Make the reactive oauth stack more reactive by allowing JwtValidators in NimbusReactiveJwtDecoder to be reactive.

iain-henderson · iain-henderson · commit 8f73bbd8f981 · 2026-04-07T20:36:49.000-04:00
Signed-off-by: Iain Henderson &lt;Iain.henderson@mac.com&gt;
diff --git a/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java b/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java
@@ -96,7 +96,7 @@ public final class NimbusReactiveJwtDecoder implements ReactiveJwtDecoder {
 
 	private final Converter<JWT, Mono<JWTClaimsSet>> jwtProcessor;
 
-	private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+	private Converter<Jwt, Mono<Jwt>> jwtValidator;
 
 	private Converter<Map<String, Object>, Map<String, Object>> claimSetConverter = MappedJwtClaimSetConverter
 		.withDefaults(Collections.emptyMap());
@@ -302,6 +302,37 @@ private static <C extends SecurityContext> JWTClaimsSet createClaimsSet(JWTProce
 		}
 	}
 
+	/**
+	 * Use the provided {@link OAuth2TokenValidator} to validate incoming {@link Jwt}s.
+	 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+	 */
+	public void setJwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+		this.jwtValidator = jwt -> Mono.fromSupplier(() -> jwtValidator.validate(jwt))
+				.subscribeOn(Schedulers.boundedElastic())
+				.handle((result, sink) -> {
+					if (result.hasErrors()) {
+						Collection<OAuth2Error> errors = result.getErrors();
+						String validationErrorString = getJwtValidationExceptionMessage(errors);
+						sink.error(new JwtValidationException(validationErrorString, errors));
+					}
+					else {
+						sink.next(jwt);
+					}
+				});
+	}
+
+	/**
+	 * Use the provided {@link Converter} to validate incoming {@link Jwt}s.
+	 * This overrides the specified OAuth2TokenValidator, but allows for a purely reactive implementation.
+	 * @param jwtValidator the {@link Converter} to use
+	 * @since 7.1
+	 */
+	public void setJwtValidator(Converter<Jwt, Mono<Jwt>> jwtValidator) {
+		Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+		this.jwtValidator = jwtValidator;
+	}
+
 	/**
 	 * A builder for creating {@link NimbusReactiveJwtDecoder} instances based on a
 	 * <a target="_blank" href="https://tools.ietf.org/html/rfc7517#section-5">JWK Set</a>
