I have an OpenID provider (openam) running locally. I am using a self-signed certificate and the jwks URL is @ https://localhost:8443/openam/oauth2/connect/
Due to the SSL certificate being self-signed, I am getting an SSLHandshake exception, when the OIDC token is decoded. I tried using a custom rest template, by creating a custom JwtDecoder (as suggested in https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-decoder-dsl )
@Bean
public JwtDecoder jwtDecoder() {
NimbusJwtDecoder.withJwkSetUri("https://localhost:8443/openam/oauth2/connect").restOperations(myCustomRestTemplateThatAllowsSelfSignedCerts()).build();
}
But this decoder does not seem to be used. The OidcIdTokenDecoderFactory is being used to create the decoder. This class does not seem to allow us to pass in a custom jwtDecoder.
Why does the oauthResourceServer().jwt().decoder(customDecoder()) not work? How can i get the decoder to work with a jwks URI that is a website with a self-signed certificate?
One option i am thinking of is to add the self-signed certificate to the cacerts folder of my jdk.
OAuth2LoginAuthenticationFilter is calling OidcAuthorizationCodeAuthenticationProvider for OpenID authentication. To change the JwtDecoder that it uses, you should have a JwtDecoderFactory bean.
For example, you might have something like:
@Bean
public JwtDecoderFactory<ClientRegistration> customJwtDecoderFactory() {
return new CustomJwtDecoderFactory();
}
static class CustomJwtDecoderFactory implements JwtDecoderFactory<ClientRegistration> {
public JwtDecoder createDecoder(ClientRegistration reg) {
//...
return new CustomJwtDecoder();
}
}
Hopefully this answers at least part of your question.