Expected Behavior
In cases where the issuing system experiences issues, a Resource Server should be able to serve at least the requests from valid token holders.
Current Behavior
If the application is configured to use a JWT Decoder with NimbusJwtDecoder.withJwkSetUri(String), the builder can be parameterized in specific ways, but the JWKSource is configured statically. Hence, developers cannot make use of Nimbus' ways to configure a more resilient JWKSource (see here: https://connect2id.com/products/nimbus-jose-jwt/examples/enhanced-jwk-retrieval ), which allows Outage Tolerance out of the box.
Context
There might be a possible workaround which could look like:
```java
import java.net.MalformedURLException;
import java.net.URL;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;

@Bean
JwkSetUriJwtDecoderBuilderCustomizer customizer() throws MalformedURLException {
    // Outage-tolerant JWK source built with Nimbus' own JWKSourceBuilder
    JWSKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(
            JWSAlgorithm.ES256,
            JWKSourceBuilder.<SecurityContext>create(new URL("some.url")).outageTolerant(true).build()
    );
    // Replaces the key selector Spring Security installed on the processor
    return builder -> builder.jwtProcessorCustomizer(processor -> processor.setJWSKeySelector(keySelector));
}
```
But this would overwrite the SpringJWKSource (which is private), among other things.
It would be nice to have a Customizer that could be honored here:
https://github.com/spring-projects/spring-security/blob/ffd6e3c0f71d2257fd6177ae549e8f1290828608/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java#L450-L453
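As an added example (not code from the issue author or from Spring Security), one way to get Nimbus' outage-tolerant JWKSource into a Resource Server without waiting for a customizer is to skip NimbusJwtDecoder.withJwkSetUri(...) altogether and hand NimbusJwtDecoder a Nimbus JWTProcessor built by hand, through its public NimbusJwtDecoder(JWTProcessor) constructor. The configuration class name, the issuer URL, the JWK Set URI and the RS256 algorithm pin are assumptions; JWKSourceBuilder requires a nimbus-jose-jwt version that ships it, and the builder's default caching and rate limiting are relied on rather than configured explicitly.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class OutageTolerantJwtDecoderConfig {

    // Hypothetical values: substitute your authorization server's issuer and JWK Set URI.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String JWK_SET_URI = ISSUER + "/.well-known/jwks.json";

    @Bean
    JwtDecoder jwtDecoder() throws MalformedURLException {
        URL jwkSetUrl = URI.create(JWK_SET_URI).toURL();

        // Nimbus JWKSourceBuilder: retrying and outage-tolerant on top of the default cache.
        // outageTolerant(true) keeps serving the last successfully fetched JWK set when the
        // issuer cannot be reached, so tokens signed with those keys still verify during an outage.
        JWKSource<SecurityContext> jwkSource = JWKSourceBuilder.<SecurityContext>create(jwkSetUrl)
                .retrying(true)
                .outageTolerant(true)
                .build();

        // Pin the accepted signing algorithm (assumed RS256 here) instead of trusting the token's alg header.
        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwkSource));
        // Spring Security validates claims through its own OAuth2TokenValidator below,
        // so disable Nimbus' built-in claims verifier to avoid validating twice.
        jwtProcessor.setJWTClaimsSetVerifier((claims, context) -> { });

        // Build the decoder from the hand-wired processor, bypassing withJwkSetUri(...)
        NimbusJwtDecoder decoder = new NimbusJwtDecoder(jwtProcessor);
        // Keep Spring Security's default timestamp validation and add the issuer check
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(ISSUER));
        return decoder;
    }
}
```

Because this declares the JwtDecoder bean directly, Spring Boot's auto-configured decoder and any JwkSetUriJwtDecoderBuilderCustomizer no longer apply, so algorithm pinning and claim validation have to be wired explicitly as above. Outage tolerance also means a key that the issuer rotated out or revoked stays trusted for as long as the outage lasts, which is the trade-off being accepted for availability.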
Comment From: jzheaux
Hi, @DennisRippinger, please take a look at https://github.com/spring-projects/spring-security/pull/17046 and see if this addresses your needs. For now, I'll close this as a duplicate.