Improve class conditions on auth server JWT auto-config

wilkinsona · wilkinsona · commit 3233341d458b · 2025-04-14T11:51:49.000+01:00
Prior to this change, introspection of the auto-configuration could fail due to insufficient protection against missing classes. This commit introduces an extra class-level check for Nimbus's JWKSource which ensures that the auto-configuration backs off if nimbus-jose-jwt has been excluded. It also introduces an inner-class for the case where spring-security-oauth2-jose is not on the classpath. This ensures that the method defining the jwtDecoder bean does not cause an introspection failure when JwtDecoder is missing. Closes gh-45177
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -36,6 +36,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
@@ -49,17 +50,10 @@
  * @since 3.1.0
  */
 @AutoConfiguration(after = UserDetailsServiceAutoConfiguration.class)
-@ConditionalOnClass(OAuth2Authorization.class)
+@ConditionalOnClass({ OAuth2Authorization.class, JWKSource.class })
 @ConditionalOnWebApplication(type = ConditionalOnWebApplication.Type.SERVLET)
 public class OAuth2AuthorizationServerJwtAutoConfiguration {
 
-	@Bean
-	@ConditionalOnClass(JwtDecoder.class)
-	@ConditionalOnMissingBean
-	JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
-		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
-	}
-
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	@ConditionalOnMissingBean
@@ -92,4 +86,16 @@ private static KeyPair generateRsaKey() {
 		return keyPair;
 	}
 
+	@Configuration(proxyBeanMethods = false)
+	@ConditionalOnClass(JwtDecoder.class)
+	static class JwtDecoderConfiguration {
+
+		@Bean
+		@ConditionalOnMissingBean
+		JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
+			return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
+		}
+
+	}
+
 }
diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerJwtAutoConfigurationTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerJwtAutoConfigurationTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2023 the original author or authors.
+ * Copyright 2012-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,15 +43,22 @@ class OAuth2AuthorizationServerJwtAutoConfigurationTests {
 		.withConfiguration(AutoConfigurations.of(OAuth2AuthorizationServerJwtAutoConfiguration.class));
 
 	@Test
-	void autoConfigurationConditionalOnClassOauth2Authorization() {
+	void autoConfigurationConditionalOnClassOAuth2Authorization() {
 		this.contextRunner.withClassLoader(new FilteredClassLoader(OAuth2Authorization.class))
 			.run((context) -> assertThat(context).doesNotHaveBean(OAuth2AuthorizationServerJwtAutoConfiguration.class));
 	}
 
+	@Test
+	void autoConfigurationConditionalOnClassJWKSource() {
+		this.contextRunner.withClassLoader(new FilteredClassLoader(JWKSource.class))
+			.run((context) -> assertThat(context).doesNotHaveBean(OAuth2AuthorizationServerJwtAutoConfiguration.class));
+	}
+
 	@Test
 	void jwtDecoderConditionalOnClassJwtDecoder() {
 		this.contextRunner.withClassLoader(new FilteredClassLoader(JwtDecoder.class))
-			.run((context) -> assertThat(context).doesNotHaveBean("jwtDecoder"));
+			.run((context) -> assertThat(context).hasSingleBean(OAuth2AuthorizationServerJwtAutoConfiguration.class)
+				.doesNotHaveBean("jwtDecoder"));
 	}
 
 	@Test
