spring-projects · wilkinsona · Jun 24, 2026 · Jun 11, 2026 · Jun 24, 2026
diff --git a/.../boot/security/oauth2/server/resource/autoconfigure/ConditionalOnJwkSetUriJwtDecoder.java b/.../boot/security/oauth2/server/resource/autoconfigure/ConditionalOnJwkSetUriJwtDecoder.java
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.oauth2.server.resource.autoconfigure;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.context.annotation.Conditional;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
+
+/**
+ * Condition that matches when a JWK Set URI based {@link NimbusJwtDecoder} or
+ * {@link NimbusReactiveJwtDecoder} should be used.
+ *
+ * @author Andy Wilkinson
+ * @since 4.0.8
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.TYPE, ElementType.METHOD })
+@Documented
+@Conditional(JwkSetUriCondition.class)
+public @interface ConditionalOnJwkSetUriJwtDecoder {
+
+}
diff --git a/...pringframework/boot/security/oauth2/server/resource/autoconfigure/JwkSetUriCondition.java b/...pringframework/boot/security/oauth2/server/resource/autoconfigure/JwkSetUriCondition.java
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2012-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.boot.security.oauth2.server.resource.autoconfigure;
+
+import org.springframework.boot.autoconfigure.condition.ConditionMessage;
+import org.springframework.boot.autoconfigure.condition.ConditionOutcome;
+import org.springframework.boot.autoconfigure.condition.SpringBootCondition;
+import org.springframework.context.annotation.ConditionContext;
+import org.springframework.core.env.Environment;
+import org.springframework.core.type.AnnotatedTypeMetadata;
+import org.springframework.util.StringUtils;
+
+/**
+ * Condition for creating a JWT decoder using a JWK Set URI.
+ *
+ * @author Vinod Kumar M
+ */
+class JwkSetUriCondition extends SpringBootCondition {
+
+	@Override
+	public ConditionOutcome getMatchOutcome(ConditionContext context, AnnotatedTypeMetadata metadata) {
+		ConditionMessage.Builder message = ConditionMessage.forCondition("JWK Set URI Condition");
+		Environment environment = context.getEnvironment();
+		String jwkSetUri = environment.getProperty("spring.security.oauth2.resourceserver.jwt.jwk-set-uri");
+		if (!StringUtils.hasText(jwkSetUri)) {
+			return ConditionOutcome.noMatch(message.didNotFind("jwk-set-uri property").atAll());
+		}
+		return ConditionOutcome.match(message.foundExactly("jwk-set-uri property"));
+	}
+
+}
diff --git a/.../server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerJwtConfiguration.java b/.../server/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerJwtConfiguration.java
@@ -35,6 +35,7 @@
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnIssuerLocationJwtDecoder;
+import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnJwkSetUriJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnPublicKeyJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
 import org.springframework.context.annotation.Bean;
@@ -92,7 +93,7 @@ static class JwtConfiguration {
 		}
 
 		@Bean
-		@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
+		@ConditionalOnJwkSetUriJwtDecoder
 		ReactiveJwtDecoder jwtDecoder(ObjectProvider<JwkSetUriReactiveJwtDecoderBuilderCustomizer> customizers) {
 			String jwkSetUri = this.properties.getJwkSetUri();
 			Assert.state(jwkSetUri != null, "'jwkSetUri' must not be null");

diff --git a/...ty/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerJwtConfiguration.java b/...ty/oauth2/server/resource/autoconfigure/servlet/OAuth2ResourceServerJwtConfiguration.java
@@ -36,6 +36,7 @@
 import org.springframework.boot.context.properties.source.InvalidConfigurationPropertyValueException;
 import org.springframework.boot.security.autoconfigure.web.servlet.ConditionalOnDefaultWebSecurity;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnIssuerLocationJwtDecoder;
+import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnJwkSetUriJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.ConditionalOnPublicKeyJwtDecoder;
 import org.springframework.boot.security.oauth2.server.resource.autoconfigure.OAuth2ResourceServerProperties;
 import org.springframework.context.annotation.Bean;
@@ -92,7 +93,7 @@ static class JwtDecoderConfiguration {
 		}
 
 		@Bean
-		@ConditionalOnProperty(name = "spring.security.oauth2.resourceserver.jwt.jwk-set-uri")
+		@ConditionalOnJwkSetUriJwtDecoder
 		JwtDecoder jwtDecoderByJwkKeySetUri(ObjectProvider<JwkSetUriJwtDecoderBuilderCustomizer> customizers) {
 			JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(this.properties.getJwkSetUri())
 				.jwsAlgorithms(this::jwsAlgorithms);

diff --git a/...r/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java b/...r/resource/autoconfigure/reactive/ReactiveOAuth2ResourceServerAutoConfigurationTests.java
@@ -444,6 +444,18 @@ void autoConfigurationWhenJwkSetUriAndIntrospectionUriAvailable() {
 			});
 	}
 
+	@Test
+	void autoConfigurationWhenIssuerUriPresentAndJwkSetUriEmptyShouldUseIssuerUri() {
+		this.contextRunner
+			.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer-uri.com",
+					"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=")
+			.run((context) -> {
+				assertThat(context).hasSingleBean(ReactiveJwtDecoder.class);
+				assertThat(context.containsBean("jwtDecoder")).isFalse();
+				assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
+			});
+	}
+
 	@Test
 	void opaqueTokenIntrospectorIsConditionalOnMissingBean() {
 		this.contextRunner

diff --git a/...th2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfigurationTests.java b/...th2/server/resource/autoconfigure/servlet/OAuth2ResourceServerAutoConfigurationTests.java
@@ -363,6 +363,18 @@ void autoConfigurationWhenSetUriKeyLocationAndIssuerUriPresentShouldUseSetUri()
 			});
 	}
 
+	@Test
+	void autoConfigurationWhenIssuerUriPresentAndJwkSetUriEmptyShouldUseIssuerUri() {
+		this.contextRunner
+			.withPropertyValues("spring.security.oauth2.resourceserver.jwt.issuer-uri=https://issuer-uri.com",
+					"spring.security.oauth2.resourceserver.jwt.jwk-set-uri=")
+			.run((context) -> {
+				assertThat(context).hasSingleBean(JwtDecoder.class);
+				assertThat(context.containsBean("jwtDecoderByJwkKeySetUri")).isFalse();
+				assertThat(context.containsBean("jwtDecoderByIssuerUri")).isTrue();
+			});
+	}
+
 	@Test
 	void autoConfigurationWhenKeyLocationAndIssuerUriPresentShouldUseIssuerUri() throws Exception {
 		this.server = new MockWebServer();