Update NimbusReactiveJwtDecoder to use a reactive JwtValidator and process non-reactive JwtValidators on the BoundedElastic scheduler

Signed-off-by: Iain Henderson <Iain.henderson@mac.com>

Author: iain-henderson

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java

@@ -57,6 +57,7 @@
 import com.nimbusds.jwt.proc.JWTProcessor;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
+import reactor.core.scheduler.Schedulers;
 import reactor.util.function.Tuple2;
 import reactor.util.function.Tuples;
 
@@ -96,7 +97,7 @@ public final class NimbusReactiveJwtDecoder implements ReactiveJwtDecoder {
 
 	private final Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor;
 
-	private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+	private Converter<Jwt, Mono<Jwt>> jwtValidator;
 
 	private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = MappedJwtClaimSetConverter
 		.withDefaults(Collections.emptyMap());
@@ -126,13 +127,35 @@ public NimbusReactiveJwtDecoder(RSAPublicKey publicKey) {
 	 */
 	public NimbusReactiveJwtDecoder(Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor) {
 		this.jwtProcessor = jwtProcessor;
+		setJwtValidator(JwtValidators.createDefault());
 	}
 
 	/**
 	 * Use the provided {@link OAuth2TokenValidator} to validate incoming {@link Jwt}s.
 	 * @param jwtValidator the {@link OAuth2TokenValidator} to use
 	 */
 	public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+		this.jwtValidator = jwt -> Mono.fromSupplier(() -> jwtValidator.validate(jwt))
+				.subscribeOn(Schedulers.boundedElastic())
+				.handle((result, sink) -> {
+					if (result.hasErrors()) {
+						Collection<OAuth2Error> errors = result.getErrors();
+						String validationErrorString = getJwtValidationExceptionMessage(errors);
+						sink.error(new JwtValidationException(validationErrorString, errors));
+					}
+					else {
+						sink.next(jwt);
+					}
+				});
+	}
+
+	/**
+	 * Use the provided {@link Converter} to validate incoming {@link Jwt}s.
+	 * This overrides the {@link OAuth2TokenValidator}, but allows for reactive validation.
+	 * @param jwtValidator the {@link Converter} to use
+	 */
+	public void setJwtValidator(Converter<Jwt, Mono<Jwt>> jwtValidator) {
 		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
 		this.jwtValidator = jwtValidator;
 	}
@@ -166,7 +189,7 @@ private Mono<Jwt> decode(JWT parsedToken) {
 			// @formatter:off
 			return this.jwtProcessor.convert(parsedToken)
 					.map((set) -> createJwt(parsedToken, set))
-					.map(this::validateJwt)
+					.flatMap(jwtValidator::convert)
 					.onErrorMap((ex) -> !(ex instanceof IllegalStateException) && !(ex instanceof JwtException),
 							(ex) -> new JwtException("An error occurred while attempting to decode the Jwt: ", ex));
 			// @formatter:on