spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Support for setting different 'jwk-set-uri's for each JWT in OAuth 2.0 Resource Server Multi-tenancy #14680

Closed ntenherkel closed 8 months ago

ntenherkel commented 8 months ago

Expected Behavior

Support for configuring multiple jwk-set-uri's in the Spring configuration file like so:

spring:
  security:
    oauth2:
      resourceservers:
        server1:
          jwt:
            jwk-set-uri: sever-A.com/jwks.json
        server2:
          jwt:
            jwk-set-uri: sever-B.com/jwks.json
        server3:
          jwt:
            jwk-set-uri: sever-C.com/jwks.json

Currently there is a workaround posted by jzheaux here. It looks like this:

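@Bean
JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
    // One AuthenticationManager per trusted issuer, each backed by that issuer's JWK Set
    Map<String, AuthenticationManager> managers = Map.of(
        "https://s1.host.name", manager("original.jwks.server:8080/.well-known/jwks.json"),
        "https://s2.host.name", manager("new.jwks.server:8080/.well-known/jwks.json"));
    // The resolver expects AuthenticationManagers keyed by issuer, not bare JwtDecoders
    return new JwtIssuerAuthenticationManagerResolver(managers::get);
}

AuthenticationManager manager(String jwkSetUri) {
    return new JwtAuthenticationProvider(decoder(jwkSetUri))::authenticate;
}

JwtDecoder decoder(String jwkSetUri) {
    return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
}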

However, this solution will soon stop working because it is deprecated and is likely to be removed in 3.3.x.

I noticed more people are seeking this functionality. In a complex enterprise microarchitecture environment, it is likely to receive traffic from multiple sources. These microservices often expose /jwks endpoints that the receiving party should fetch. This means Spring Security should be able to fetch multiple jwks uri's.

Can we have this enhancement implemented or can we get a workaround that will work with Spring Boot 3.3.x?
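An added example, not part of the original issue thread or the Spring Security project's own code: one way to drive the per-issuer JWK Set URIs requested above from configuration while keeping the set of accepted issuers a fixed allowlist. The `app.security.tenants` prefix, `TenantProperties` and `MultiTenantResourceServerConfig` are hypothetical names; Spring Boot 3 and Spring Security 6 are assumed.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical prefix (not a Spring Boot namespace), bound from
//   app.security.tenants[0].issuer and app.security.tenants[0].jwk-set-uri
@ConfigurationProperties("app.security")
record TenantProperties(List<Tenant> tenants) {
    record Tenant(String issuer, String jwkSetUri) {}
}

@Configuration
@EnableConfigurationProperties(TenantProperties.class)
class MultiTenantResourceServerConfig {
    @Bean
    JwtIssuerAuthenticationManagerResolver tenantResolver(TenantProperties props) {
        // Built once at startup, so the configured issuers are the complete allowlist.
        Map<String, AuthenticationManager> managers = props.tenants().stream()
            .collect(Collectors.toUnmodifiableMap(TenantProperties.Tenant::issuer, this::managerFor));
        // An issuer that is not in the map resolves to null and the token is rejected.
        return new JwtIssuerAuthenticationManagerResolver(managers::get);
    }

    private AuthenticationManager managerFor(TenantProperties.Tenant tenant) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(tenant.jwkSetUri()).build();
        // Signature is checked against this tenant's keys only; "iss" and timestamps are validated too.
        decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(tenant.issuer()));
        return new JwtAuthenticationProvider(decoder)::authenticate;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
            JwtIssuerAuthenticationManagerResolver tenantResolver) throws Exception {
        http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(tenantResolver));
        return http.build();
    }
}
```

Because the issuer-to-key mapping is fixed at startup, a token cannot cause the service to fetch keys from a URI it names itself; adding a tenant requires a configuration change.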

jzheaux commented 8 months ago

Thanks for the update. Let's please keep the discussion about Boot properties on https://github.com/spring-projects/spring-boot/issues/30108 so that all the comments are collected in the same place.