Simplify at+jwt validation

[jzheaux]

at+jwt validation was added in 6.x, and it would be nice if this were the simplest validation method to add, given that it is a standard for JWT validation.

Some ways to achieve this are:

• Add Nimbus(Reactive)JwtDecoder builders that adhere to RFC 9068
• Add Nimbus(Reactive)AtJwtDecoder implmentations that adhere to RFC 9068

This may require deprecating Nimbus(Reactive)JwtDecoder or some of their builders.

The DSL should also be considered. Perhaps something like:

oauth2ResourceServer((oauth2) -> oauth2
    .atJwt()
        .issuer(...)
        .audience(...)
)

Note that this ticket remains a work in progress and is not ideal for contribution at this time.

[gbaso]

I would love to see this functionality, but I feel that at the moment the at+jwt validator (built from AtJwtBuilder) is unnecessarily stringent. Specifically, the builder requires you to specify a single client_id, and access tokens issued to other clients will be rejected. RFC 9068 does require that client_id is present, but if I'm interpreting it correctly it is not required that it has to be a specific value, or that a resource server can only accept a specific value.

In fact, for the client_credentials flow, it is perfectly normal to have multiple clients with distinct client_ids that obtain tokens from the same issuer, and to then call the same resource server. For example, different departments using the corporate issuer with different scopes. Such client_ids would change over time and not be known to the resource server beforehand.

On the other hand, one could implement their own validator without this issue, but AtJwtBuilder does a lot of heavy lifting and it would be disappointing to not be able to rely on it.

[jzheaux]

Hi, @gbaso, thanks for the insight about AtJwtBuilder. Perhaps there should be a separate ticket that sets checking for client_id's existence as the default, e.g., the constructor could add:

this.validators.put("client_id", require("client_id"));

This could then be optionally replaced by calling the clientId builder method, but would not be required.

Would you be interested in submitting a PR to relax that requirement or opening an issue if you feel there is more to be discussed?

In the meantime, note that you can specify something more lenient yourself already by calling the validators method on the builder.

[gbaso]

@jzheaux I have opened #18890 to address the proposed changes.