enhancement for NimbusJwtEncoder to supporting key rotation

douxf · douxf · commit 361347f64b40 · 2025-02-05T09:25:05.000+08:00
close 16170
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoder.java
@@ -111,7 +111,8 @@ private JWK selectJwk(JwsHeader headers) {
 		try {
 			JWKSelector jwkSelector = new JWKSelector(createJwkMatcher(headers));
 			jwks = this.jwkSource.get(jwkSelector, null);
-		} catch (Exception ex) {
+		}
+		catch (Exception ex) {
 			throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
 					"Failed to select a JWK signing key -> " + ex.getMessage()), ex);
 		}
@@ -139,7 +140,8 @@ private String serialize(JwsHeader headers, JwtClaimsSet claims, JWK jwk) {
 		SignedJWT signedJwt = new SignedJWT(jwsHeader, jwtClaimsSet);
 		try {
 			signedJwt.sign(jwsSigner);
-		} catch (JOSEException ex) {
+		}
+		catch (JOSEException ex) {
 			throw new JwtEncodingException(
 					String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to sign the JWT -> " + ex.getMessage()), ex);
 		}
@@ -159,7 +161,8 @@ private static JWKMatcher createJwkMatcher(JwsHeader headers) {
 					.x509CertSHA256Thumbprint(Base64URL.from(headers.getX509SHA256Thumbprint()))
 					.build();
 			// @formatter:on
-		} else if (JWSAlgorithm.Family.HMAC_SHA.contains(jwsAlgorithm)) {
+		}
+		else if (JWSAlgorithm.Family.HMAC_SHA.contains(jwsAlgorithm)) {
 			// @formatter:off
 			return new JWKMatcher.Builder()
 					.keyType(KeyType.forAlgorithm(jwsAlgorithm))
@@ -197,7 +200,8 @@ private static JwsHeader addKeyIdentifierHeadersIfNecessary(JwsHeader headers, J
 	private static JWSSigner createSigner(JWK jwk) {
 		try {
 			return JWS_SIGNER_FACTORY.createJWSSigner(jwk);
-		} catch (JOSEException ex) {
+		}
+		catch (JOSEException ex) {
 			throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
 					"Failed to create a JWS Signer -> " + ex.getMessage()), ex);
 		}
@@ -214,7 +218,8 @@ private static JWSHeader convert(JwsHeader headers) {
 		if (!CollectionUtils.isEmpty(jwk)) {
 			try {
 				builder.jwk(JWK.parse(jwk));
-			} catch (Exception ex) {
+			}
+			catch (Exception ex) {
 				throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
 						"Unable to convert '" + JoseHeaderNames.JWK + "' JOSE header"), ex);
 			}
@@ -331,7 +336,8 @@ private static JWTClaimsSet convert(JwtClaimsSet claims) {
 	private static URI convertAsURI(String header, URL url) {
 		try {
 			return url.toURI();
-		} catch (Exception ex) {
+		}
+		catch (Exception ex) {
 			throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE,
 					"Unable to convert '" + header + "' JOSE header to a URI"), ex);
 		}
diff --git a/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java b/oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtEncoderTests.java
@@ -108,7 +108,7 @@ public void encodeWhenJwkSelectFailedThenThrowJwtEncodingException() throws Exce
 	}
 
 	@Test
-	public void encodeWhenJwkMultipleSelectedThenThrowJwtEncodingException() throws Exception {
+	public void encodeWhenJwkMultipleSelectedThenThrowJwtEncodingException() {
 		RSAKey rsaJwk = TestJwks.DEFAULT_RSA_JWK;
 		this.jwkList.add(rsaJwk);
 		this.jwkList.add(rsaJwk);
@@ -122,7 +122,7 @@ public void encodeWhenJwkMultipleSelectedThenThrowJwtEncodingException() throws
 	}
 
 	@Test
-	public void encodeWhenJwkMultipleSelectedWithJwkSelector() throws Exception {
+	public void encodeWhenJwkMultipleSelectedWithJwkSelector() {
 		RSAKey rsaJwk = TestJwks.DEFAULT_RSA_JWK;
 		this.jwkList.add(rsaJwk);
 		this.jwkList.add(rsaJwk);
@@ -131,17 +131,16 @@ public void encodeWhenJwkMultipleSelectedWithJwkSelector() throws Exception {
 		JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
 		JwtClaimsSet jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
 
-		Jwt encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwtClaimsSet));
+		Jwt encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwsHeader,jwtClaimsSet));
 		assertThat(encodedJws.getHeaders()).containsEntry(JoseHeaderNames.ALG, SignatureAlgorithm.RS256);
 
-		this.jwtEncoder.setJwkSelector(jwkSelector -> jwkSelector.get(jwkSelector.size()-1));
-		 jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
-		 encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwtClaimsSet));
+		this.jwtEncoder.setJwkSelector(jwkSelector -> jwkSelector.get(jwkSelector.size() - 1));
+		jwtClaimsSet = TestJwtClaimsSets.jwtClaimsSet().build();
+		encodedJws = this.jwtEncoder.encode(JwtEncoderParameters.from(jwtClaimsSet));
 		assertThat(encodedJws.getHeaders()).containsEntry(JoseHeaderNames.ALG, SignatureAlgorithm.RS256);
 		this.jwtEncoder.setJwkSelector(null);
 	}
 
-
 	@Test
 	public void encodeWhenJwkSelectEmptyThenThrowJwtEncodingException() {
 		JwsHeader jwsHeader = JwsHeader.with(SignatureAlgorithm.RS256).build();
