@stdevi stdevi commented Oct 3, 2025

Changes in this PR

Adding jwtDecoder to the McpServerOAuth2Configurer to set NimbusJwtDecoder.

Collaborator

Kehrlann commented Oct 3, 2025

@stdevi thanks for contributing.

Before going further, what are you trying to accomplish with this exactly?

Author

stdevi commented Oct 3, 2025

> @stdevi thanks for contributing.
>
> Before going further, what are you trying to accomplish with this exactly?

I have a project where I would like to use custom rest operations for the resource server. However, this implementation does not allow configuring it. I was hoping to expose jwtDecoderCustomizer to achieve that.

Collaborator

Kehrlann commented Oct 3, 2025

Let’s inject a full JwtDecoder instead of a customizer.

@stdevi stdevi changed the title feat: add jwtDecoderCustomizer to McpServerOAuth2Configurer feat: add jwtDecoder to McpServerOAuth2Configurer Oct 4, 2025
Author

stdevi commented Oct 4, 2025

@Kehrlann should I use NimbusJwtDecoder or rather JwtDecoder interface? If we use JwtDecoder, then the validateAudienceClaim won't be enforced.

Collaborator

Kehrlann commented Oct 7, 2025

ValidateAudienceClaim is a good point.
I'm away this week, let me pick this back up next week.

Collaborator

Sorry for the delay here. So, I think we should go with JwtDecoder.

I don't want to remove the validateAudienceClaim, and I don't want it to be a "no-op" when you have a raw JwtDecoder.
So let's do the following:

  1. If jwtDecoder is null, keep the code as is.
  2. If jwtDecoder != null && validateAudienceClaim == false, use the raw jwtDecoder
  3. If jwtDecoder != null && validateAudienceClaim == true, wrap the jwtDecoder into an "audience validation jwt decoder", that does something similar to the NimbusJwtDecoder#validateJwt (only handle a single error). This wrapper decoder would be a simple lambda.

What do you think?

It'd be nice to add a test for this configurer, but it does require a bit of infrastructure (because we don't want to pull Boot in here). If you're interested in submitting a subsequent PR with such a test, please let me know.
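
The three cases proposed in the comment above, sketched with Spring Security's public types as an added example; this is not code from the PR or the project. The class `JwtDecoderSelection`, the method `select`, the `expectedAudience` string and the `existingDefault` supplier (standing in for the configurer's current code path) are all hypothetical.

```java
import java.util.List;
import java.util.function.Supplier;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidationException;

// Hypothetical helper: class, method and parameter names are illustrative only.
final class JwtDecoderSelection {

    static JwtDecoder select(JwtDecoder jwtDecoder, boolean validateAudienceClaim,
            String expectedAudience, Supplier<JwtDecoder> existingDefault) {
        if (jwtDecoder == null) {
            // Case 1: nothing injected, so the configurer's existing code path applies.
            return existingDefault.get();
        }
        if (!validateAudienceClaim) {
            // Case 2: the caller opted out of the audience check; use the decoder untouched.
            return jwtDecoder;
        }
        // Case 3: decode with the injected decoder, then enforce the audience check on top.
        OAuth2TokenValidator<Jwt> audienceValidator = jwt -> {
            List<String> aud = jwt.getAudience(); // null when the claim is absent
            if (aud != null && aud.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(new OAuth2Error(
                    OAuth2ErrorCodes.INVALID_TOKEN, "The aud claim is not valid", null));
        };
        return token -> {
            Jwt jwt = jwtDecoder.decode(token); // the injected decoder's own checks still run
            OAuth2TokenValidatorResult result = audienceValidator.validate(jwt);
            if (result.hasErrors()) {
                // Fail closed: a token issued for another audience is rejected here.
                throw new JwtValidationException("The aud claim is not valid", result.getErrors());
            }
            return jwt;
        };
    }
}
```

A token without an `aud` claim is rejected in case 3, so enabling `validateAudienceClaim` with a raw decoder never silently degrades to a no-op.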
