Spring Boot Oauth2 Resource Server Mutual TLS Authenticated JWKS URL

Karanbir Singh
1 min read, Jul 19, 2020

Agenda

While going through the code from the previous article here, people must have run into the toughest scenario: loading a mutual TLS authenticated JWKS (JSON Web Key Set) URL.
It was a little tricky at first, but not impossible, thanks to how capable a framework Spring Boot is.

Technical Notes

  1. Your resource server internally has an auto-configuration for loading the JWKS from the provided endpoint.
  2. That URL is provided using the property
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=<BASE>/.well-known/jwks.json
  3. Internally that configuration creates a WebClient (reactive in nature) and loads the JWKS for you.
  4. And this is the main area where we can look for an option to override.

Solution to override the WebClient & JWTDecoder

  1. Construct the SslContext based on the client keystore and truststore.
  2. Create the HttpClient based on the SslContext.
  3. Create the ReactorClientHttpConnector from the HttpClient.
  4. Create the WebClient for the JWKS URL.
  5. Use the custom WebClient to create a NimbusReactiveJwtDecoder and attach it to the ServerHttpSecurity.
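The five steps above, written out as one Spring WebFlux configuration class. This is an added example, not the author's gist: the only property it takes from the article is `spring.security.oauth2.resourceserver.jwt.jwk-set-uri`; the four `jwks.client.*` property names, the PKCS12 keystore format and the class and bean names are assumptions made for this example.

```kotlin
import io.netty.handler.ssl.SslContext
import io.netty.handler.ssl.SslContextBuilder
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.client.reactive.ReactorClientHttpConnector
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
import org.springframework.security.config.web.server.ServerHttpSecurity
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder
import org.springframework.security.web.server.SecurityWebFilterChain
import org.springframework.web.reactive.function.client.WebClient
import reactor.netty.http.client.HttpClient
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.TrustManagerFactory

@Configuration
@EnableWebFluxSecurity
class MutualTlsJwksConfig(
    // Standard Spring Boot property, the same one the article uses.
    @Value("\${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") private val jwkSetUri: String,
    // Assumed property names for this example; they are not Spring Boot properties.
    @Value("\${jwks.client.key-store}") private val keyStorePath: String,
    @Value("\${jwks.client.key-store-password}") private val keyStorePassword: String,
    @Value("\${jwks.client.trust-store}") private val trustStorePath: String,
    @Value("\${jwks.client.trust-store-password}") private val trustStorePassword: String
) {

    // PKCS12 is assumed here; swap the type if the stores are JKS.
    private fun loadKeyStore(path: String, password: String): KeyStore =
        KeyStore.getInstance("PKCS12").also { ks ->
            FileInputStream(path).use { stream -> ks.load(stream, password.toCharArray()) }
        }

    // Step 1: SslContext from the client keystore (presents our certificate to the
    // JWKS server) and the truststore (validates the JWKS server's certificate).
    private fun buildSslContext(): SslContext {
        val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        keyManagerFactory.init(loadKeyStore(keyStorePath, keyStorePassword), keyStorePassword.toCharArray())

        val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        trustManagerFactory.init(loadKeyStore(trustStorePath, trustStorePassword))

        return SslContextBuilder.forClient()
            .keyManager(keyManagerFactory)
            .trustManager(trustManagerFactory)
            .build()
    }

    // Steps 2 to 4: HttpClient -> ReactorClientHttpConnector -> WebClient.
    // Kept private (not a bean) so it does not compete with other WebClient beans.
    private fun jwksWebClient(): WebClient {
        val httpClient = HttpClient.create().secure { spec -> spec.sslContext(buildSslContext()) }
        return WebClient.builder()
            .clientConnector(ReactorClientHttpConnector(httpClient))
            .build()
    }

    // Step 5a: a decoder that fetches the JWKS through the mTLS WebClient.
    // Boot's auto-configured decoder backs off when a ReactiveJwtDecoder bean exists.
    @Bean
    fun jwtDecoder(): ReactiveJwtDecoder =
        NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri)
            .webClient(jwksWebClient())
            .build()

    // Step 5b: attach the decoder to the resource server's JWT support.
    @Bean
    fun securityWebFilterChain(http: ServerHttpSecurity, jwtDecoder: ReactiveJwtDecoder): SecurityWebFilterChain =
        http
            .authorizeExchange { exchanges -> exchanges.anyExchange().authenticated() }
            .oauth2ResourceServer { rs -> rs.jwt { jwt -> jwt.jwtDecoder(jwtDecoder) } }
            .build()
}
```

The truststore is what keeps this safe: by configuring `trustManager` explicitly, the decoder only accepts keys from a JWKS endpoint whose certificate chains to a CA you chose, rather than the JVM default store. If the keystore password differs from the key entry password, pass the key password to `keyManagerFactory.init` instead.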

The code gist for the Kotlin-based configuration is as below.

Feel free to contact for any issues.

You can connect with me on LinkedIn here for further help.

Karanbir Singh

API developer + Web Application developer + Devops Engineer = Full Stack Developer