticationManager based on the Issuer in a signed JWT (JWS). To use, this class must be able to determine whether or not the `iss` claim is trusted. Recall that anyone can stand up an authorization server and issue valid tokens to a resource server. The simplest way to achieve this is to supply a list of trusted issuers in the constructor. This class derives the Issuer from the `iss` claim found in the ServerWebExchange's Bearer Token.
    Since:
    5.3

    • Constructor Detail

      • JwtIssuerReactiveAuthenticationManagerResolver

        public JwtIssuerReactiveAuthenticationManagerResolver​(java.lang.String... trustedIssuers)
        Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters
        Parameters:
        trustedIssuers - a list of trusted issuers

      • JwtIssuerReactiveAuthenticationManagerResolver

        public JwtIssuerReactiveAuthenticationManagerResolver​(java.util.Collection<java.lang.String> trustedIssuers)
        Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters
        Parameters:
        trustedIssuers - a collection of trusted issuers

      • JwtIssuerReactiveAuthenticationManagerResolver

        public JwtIssuerReactiveAuthenticationManagerResolver​(org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<java.lang.String> issuerAuthenticationManagerResolver)
        Construct a JwtIssuerReactiveAuthenticationManagerResolver using the provided parameters Note that the ReactiveAuthenticationManagerResolver provided in this constructor will need to verify that the issuer is trusted. This should be done via an allowed list of issuers. One way to achieve this is with a Map where the keys are the known issuers: 
             Map<String, ReactiveAuthenticationManager> authenticationManagers = new HashMap<>();
     authenticationManagers.put("https://issuerOne.example.org", managerOne);
     authenticationManagers.put("https://issuerTwo.example.org", managerTwo);
     JwtIssuerReactiveAuthenticationManagerResolver resolver = new JwtIssuerReactiveAuthenticationManagerResolver
        ((issuer) -> Mono.justOrEmpty(authenticationManagers.get(issuer));
        The keys in the Map are the trusted issuers.
        Parameters:
        issuerAuthenticationManagerResolver - a strategy for resolving the ReactiveAuthenticationManager by the issuer

    • Method Detail

      • resolve

        public reactor.core.publisher.Mono<org.springframework.security.authentication.ReactiveAuthenticationManager> resolve​(org.springframework.web.server.ServerWebExchange exchange)
        Return an AuthenticationManager based off of the `iss` claim found in the request's bearer token
        Specified by:
        resolve in interface org.springframework.security.authentication.ReactiveAuthenticationManagerResolver<org.springframework.web.server.ServerWebExchange>
        Throws:
        org.springframework.security.oauth2.core.OAuth2AuthenticationException - if the bearer token is malformed or an ReactiveAuthenticationManager can't be derived from the issuer