Remove Deprecated Usages of RemoteJWKSet #16296

Open
wants to merge 6 commits into
base: main

kwondh5217

close gh-16251

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 17, 2024
@kwondh5217 kwondh5217 changed the title Remove Deprecated Usages of RemoteJWKSet gh-16251 Remove Deprecated Usages of RemoteJWKSet Jan 7, 2025
@jzheaux jzheaux self-assigned this Jan 16, 2025
Contributor

@jzheaux jzheaux left a comment

Thanks, @kwondh5217, for the PR! I've left some feedback inline.

private static final class SpringJWKSetCache implements JWKSetCache {
private static final class SpringURLBasedJWKSource<C extends SecurityContext> implements JWKSource<C> {

private final URLBasedJWKSetSource urlBasedJWKSetSource;
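
Review bot: the new field `private final URLBasedJWKSetSource urlBasedJWKSetSource;` is declared as a raw type even though the enclosing `SpringURLBasedJWKSource<C extends SecurityContext>` carries the context type parameter. Declaring it as `URLBasedJWKSetSource<C>` keeps the context type checked where the source is called and avoids unchecked warnings.
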
Contributor

Since we are doing our own implementation of JWKSource, it should be possible to use RestOperations and Cache directly instead of implementing additional Nimbus interfaces.

Author

Hi @jzheaux, I have a couple of questions regarding the feedback:

  1. Regarding "Since we are doing our own implementation of JWKSource, it should be possible to use RestOperations and Cache directly instead of implementing additional Nimbus interfaces":

    Does this mean we should replace the custom SpringJWKSetCache implementation with direct usage of Spring's Cache?

  2. I am also considering whether to streamline the code by either:

    • Using RestOperations directly, or
    • Using RestOperationsResourceRetriever

Below are the two possible approaches:

  • Direct RestOperations:

    private static final class SpringURLBasedJWKSource<C extends SecurityContext> implements JWKSource<C> {
    
        private final RestOperations restOperations;
    
        // Implementation logic uses restOperations directly
    }
  • Using ResourceRetriever:

    private static final class SpringURLBasedJWKSource<C extends SecurityContext> implements JWKSource<C> {
    
        private final ResourceRetriever resourceRetriever;
    
        // Implementation logic continues to leverage resourceRetriever
    }

Would it be better to reuse the already implemented RestOperationsResourceRetriever, or to use RestOperations directly within the class?

If we go with the direct RestOperations approach, should the RestOperationsResourceRetriever implementation be removed entirely?

Thank you for your feedback!

if (this.cache == null) {
return new RemoteJWKSet<>(toURL(jwkSetUri), jwkSetRetriever);
URLBasedJWKSetSource urlBasedJWKSetSource = new URLBasedJWKSetSource(toURL(jwkSetUri), jwkSetRetriever);
if(this.cache == null) {
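
Review bot: the re-added guard is written `if(this.cache == null) {`, dropping the space after `if` that the line it replaces, `if (this.cache == null) {`, had; restore the space to match the surrounding style. On the line above it, `new URLBasedJWKSetSource(toURL(jwkSetUri), jwkSetRetriever)` is instantiated without a type argument where the removed `new RemoteJWKSet<>(...)` used the diamond, so `new URLBasedJWKSetSource<>(...)` would keep the type inferred.
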
Contributor

Let's update this so that the member variable is set to NoOpCache. In this way, the null checking here and downstream is unnecessary.

@jzheaux jzheaux added type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 16, 2025
@jzheaux jzheaux changed the title gh-16251 Remove Deprecated Usages of RemoteJWKSet Remove Deprecated Usages of RemoteJWKSet Jan 16, 2025
if (this.jwkSetCache != null) {
JWKSet jwkSet = this.jwkSetCache.get();
if (this.jwkSetCache.requiresRefresh() || jwkSet == null) {
synchronized (this) {
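
Review bot: the staleness test `this.jwkSetCache.requiresRefresh() || jwkSet == null` runs before `synchronized (this)` is entered, so the block should repeat it before fetching; otherwise every thread that observed the stale cache refetches the JWK set in turn once it gets the monitor. Re-read `this.jwkSetCache.get()` after acquiring the lock and return early when another thread has already refreshed it.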

Could you please replace this synchronized statement with a ReentrantLock? Otherwise this could cause thread pinning with virtual threads.

Author

@holzerch Thank you for the feedback!
I’ll replace the synchronized block with a ReentrantLock as suggested.
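
The locking change requested in this thread, as an added example that is not code from the pull request or from Spring Security: a cached JWK set refreshed under a `ReentrantLock`, with the freshness check repeated after the lock is taken. `RefreshingJwkSetHolder`, its `Entry` record and the `Supplier<String>` standing in for the HTTP fetch are hypothetical names; Java 21 is assumed for the virtual threads in `main`.

```java
import java.time.Duration;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Supplier;

// Added example: hypothetical names, not Spring Security or Nimbus classes.
final class RefreshingJwkSetHolder {
    private record Entry(String jwkSetJson, long expiresAtNanos) { } // cached JSON plus its deadline
    private final ReentrantLock refreshLock = new ReentrantLock();
    private final Supplier<String> fetcher; // stands in for the HTTP GET of the JWK set URI
    private final long timeToLiveNanos;
    private volatile Entry entry; // volatile: the fast path reads it without the lock

    RefreshingJwkSetHolder(Supplier<String> fetcher, Duration timeToLive) {
        this.fetcher = fetcher;
        this.timeToLiveNanos = timeToLive.toNanos();
    }

    String get() {
        Entry current = this.entry;
        if (isFresh(current)) {
            return current.jwkSetJson();
        }
        this.refreshLock.lock(); // holding a ReentrantLock does not pin a virtual thread to its carrier
        try {
            current = this.entry; // re-check: another thread may have refreshed while this one waited
            if (!isFresh(current)) {
                current = new Entry(this.fetcher.get(), System.nanoTime() + this.timeToLiveNanos);
                this.entry = current;
            }
            return current.jwkSetJson();
        } finally {
            this.refreshLock.unlock();
        }
    }

    private static boolean isFresh(Entry e) {
        return e != null && System.nanoTime() - e.expiresAtNanos() < 0;
    }

    public static void main(String[] args) throws InterruptedException {
        AtomicInteger fetches = new AtomicInteger();
        RefreshingJwkSetHolder holder = new RefreshingJwkSetHolder(
                () -> { fetches.incrementAndGet(); return "{\"keys\":[]}"; }, // constructed payload
                Duration.ofMinutes(5));
        Thread[] threads = new Thread[8];
        for (int i = 0; i < threads.length; i++) {
            threads[i] = Thread.ofVirtual().start(holder::get); // Java 21+
        }
        for (Thread t : threads) { t.join(); }
        System.out.println("fetches performed: " + fetches.get());
    }
}
```

Without the second `isFresh` check inside the lock, each of the eight threads that found the cache empty would call the fetcher once it acquired the lock.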

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement
Development

Successfully merging this pull request may close these issues.

Remove Deprecated Usages of RemoteJWKSet
4 participants