Feature/reactive oauth2 token validator #18506

Open
iain-henderson wants to merge 3 commits into spring-projects:main from iain-henderson:feature/reactive-oauth2-token-validator
@iain-henderson

OAuth2TokenValidators are currently synchronous only. If a validator has an asynchronous dependency it cannot be used.

This PR updates NimbusReactiveJwtDecoder to utilize ReactiveOAuth2TokenValidator and adds a ReactiveWrappingOAuth2TokenValidator to facilitate using OAuth2TokenValidators in a reactive context.

@spring-projects-issues added the "status: waiting-for-triage" (An issue we've not yet triaged) label Jan 16, 2026
@jgrandja
Contributor

@iain-henderson

You are right, when the OAuth2TokenValidator is called by NimbusReactiveJwtDecoder it will block the reactor event loop if the OAuth2TokenValidator performs a synchronous operation.

I'm actually very surprised that this is coming up just now given that NimbusReactiveJwtDecoder was introduced in 5.1. I guess it hasn't been an issue thus far.

Regardless, it is an issue that could happen. However, instead of introducing a new API, this can be solved quite easily by wrapping the validation in Mono.fromSupplier(supplier).subscribeOn(Schedulers.boundedElastic()). This pattern is already being used here:

This would be the preference over introducing a new API and associated implementations.
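
The offloading pattern suggested in the comment above, as an added example that is not part of this PR or of Spring Security's own code. The class `OffloadedJwtValidation`, the `validate` helper, the `blockingDenyList` validator and the sample token are hypothetical; it assumes `spring-security-oauth2-jose` and `reactor-core` are on the classpath.

```java
import java.time.Duration;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

public class OffloadedJwtValidation {

    // Runs a synchronous validator on boundedElastic so a blocking call inside it
    // never executes on the subscribing thread (for example a Netty event-loop thread).
    static Mono<Jwt> validate(OAuth2TokenValidator<Jwt> validator, Jwt jwt) {
        return Mono.fromSupplier(() -> validator.validate(jwt))
            .subscribeOn(Schedulers.boundedElastic())
            .flatMap(result -> result.hasErrors()
                ? Mono.<Jwt>error(new JwtValidationException("Token rejected", result.getErrors()))
                : Mono.just(jwt));
    }

    public static void main(String[] args) {
        // Constructed sample token: placeholder claims, nothing is signed or verified here.
        Jwt jwt = Jwt.withTokenValue("constructed-token")
            .header("alg", "none")
            .claim("jti", "revoked-id")
            .build();

        // Hypothetical validator standing in for a blocking lookup such as a deny list.
        OAuth2TokenValidator<Jwt> blockingDenyList = token -> {
            System.out.println("validator thread: " + Thread.currentThread().getName());
            try {
                Thread.sleep(200); // simulated blocking I/O
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
            return "revoked-id".equals(token.getId())
                ? OAuth2TokenValidatorResult.failure(
                    new OAuth2Error("invalid_token", "jti is on the deny list", null))
                : OAuth2TokenValidatorResult.success();
        };

        String outcome = validate(blockingDenyList, jwt)
            .map(ok -> "accepted")
            .onErrorResume(JwtValidationException.class, e -> Mono.just("rejected: " + e.getErrors()))
            .block(Duration.ofSeconds(5));
        System.out.println("caller thread: " + Thread.currentThread().getName() + ", " + outcome);
    }
}
```

The printed thread names show the validator running on a `boundedElastic` worker while the caller stays on its own thread, and a failed validation surfaces as a `JwtValidationException` rather than an accepted token.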

@jgrandja added the "type: bug" (A general bug) and "in: oauth2" (An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)) labels and removed the "status: waiting-for-triage" (An issue we've not yet triaged) label Mar 18, 2026
@iain-henderson force-pushed the feature/reactive-oauth2-token-validator branch from f91ae7e to 8f73bbd April 8, 2026 00:37
…ocess non-reactive JwtValidators on the BoundedElastic scheduler

Signed-off-by: Iain Henderson <Iain.henderson@mac.com>
@iain-henderson force-pushed the feature/reactive-oauth2-token-validator branch from 9a23773 to 8a20b22 April 8, 2026 01:05
iain-henderson and others added 2 commits April 7, 2026 21:05
…busReactiveJwtDecoder::setJwtValidator

Signed-off-by: Iain Henderson <Iain.henderson@mac.com>
@iain-henderson
Author

I think I have cleaned this up.
I was focused on enabling a reactive JwtValidator (our implementation uses a Mono to retrieve the signing key to verify the JWT), but I am glad that we can resolve a potential issue blocking on the wrong scheduler.

Labels

in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug
