Enabled all *JwtDecoderBuilders to set a custom JWT validator

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoders.java

@@ -89,9 +89,8 @@ public static <T extends JwtDecoder> T fromOidcIssuerLocation(String oidcIssuerL
 	@SuppressWarnings("unchecked")
 	public static <T extends JwtDecoder> T fromIssuerLocation(String issuer) {
 		Assert.hasText(issuer, "issuer cannot be empty");
-		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
 		OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
-		jwtDecoder.setJwtValidator(jwtValidator);
+		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).jwtValidator(jwtValidator).build();
 		return (T) jwtDecoder;
 	}
 
@@ -110,10 +109,9 @@ private static JwtDecoder withProviderConfiguration(Map<String, Object> configur
 		JwtDecoderProviderConfigurationUtils.validateIssuer(configuration, issuer);
 		OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
 		String jwkSetUri = configuration.get("jwks_uri").toString();
-		NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
-				.jwtProcessorCustomizer(JwtDecoderProviderConfigurationUtils::addJWSAlgorithms).build();
-		jwtDecoder.setJwtValidator(jwtValidator);
-		return jwtDecoder;
+		return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
+				.jwtProcessorCustomizer(JwtDecoderProviderConfigurationUtils::addJWSAlgorithms)
+				.jwtValidator(jwtValidator).build();
 	}
 
 }

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java

@@ -274,6 +274,8 @@ public static final class JwkSetUriJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private JwkSetUriJwtDecoderBuilder(String jwkSetUri) {
 			Assert.hasText(jwkSetUri, "jwkSetUri cannot be empty");
 			this.jwkSetUri = (rest) -> jwkSetUri;
@@ -394,12 +396,26 @@ JWTProcessor<SecurityContext> processor() {
 			return jwtProcessor;
 		}
 
+		/**
+		 * Configure the built {@link NimbusJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link JwkSetUriJwtDecoderBuilder} for further configurations
+		 */
+		public JwkSetUriJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusJwtDecoder}.
 		 * @return the configured {@link NimbusJwtDecoder}
 		 */
 		public NimbusJwtDecoder build() {
-			return new NimbusJwtDecoder(processor());
+			NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		private static URL toURL(String url) {
@@ -504,6 +520,8 @@ public static final class PublicKeyJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private PublicKeyJwtDecoderBuilder(RSAPublicKey key) {
 			Assert.notNull(key, "key cannot be null");
 			this.jwsAlgorithm = JWSAlgorithm.RS256;
@@ -558,12 +576,26 @@ JWTProcessor<SecurityContext> processor() {
 			return jwtProcessor;
 		}
 
+		/**
+		 * Configure the built {@link NimbusJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link PublicKeyJwtDecoderBuilder} for further configurations
+		 */
+		public PublicKeyJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusJwtDecoder}.
 		 * @return the configured {@link NimbusJwtDecoder}
 		 */
 		public NimbusJwtDecoder build() {
-			return new NimbusJwtDecoder(processor());
+			NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 	}
@@ -580,6 +612,8 @@ public static final class SecretKeyJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private SecretKeyJwtDecoderBuilder(SecretKey secretKey) {
 			Assert.notNull(secretKey, "secretKey cannot be null");
 			this.secretKey = secretKey;
@@ -619,12 +653,26 @@ public SecretKeyJwtDecoderBuilder jwtProcessorCustomizer(
 			return this;
 		}
 
+		/**
+		 * Configure the built {@link NimbusJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link SecretKeyJwtDecoderBuilder} for further configurations
+		 */
+		public SecretKeyJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusJwtDecoder}.
 		 * @return the configured {@link NimbusJwtDecoder}
 		 */
 		public NimbusJwtDecoder build() {
-			return new NimbusJwtDecoder(processor());
+			NimbusJwtDecoder jwtDecoder = new NimbusJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		JWTProcessor<SecurityContext> processor() {

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusReactiveJwtDecoder.java

@@ -320,6 +320,8 @@ public static final class JwkSetUriReactiveJwtDecoderBuilder {
 
 		private BiFunction<ReactiveRemoteJWKSource, ConfigurableJWTProcessor<JWKSecurityContext>, Mono<ConfigurableJWTProcessor<JWKSecurityContext>>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private JwkSetUriReactiveJwtDecoderBuilder(String jwkSetUri) {
 			Assert.hasText(jwkSetUri, "jwkSetUri cannot be empty");
 			this.jwkSetUri = (web) -> Mono.just(jwkSetUri);
@@ -402,12 +404,26 @@ JwkSetUriReactiveJwtDecoderBuilder jwtProcessorCustomizer(
 			return this;
 		}
 
+		/**
+		 * Configure the built {@link NimbusReactiveJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link JwkSetUriReactiveJwtDecoderBuilder} for further configurations
+		 */
+		public JwkSetUriReactiveJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusReactiveJwtDecoder}.
 		 * @return the configured {@link NimbusReactiveJwtDecoder}
 		 */
 		public NimbusReactiveJwtDecoder build() {
-			return new NimbusReactiveJwtDecoder(processor());
+			NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		Mono<JWSKeySelector<JWKSecurityContext>> jwsKeySelector(ReactiveRemoteJWKSource source) {
@@ -480,6 +496,8 @@ public static final class PublicKeyReactiveJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private PublicKeyReactiveJwtDecoderBuilder(RSAPublicKey key) {
 			Assert.notNull(key, "key cannot be null");
 			this.key = key;
@@ -518,12 +536,26 @@ public PublicKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(
 			return this;
 		}
 
+		/**
+		 * Configure the built {@link NimbusReactiveJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link PublicKeyReactiveJwtDecoderBuilder} for further configurations
+		 */
+		public PublicKeyReactiveJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusReactiveJwtDecoder}.
 		 * @return the configured {@link NimbusReactiveJwtDecoder}
 		 */
 		public NimbusReactiveJwtDecoder build() {
-			return new NimbusReactiveJwtDecoder(processor());
+			NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		Converter<JWT, Mono<JWTClaimsSet>> processor() {
@@ -556,6 +588,8 @@ public static final class SecretKeyReactiveJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<SecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private SecretKeyReactiveJwtDecoderBuilder(SecretKey secretKey) {
 			Assert.notNull(secretKey, "secretKey cannot be null");
 			this.secretKey = secretKey;
@@ -595,12 +629,26 @@ public SecretKeyReactiveJwtDecoderBuilder jwtProcessorCustomizer(
 			return this;
 		}
 
+		/**
+		 * Configure the built {@link NimbusReactiveJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link SecretKeyReactiveJwtDecoderBuilder} for further configurations
+		 */
+		public SecretKeyReactiveJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusReactiveJwtDecoder}.
 		 * @return the configured {@link NimbusReactiveJwtDecoder}
 		 */
 		public NimbusReactiveJwtDecoder build() {
-			return new NimbusReactiveJwtDecoder(processor());
+			NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		Converter<JWT, Mono<JWTClaimsSet>> processor() {
@@ -630,6 +678,8 @@ public static final class JwkSourceReactiveJwtDecoderBuilder {
 
 		private Consumer<ConfigurableJWTProcessor<JWKSecurityContext>> jwtProcessorCustomizer;
 
+		private OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefault();
+
 		private JwkSourceReactiveJwtDecoderBuilder(Function<SignedJWT, Flux<JWK>> jwkSource) {
 			Assert.notNull(jwkSource, "jwkSource cannot be null");
 			this.jwkSource = jwkSource;
@@ -665,12 +715,26 @@ public JwkSourceReactiveJwtDecoderBuilder jwtProcessorCustomizer(
 			return this;
 		}
 
+		/**
+		 * Configure the built {@link NimbusReactiveJwtDecoder} to use the given
+		 * {@link OAuth2TokenValidator} when validating incoming {@link Jwt}s.
+		 * @param jwtValidator the {@link OAuth2TokenValidator} to use
+		 * @return a {@link JwkSourceReactiveJwtDecoderBuilder} for further configurations
+		 */
+		public JwkSourceReactiveJwtDecoderBuilder jwtValidator(OAuth2TokenValidator<Jwt> jwtValidator) {
+			Assert.notNull(jwtValidator, "jwtValidator cannot be null");
+			this.jwtValidator = jwtValidator;
+			return this;
+		}
+
 		/**
 		 * Build the configured {@link NimbusReactiveJwtDecoder}.
 		 * @return the configured {@link NimbusReactiveJwtDecoder}
 		 */
 		public NimbusReactiveJwtDecoder build() {
-			return new NimbusReactiveJwtDecoder(processor());
+			NimbusReactiveJwtDecoder jwtDecoder = new NimbusReactiveJwtDecoder(processor());
+			jwtDecoder.setJwtValidator(this.jwtValidator);
+			return jwtDecoder;
 		}
 
 		Converter<JWT, Mono<JWTClaimsSet>> processor() {

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/ReactiveJwtDecoders.java

@@ -107,10 +107,9 @@ private static ReactiveJwtDecoder withProviderConfiguration(Map<String, Object>
 		JwtDecoderProviderConfigurationUtils.validateIssuer(configuration, issuer);
 		OAuth2TokenValidator<Jwt> jwtValidator = JwtValidators.createDefaultWithIssuer(issuer);
 		String jwkSetUri = configuration.get("jwks_uri").toString();
-		NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
-				.jwtProcessorCustomizer(ReactiveJwtDecoderProviderConfigurationUtils::addJWSAlgorithms).build();
-		jwtDecoder.setJwtValidator(jwtValidator);
-		return jwtDecoder;
+		return NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
+				.jwtProcessorCustomizer(ReactiveJwtDecoderProviderConfigurationUtils::addJWSAlgorithms)
+				.jwtValidator(jwtValidator).build();
 	}
 
 }