Merge pull request #35286 from bikash30851
* gh-35286:
  Polish "Document audience support in Oauth2 resource server"
  Document audience support in Oauth2 resource server

Closes gh-35286
wilkinsona committed May 25, 2023
2 parents 7c5fd06 + f452a86 commit 812a48e
Showing 1 changed file with 14 additions and 2 deletions.
Expand Up @@ -201,8 +201,21 @@ For JWT configuration, a JWK Set URI or OIDC Issuer URI needs to be specified, a
NOTE: If the authorization server does not support a JWK Set URI, you can configure the resource server with the Public Key used for verifying the signature of the JWT.
This can be done using the configprop:spring.security.oauth2.resourceserver.jwt.public-key-location[] property, where the value needs to point to a file containing the public key in the PEM-encoded x509 format.

The same properties are applicable for both servlet and reactive applications.
The configprop:spring.security.oauth2.resourceserver.jwt.audiences[] property can be used to specifify the expected values of the aud claim in JWTs.
For example, to require JWTs to contain an aud claim with the value `my-audience`:

[source,yaml,indent=0,subs="verbatim",configprops,configblocks]
----
spring:
security:
oauth2:
resourceserver:
jwt:
audiences:
- "my-audience"
----

The same properties are applicable for both servlet and reactive applications.
Alternatively, you can define your own `JwtDecoder` bean for servlet applications or a `ReactiveJwtDecoder` for reactive applications.

In cases where opaque tokens are used instead of JWTs, you can configure the following properties to validate tokens through introspection:
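
Review bot: the added sentence introducing `spring.security.oauth2.resourceserver.jwt.audiences` has a typo, "specifify" should be "specify". The same sentence says "expected values" (plural) while the example lists a single value, so it is worth stating whether a token must carry every configured audience or only one of them; readers will rely on that when deciding how strictly tokens issued for other resource servers are rejected. Two smaller points: `aud` is not marked up as code while `my-audience` is, and since the following sentence offers a custom `JwtDecoder` or `ReactiveJwtDecoder` bean as an alternative, it would help to say whether the `audiences` property still takes effect when such a bean is defined.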
Expand All @@ -220,7 +233,6 @@ In cases where opaque tokens are used instead of JWTs, you can configure the fol
----

Again, the same properties are applicable for both servlet and reactive applications.

Alternatively, you can define your own `OpaqueTokenIntrospector` bean for servlet applications or a `ReactiveOpaqueTokenIntrospector` for reactive applications.

