Currently, Spring Boot generates a new RSA KeyPair every time the application starts; we should allow users to configure stable keys for production use.

Here is prototype: https://github.com/spring-projects/spring-boot/compare/main...quaff:spring-boot:patch-181?expand=1

Comment From: jgrandja

@quaff

> Spring Boot generate new RSA KeyPair every time application started

This allows for a smoother "Getting Started" experience and is really only meant for that use case. For production deployments, it's the application's responsibility to configure the JWKSource<SecurityContext> @Bean with the key(s).

Also, almost all production deployments will have more than one key configured in the JWKSource to represent at least one "active" key and one or more "passive" keys.

Lastly, there are different types of symmetric and asymmetric keys that can be used so it's not limited to just RSA keys.

> we should allow users to configure stable keys for production use

I would not recommend allowing users to configure the "private" portion of an RSA key via a property. I realize the property could be obtained from the environment but it still promotes users to statically configure it via the property which is not a good practice.
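
As an added example that is not part of this thread and not Spring Boot's or Spring Authorization Server's own code, the configuration below shows the approach described in the comment above: the application supplies its own `JWKSource<SecurityContext>` bean with stable keys loaded from a PKCS12 keystore, holding one "active" signing key plus any number of "passive" keys kept so already-issued tokens still verify. The `JwkConfig` class, the `app.jwk.*` property names, the keystore aliases, and the split into a `JWKSource` bean and a separate `JwtEncoder` bean are assumptions made for illustration; only the keystore password is a property, and it is expected to come from the environment, so no private key material is ever placed in a properties file.

```java
package example.config; // hypothetical package, not part of Spring Boot

import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;

/**
 * Stable signing keys for an authorization server. The key pairs are
 * generated once (for example with keytool) and stored in a PKCS12 keystore;
 * nothing here generates a key pair at startup and no private key lives in
 * a property. All app.jwk.* property names are illustrative assumptions.
 */
@Configuration
public class JwkConfig {

    // e.g. app.jwk.keystore=file:/etc/authserver/jwk.p12 (assumed property)
    @Value("${app.jwk.keystore}")
    private Resource keyStoreResource;

    // Supplied from the environment (e.g. APP_JWK_KEYSTORE_PASSWORD), never
    // committed to a properties file. This example assumes the key entries
    // use the same password as the store itself.
    @Value("${app.jwk.keystore-password}")
    private String keyStorePassword;

    // Alias of the key that signs newly issued tokens.
    @Value("${app.jwk.active-alias}")
    private String activeAlias;

    // Aliases of retired keys kept only so already-issued tokens still verify.
    @Value("${app.jwk.passive-aliases:}")
    private String[] passiveAliases;

    private KeyStore loadKeyStore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = keyStoreResource.getInputStream()) {
            keyStore.load(in, keyStorePassword.toCharArray());
        }
        return keyStore;
    }

    // RSAKey.load() uses the alias as the JWK "kid" and returns null when no
    // certificate exists under that alias, so a misconfigured alias fails at
    // boot instead of at the first token request.
    private RSAKey loadRsaKey(KeyStore keyStore, String alias) throws Exception {
        RSAKey key = RSAKey.load(keyStore, alias, keyStorePassword.toCharArray());
        if (key == null) {
            throw new IllegalStateException("No key with alias '" + alias + "' in keystore");
        }
        return key;
    }

    /**
     * Full key set: active plus passive keys. This bean backs the JWK Set
     * endpoint (only the public parts are published) and JWT verification.
     */
    @Bean
    public JWKSource<SecurityContext> jwkSource() throws Exception {
        KeyStore keyStore = loadKeyStore();
        List<JWK> keys = new ArrayList<>();
        keys.add(loadRsaKey(keyStore, activeAlias));
        for (String alias : passiveAliases) {
            if (!alias.isBlank()) {
                keys.add(loadRsaKey(keyStore, alias));
            }
        }
        return new ImmutableJWKSet<>(new JWKSet(keys));
    }

    /**
     * Encoder restricted to the active key. NimbusJwtEncoder refuses to sign
     * when more than one key matches its selector, so passive keys must not
     * be visible to it; keeping them in a separate source is this example's
     * design choice.
     */
    @Bean
    public JwtEncoder jwtEncoder() throws Exception {
        RSAKey active = loadRsaKey(loadKeyStore(), activeAlias);
        return new NimbusJwtEncoder(new ImmutableJWKSet<>(new JWKSet(active)));
    }
}
```

Rotating a key under this layout means adding a new entry to the keystore, pointing `app.jwk.active-alias` at it and moving the previous alias into `app.jwk.passive-aliases`; the retired alias can be dropped once every token signed with it has expired. Because the `kid` is taken from the keystore alias, the JWK Set endpoint keeps publishing the old public key while it is still listed, so resource servers continue to verify in-flight tokens during the rollover.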

Comment From: snicoll

Thanks for sharing your insight Joe, closing.