From b23427136127bf2d4a4aadee83a2d3aee7ee9b16 Mon Sep 17 00:00:00 2001
From: Avgustin Marinov
Date: Tue, 14 May 2024 16:59:05 +0300
Subject: [PATCH] Support for OAuth2 resource server with issuer URI (#1731)
Signed-off-by: Marinov Avgustin
---
 .../security/SecurityManagedConfiguration.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
index f18e55fb7..14d6e2be7 100644
--- a/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
+++ b/hawkbit-autoconfigure/src/main/java/org/eclipse/hawkbit/autoconfigure/security/SecurityManagedConfiguration.java
@@ -74,6 +74,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
 import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
@@ -528,7 +529,13 @@ public class SecurityManagedConfiguration {
 : null;
 Assert.notNull(clientRegistration, "There must be a valid client registration");
- http.oauth2ResourceServer(configurer -> configurer.jwt().jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri()));
+ http.oauth2ResourceServer(configurer -> configurer.jwt(configurer2 -> {
+ if (clientRegistration.getProviderDetails().getJwkSetUri() == null) {
+ configurer2.decoder(JwtDecoders.fromIssuerLocation(clientRegistration.getProviderDetails().getIssuerUri()));
+ } else {
+ configurer2.jwkSetUri(clientRegistration.getProviderDetails().getJwkSetUri());
+ }
+ }));
 oidcBearerTokenAuthenticationFilter.setClientRegistration(clientRegistration);
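Review bot: In the `else` branch, `configurer2.jwkSetUri(...)` builds a decoder that, with Spring Security's defaults, verifies the signature and timestamps but not the `iss` claim, whereas the new `JwtDecoders.fromIssuerLocation(...)` branch does enforce the issuer, so the two paths validate tokens to different strengths. If `getIssuerUri()` is populated in the JWK-set case, I would build the decoder explicitly and attach `JwtValidators.createDefaultWithIssuer(issuerUri)`, as sketched below (this needs imports for `NimbusJwtDecoder` and `JwtValidators`). Separately, when both URIs are null the failure surfaces from inside `fromIssuerLocation`, which also performs its discovery request while the filter chain is being configured; an `Assert.hasText(issuerUri, ...)` before the call would give a clearer startup error. The enclosing method starts and ends outside this hunk, so any issuer or audience check done elsewhere, for example in `oidcBearerTokenAuthenticationFilter`, is not visible here.

```java
http.oauth2ResourceServer(configurer -> configurer.jwt(configurer2 -> {
    final String jwkSetUri = clientRegistration.getProviderDetails().getJwkSetUri();
    final String issuerUri = clientRegistration.getProviderDetails().getIssuerUri();
    if (jwkSetUri == null) {
        // … unchanged: JwtDecoders.fromIssuerLocation(issuerUri) fallback …
    } else {
        final NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        if (issuerUri != null) {
            // keep the iss check that the issuer-location branch gets by default
            decoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuerUri));
        }
        configurer2.decoder(decoder);
    }
}));
```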