From 13f9344c0d038baed219ee24576622b8299a0b85 Mon Sep 17 00:00:00 2001 From: Stanislav Deviatykh Date: Fri, 3 Oct 2025 13:40:17 +0300 Subject: [PATCH 1/2] feat: add jwtDecoderCustomizer to McpServerOAuth2Configurer --- .../server/config/McpServerOAuth2Configurer.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java b/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java index 86fbc84..51077e1 100644 --- a/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java +++ b/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java @@ -54,6 +54,8 @@ public class McpServerOAuth2Configurer extends AbstractHttpConfigurer jwtDecoderCustomizer = null; + public McpServerOAuth2Configurer authorizationServer(String issuerUri) { this.issuerUri = issuerUri; return this; @@ -90,6 +92,11 @@ public McpServerOAuth2Configurer validateAudienceClaim(boolean validateAudienceC return this; } + public McpServerOAuth2Configurer jwtDecoderCustomizer(Consumer jwtDecoderCustomizer) { + this.jwtDecoderCustomizer = jwtDecoderCustomizer; + return this; + } + @Override public void init(HttpSecurity http) throws Exception { Assert.notNull(this.issuerUri, "authorizationServer cannot be null"); @@ -113,7 +120,12 @@ public void init(HttpSecurity http) throws Exception { } private JwtDecoder getJwtDecoder(HttpSecurity http) { - var decoder = NimbusJwtDecoder.withIssuerLocation(this.issuerUri).build(); + var builder = NimbusJwtDecoder.withIssuerLocation(this.issuerUri); + if (this.jwtDecoderCustomizer != null) { + this.jwtDecoderCustomizer.accept(builder); + } + + var decoder = builder.build(); if (this.validateAudienceClaim) { OAuth2TokenValidator jwtValidator = JwtValidators 
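Review bot: The public `jwtDecoderCustomizer(...)` setter added in the second hunk has no Javadoc, and when it takes effect can only be learned by reading `getJwtDecoder` in the third hunk. There the customizer is applied to the `NimbusJwtDecoder.withIssuerLocation(this.issuerUri)` builder before `build()`, and the audience validator is only created afterwards, inside `if (this.validateAudienceClaim)`, whose body continues outside the hunk. I would add `/** Customize the decoder builder created from the authorization server's issuer location before build() is called; a null customizer leaves the default builder untouched. */` above the setter.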
From 937acc57e7b5e80b5a75d5685f1f357da463c27d Mon Sep 17 00:00:00 2001 From: Stanislav Deviatykh Date: Sat, 4 Oct 2025 11:47:04 +0300 Subject: [PATCH 2/2] Add jwtDecoder --- .../config/McpServerOAuth2Configurer.java | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java b/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java index 51077e1..8134196 100644 --- a/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java +++ b/mcp-server-security/src/main/java/org/springaicommunity/mcp/security/server/config/McpServerOAuth2Configurer.java @@ -54,7 +54,7 @@ public class McpServerOAuth2Configurer extends AbstractHttpConfigurer jwtDecoderCustomizer = null; + private NimbusJwtDecoder decoder = null; public McpServerOAuth2Configurer authorizationServer(String issuerUri) { this.issuerUri = issuerUri; @@ -92,8 +92,8 @@ public McpServerOAuth2Configurer validateAudienceClaim(boolean validateAudienceC return this; } - public McpServerOAuth2Configurer jwtDecoderCustomizer(Consumer jwtDecoderCustomizer) { - this.jwtDecoderCustomizer = jwtDecoderCustomizer; + public McpServerOAuth2Configurer jwtDecoder(NimbusJwtDecoder decoder) { + this.decoder = decoder; return this; } 
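Review bot: `jwtDecoder(NimbusJwtDecoder decoder)` in the second hunk is a public setter with no Javadoc, and it quietly moves responsibility for the key source and issuer checks to the caller. A supplied decoder is used in place of the one built from `issuerUri` (see `buildJwtDecoder` in the next hunk). Meanwhile `init` appears to still require `authorizationServer(...)`, judging by the `Assert.notNull(this.issuerUri, ...)` context line in the previous patch, so the configured authorization server and the issuer the decoder actually trusts can differ. I would add `/** Use this decoder instead of one built from the authorization server's issuer location; the caller must configure its key source and issuer validation. Passing null restores the default. */` above the method.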
@@ -108,24 +108,22 @@ public void init(HttpSecurity http) throws Exception { .setProtectedResourceMetadataCustomizer(getProtectedMetadataCustomizer()); var entryPoint = new BearerResourceMetadataTokenAuthenticationEntryPoint(this.resourceIdentifier); + var jwtDecoder = buildJwtDecoder(); //@formatter:off http .oauth2ResourceServer(resourceServer -> { - resourceServer.jwt(jwt -> jwt.decoder(getJwtDecoder(http))); + resourceServer.jwt(jwt -> jwt.decoder(jwtDecoder)); resourceServer.authenticationEntryPoint(entryPoint); }) .addFilterBefore(protectedResourceMetadataEndpointFilter, AbstractPreAuthenticatedProcessingFilter.class); //@formatter:on } - private JwtDecoder getJwtDecoder(HttpSecurity http) { - var builder = NimbusJwtDecoder.withIssuerLocation(this.issuerUri); - if (this.jwtDecoderCustomizer != null) { - this.jwtDecoderCustomizer.accept(builder); - } - - var decoder = builder.build(); + private JwtDecoder buildJwtDecoder() { + var decoder = this.decoder != null + ? this.decoder + : NimbusJwtDecoder.withIssuerLocation(this.issuerUri).build(); if (this.validateAudienceClaim) { OAuth2TokenValidator jwtValidator = JwtValidators
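Review bot: In `buildJwtDecoder`, a caller-supplied `this.decoder` goes through the same `if (this.validateAudienceClaim)` branch as the default decoder, so the validator built there is applied to an object the caller owns. The rest of that branch is outside the hunk, but if it ends in `decoder.setJwtValidator(jwtValidator)` it would replace any issuer or custom-claim validator the caller configured rather than add to it. When the flag is false, nothing in this method ties the supplied decoder to `issuerUri`. Consider basing the installed validator on `JwtValidators.createDefaultWithIssuer(this.issuerUri)` combined with the audience check. A comment such as `// validators set on a supplied decoder are replaced here when validateAudienceClaim is true` would also help.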