Expected Behavior

NimbusJwtDecoder.withJwkSetUri(jwksUri) should populate defaultAlgorithms just as NimbusJwtDecoder.withIssuerLocation(issuer) does.

Current Behavior

On the current main branch, NimbusJwtDecoder.withIssuerLocation(issuer) creates the builder using

JwkSetUriJwtDecoderBuilder(Function<RestOperations, String> jwkSetUri,
                Function<JWKSource<SecurityContext>, Set<JWSAlgorithm>> defaultAlgorithms);

and calls JwtDecoderProviderConfigurationUtils::getJWSAlgorithms to read the available algorithms from the JWK Set payload at jwksUri and sets them as defaultAlgorithms, i.e. the allowed list of algorithms.

In contrast, NimbusJwtDecoder.withJwkSetUri(jwksUri) calls the basic constructor

JwkSetUriJwtDecoderBuilder(String jwkSetUri)

which does not set any algorithms at all. We need to explicitly set the allowed algorithms with JwkSetUriJwtDecoderBuilder.jwsAlgorithm(...), or only RS256 (the initial value of defaultAlgorithms) is allowed.

I think it is reasonable to use the signing algorithms available in the jwksUri payload by default, while still allowing callers to explicitly specify the allowed algorithms using JwkSetUriJwtDecoderBuilder.jwsAlgorithm(...). To achieve this, withJwkSetUri only needs to create JwkSetUriJwtDecoderBuilder using the same constructor that withIssuerLocation uses.

We cannot create JwkSetUriJwtDecoderBuilder directly because its constructors are private.

Context

I was implementing JWT validation using jwksUri and found that NimbusJwtDecoder.withJwkSetUri(jwksUri).build() is not sufficient to create a working decoder. Currently I assign all available algorithms in SignatureAlgorithm with JwkSetUriJwtDecoderBuilder.jwsAlgorithms(...). Even with this workaround, the "EdDSA" algorithm is not supported due to the limitation of the SignatureAlgorithm enum, but that issue is tracked under another GitHub issue: https://github.com/spring-projects/spring-security/issues/17098
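The three decoder configurations discussed above (withJwkSetUri alone, withJwkSetUri with an explicit algorithm allow list, and withIssuerLocation), as an added example that is not part of this issue or of Spring Security's own code. The JWKS URI and issuer URL are hypothetical placeholders, and the example uses only the public builder methods referenced in this report: withJwkSetUri, withIssuerLocation, jwsAlgorithm and jwsAlgorithms. Building a decoder against a real issuer still requires network access to fetch the JWK Set, so no decode call is made here.

```java
import java.util.EnumSet;
import java.util.Set;

import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Shows how the allowed JWS algorithms differ between the two NimbusJwtDecoder
 * entry points, and the explicit allow-list workaround described in the issue.
 */
public class JwkSetDecoderConfig {

    // Hypothetical endpoints; substitute the values from your identity provider.
    static final String JWKS_URI = "https://issuer.example.com/.well-known/jwks.json";
    static final String ISSUER = "https://issuer.example.com";

    /**
     * Decoder built from the JWK Set URI alone. No algorithms are configured, so the
     * builder falls back to the initial value of defaultAlgorithms: RS256 only.
     * Tokens signed with ES256, PS256, etc. are rejected even if the JWK Set
     * publishes matching keys.
     */
    static JwtDecoder jwkSetUriOnly() {
        return NimbusJwtDecoder.withJwkSetUri(JWKS_URI).build();
    }

    /**
     * Decoder with an explicit allow list. jwsAlgorithms(...) hands the builder's
     * mutable algorithm set to the consumer; whatever is added there replaces the
     * RS256-only default. Prefer an allow list that matches the key types the JWK
     * Set actually publishes rather than every enum value, so a token using an
     * algorithm the issuer never signs with is still rejected.
     */
    static JwtDecoder jwkSetUriWithAllowList(Set<SignatureAlgorithm> allowed) {
        return NimbusJwtDecoder.withJwkSetUri(JWKS_URI)
                .jwsAlgorithms(algs -> algs.addAll(allowed))
                .build();
    }

    /** Same as above for a single algorithm, using the one-at-a-time variant. */
    static JwtDecoder jwkSetUriSingleAlgorithm(SignatureAlgorithm algorithm) {
        return NimbusJwtDecoder.withJwkSetUri(JWKS_URI)
                .jwsAlgorithm(algorithm)
                .build();
    }

    /**
     * Decoder built from the issuer location. Here defaultAlgorithms is populated
     * from the JWK Set payload, so every algorithm the issuer publishes keys for
     * is accepted without further configuration. This is the behaviour the issue
     * asks withJwkSetUri to adopt.
     */
    static JwtDecoder issuerLocation() {
        return NimbusJwtDecoder.withIssuerLocation(ISSUER).build();
    }

    public static void main(String[] args) {
        // Narrow allow list: only the algorithms this issuer is known to use.
        Set<SignatureAlgorithm> knownIssuerAlgorithms = EnumSet.of(
                SignatureAlgorithm.RS256,
                SignatureAlgorithm.ES256);
        JwtDecoder narrow = jwkSetUriWithAllowList(knownIssuerAlgorithms);

        // The broad workaround from the issue: every value of SignatureAlgorithm.
        JwtDecoder broad = jwkSetUriWithAllowList(EnumSet.allOf(SignatureAlgorithm.class));

        System.out.println("narrow allow list decoder: " + narrow);
        System.out.println("broad allow list decoder:  " + broad);
    }
}
```

Note that jwsAlgorithms(...) only takes effect if at least one algorithm is added inside the consumer; an empty set leaves the builder on its RS256 default, which is exactly the behaviour that makes withJwkSetUri(...).build() insufficient for issuers that sign with anything other than RS256.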