I currently have the following...

@Configuration
@Slf4j
public class AuthConfig {
    @Value("${auth0.audience}")
    private String audience;

    @Getter
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SecurityFilterChain filterChain(
            HttpSecurity http
    ) throws Exception {
        ....
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);

        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

    private static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        public AudienceValidator(String audience) {
            this.audience = audience;
        }

        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);

            if (jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}

The problem I have with this is that it is my understanding having

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: /

Will create the JwtDecoder bean automagically and I shouldn't need to grab the issuer from the spring property (I would like to just use @ConfigurationProperties and non-spring properties like audience).

So is there a way I can just add the AudienceValidator to the JwtDecode bean created by Spring Security? Or is there something more basic I am doing incorrectly?

I currently have the following...

@Configuration
@Slf4j
public class AuthConfig {
    @Value("${auth0.audience}")
    private String audience;

    @Getter
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Bean
    public SecurityFilterChain filterChain(
            HttpSecurity http
    ) throws Exception {
        ....
    }

    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);

        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }

    private static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String audience;

        public AudienceValidator(String audience) {
            this.audience = audience;
        }

        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);

            if (jwt.getAudience().contains(audience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(error);
        }
    }
}

The problem I have with this is that it is my understanding having

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://jackiergleason.auth0/

Will create the JwtDecoder bean automagically and I shouldn't need to grab the issuer from the spring property (I would like to just use @ConfigurationProperties and non-spring properties like audience).

So is there a way I can just add the AudienceValidator to the JwtDecode bean created by Spring Security? Or is there something more basic I am doing incorrectly?

• spring-boot
• spring-security
• oauth-2.0

• I'm having difficulties understanding this part: "So is there a way I can just add the AudienceValidator to the JwtDecode bean created by Spring Security" For getting a JwtDecoder by config, you'll need to specify spring.security.oauth2.resourceserver.jwt.issuer-uri. Can you take a look at my deleted answer and see if we're on track? BR – Roar S. Commented Jan 31 at 17:46
• @RoarS. my understanding is providing the issuer will cause spring security to Autocreate a JwtDecode. However, that one will not check the audience. I don't believe there is an audience config as in the answer but I may be missing it in the docs. Anyway a link to any documentation on how to filter like this would be great – Jackie Commented Jan 31 at 19:32
• 1 Hi! Docs here docs.spring.io/spring-boot/reference/web/… – Roar S. Commented Jan 31 at 19:38

1 Answer 1

I believe you're looking for the audiences setting. Docs here

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://jackiergleason.auth0/
          audiences:
            - my-custom-audience
            - my-second-custom-audience    

With this, requests without audience, or non-matching audience, will result in 401.