diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc index 12874db5b73..6aa082364e0 100644 --- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc +++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc @@ -500,6 +500,7 @@ content into your application; rather pick only the properties that you need. security.oauth2.resource.id= # Identifier of the resource. security.oauth2.resource.jwt.key-uri= # The URI of the JWT token. Can be set if the value is not available and the key is public. security.oauth2.resource.jwt.key-value= # The verification key of the JWT token. Can either be a symmetric secret or PEM-encoded RSA public key. + security.oauth2.resource.jwk.key-set-uri= # The URI for getting the set of keys that can be used to validate the token. security.oauth2.resource.prefer-token-info=true # Use the token info, can be set to false to use the user info. security.oauth2.resource.service-id=resource # security.oauth2.resource.token-info-uri= # URI of the token decoding endpoint. diff --git a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc index 81c5447d735..3b9acde1398 100644 --- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc @@ -2794,7 +2794,7 @@ to decode tokens, so there is nothing else to do. If your app is a standalone se need to give it some more configuration, one of the following options: * `security.oauth2.resource.user-info-uri` to use the `/me` resource (e.g. -`\https://uaa.run.pivotal.io/userinfo` on PWS) +`\https://uaa.run.pivotal.io/userinfo` on Pivotal Web Services (PWS)) * `security.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g. `\https://uaa.run.pivotal.io/check_token` on PWS). 
@@ -2815,8 +2815,20 @@ URI where it can be downloaded (as a JSON object with a "`value`" field) with {"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"} ---- -WARNING: If you use the `security.oauth2.resource.jwt.key-uri` the authorization server -needs to be running when your application starts up. It will log a warning if it can't +Additionally, if your authorization server has an endpoint that returns a set of JSON Web Keys(JWKs), +you can configure `security.oauth2.resource.jwk.key-set-uri`. E.g. on PWS: + +[indent=0] +---- + $ curl https://uaa.run.pivotal.io/token_keys + {"keys":[{"kid":"key-1","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"]} +---- + +NOTE: Configuring both JWT and JWK properties will cause an error. Only one of `security.oauth2.resource.jwt.key-uri` +(or `security.oauth2.resource.jwt.key-value`) and `security.oauth2.resource.jwk.key-set-uri` should be configured. + +WARNING: If you use the `security.oauth2.resource.jwt.key-uri` or `security.oauth2.resource.jwk.key-set-uri, +` the authorization server needs to be running when your application starts up. It will log a warning if it can't find the key, and tell you what to do to fix it. OAuth2 resources are protected by a filter chain with order
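Review bot: the appendix entry for `security.oauth2.resource.jwk.key-set-uri=` in the first hunk omits the constraint that the spring-boot-features.adoc hunk documents, namely that it must not be combined with `security.oauth2.resource.jwt.key-uri` or `security.oauth2.resource.jwt.key-value`; readers of the property appendix will never see that NOTE. Suggest extending the comment, e.g. `security.oauth2.resource.jwk.key-set-uri= # The URI for getting the set of keys that can be used to validate the token. Mutually exclusive with the jwt.key-uri and jwt.key-value properties.` Since the keys fetched from this URI are what the resource server trusts for token verification, it is also worth the appendix saying the URI is expected to be an https endpoint, as the `\https://uaa.run.pivotal.io/token_keys` example already is.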
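Review bot: the expansion in the line-2794 hunk leaves nested parentheses, `(e.g. ... on Pivotal Web Services (PWS))`, which reads awkwardly in the rendered bullet. Suggest `(e.g. `\https://uaa.run.pivotal.io/userinfo` on Pivotal Web Services, PWS)` so the abbreviation used by the next bullet (`on PWS`) is still introduced without the double closing parenthesis.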
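Review bot: the WARNING rewritten in the line-2815 hunk has its closing backtick on the wrong line: `security.oauth2.resource.jwk.key-set-uri,` ends with the comma inside the monospace span and the lone backtick opens the next line, so the property name renders with a trailing comma and the sentence breaks; it should read `security.oauth2.resource.jwk.key-set-uri`, the authorization server needs to be running when your application starts up. The curl sample in the same hunk is not valid JSON either, because the key object is never closed before the array ends: `...-----END PUBLIC KEY-----\n"]}` should be `...-----END PUBLIC KEY-----\n"}]}`. Two smaller points: `JSON Web Keys(JWKs)` needs a space before the parenthesis, and since a JWK Set as specified in RFC 7517 carries an RSA key as `kty`/`n`/`e` rather than as a PEM `value`, the text should say whether the `value` field shown here is specific to UAA or whether standard `n`/`e` entries are accepted as well, so readers know what their authorization server must return for `key-set-uri` to work.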