Skip to content

Inconsistent handling of empty string values of spring.security.oauth2.resourceserver.jwt issuer-uri and jwk-set-uri#50755

Merged
wilkinsona merged 2 commits into
spring-projects:4.0.xfrom
codingkiddo:fix/empty-jwk-set-uri-condition
Jun 24, 2026
Merged

Inconsistent handling of empty string values of spring.security.oauth2.resourceserver.jwt issuer-uri and jwk-set-uri#50755
wilkinsona merged 2 commits into
spring-projects:4.0.xfrom
codingkiddo:fix/empty-jwk-set-uri-condition

Conversation

@codingkiddo

@codingkiddo codingkiddo commented Jun 11, 2026

Copy link
Copy Markdown
Contributor

Fixes gh-50753

This updates JWT decoder auto-configuration so that an empty
spring.security.oauth2.resourceserver.jwt.jwk-set-uri value is treated as
absent.

Previously, the JWK Set URI based decoder could be created when the property was
present but empty. When issuer-uri was also configured, this could result in
both the JWK Set URI based decoder and the issuer-uri based decoder being
created.

A regression test has been added for the case where issuer-uri is configured
and jwk-set-uri is present with an empty value.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 11, 2026
@priyanshuvishwakarma273403

This comment was marked as outdated.

Sign in to view
@philwebb

This comment was marked as outdated.

Sign in to view
@wilkinsona wilkinsona changed the title Treat empty JWK Set URI as absent Inconsistent handling of empty string values of spring.security.oauth2.resourceserver.jwt issuer-uri and jwk-set-uri Jun 24, 2026
@wilkinsona wilkinsona mentioned this pull request Jun 24, 2026
Closed
@wilkinsona wilkinsona added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 24, 2026
@wilkinsona wilkinsona added this to the 4.0.x milestone Jun 24, 2026
@wilkinsona wilkinsona self-assigned this Jun 24, 2026
@codingkiddo @wilkinsona
Treat empty JWK Set URI as absent
8eb3b03 
Signed-off-by: Vinod Kumar <codingkiddo@gmail.com>

See spring-projectsgh-50755
@wilkinsona wilkinsona changed the base branch from main to 4.0.x June 24, 2026 16:46
@wilkinsona wilkinsona force-pushed the fix/empty-jwk-set-uri-condition branch from 2376887 to 4eeac6a Compare June 24, 2026 16:46
wilkinsona added a commit to codingkiddo/spring-boot that referenced this pull request Jun 24, 2026
@wilkinsona
Polish "Treat empty JWK Set URI as absent"
4eeac6a 
See spring-projectsgh-50755
@wilkinsona
Polish "Treat empty JWK Set URI as absent"
a495492 
See spring-projectsgh-50755

Signed-off-by: Andy Wilkinson <andy.wilkinson@broadcom.com>
@wilkinsona wilkinsona force-pushed the fix/empty-jwk-set-uri-condition branch from 4eeac6a to a495492 Compare June 24, 2026 16:48
@wilkinsona wilkinsona mentioned this pull request Jun 24, 2026
Closed
@wilkinsona wilkinsona modified the milestones: 4.0.x, 4.0.8 Jun 24, 2026
@wilkinsona wilkinsona merged commit 4fe692e into spring-projects:4.0.x Jun 24, 2026
4 checks passed
@wilkinsona

wilkinsona commented Jun 24, 2026

Copy link
Copy Markdown
Member

Thank you, @codingkiddo!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@wilkinsona wilkinsona

Labels

type: bug A general bug

Projects

None yet

Milestone

4.0.8

Development

Successfully merging this pull request may close these issues.

Inconsistent configuration of jwk-set-uri and issuer-uri

5 participants

@codingkiddo @priyanshuvishwakarma273403 @philwebb @wilkinsona @spring-projects-issues