Add id-token-jwk-set-url ClientSettings and claim mapping

- Add ID_TOKEN_JWK_SET_URL to ConfigurationSettingNames
  and typed getter/builder to ClientSettings
- Add default no-arg constructor to resolver that reads
  idTokenJwkSetUrl from ClientSettings automatically
- Store subject token claims as authorization attribute
  so OAuth2TokenCustomizer can map ID token claims to
  the generated access token

Closes gh-19048
Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com>

Author: bkoragan

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java

@@ -80,6 +80,16 @@ public final class OAuth2TokenExchangeAuthenticationProvider implements Authenti
 
 	private static final String MAY_ACT = "may_act";
 
+	/**
+	 * The attribute name for the subject token claims stored in the
+	 * {@link OAuth2Authorization}. These claims are available to
+	 * {@link org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer}
+	 * implementations for mapping external ID token claims to the generated access token.
+	 * @since 7.0
+	 */
+	public static final String SUBJECT_TOKEN_CLAIMS_ATTRIBUTE = OAuth2TokenExchangeSubjectTokenContext.class.getName()
+			+ ".CLAIMS";
+
 	private final Log logger = LogFactory.getLog(getClass());
 
 	private final OAuth2AuthorizationService authorizationService;
@@ -155,6 +165,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					.principalName(subjectTokenContext.getPrincipalName())
 					.authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
 					.attribute(Principal.class.getName(), subjectTokenContext.getPrincipal())
+					.attribute(SUBJECT_TOKEN_CLAIMS_ATTRIBUTE, subjectTokenContext.getClaims())
 					.build();
 			// @formatter:on
 

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OidcIdTokenSubjectTokenResolver.java

@@ -18,6 +18,8 @@
 
 import java.util.Collections;
 import java.util.List;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -26,13 +28,17 @@
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
+import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
 import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
 import org.springframework.security.oauth2.jwt.JwtException;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
+import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * An {@link OAuth2TokenExchangeSubjectTokenResolver} implementation that resolves
@@ -44,11 +50,30 @@
  * token using a {@link JwtDecoder} obtained from the provided factory, then constructs an
  * {@link OAuth2TokenExchangeSubjectTokenContext} from the token's claims.
  *
+ * <p>
+ * When constructed with no arguments, the resolver uses the
+ * {@link ClientSettings#getIdTokenJwkSetUrl()} setting to resolve the external IdP's JWKS
+ * endpoint per client. Example client registration:
+ *
+ * <pre>
+ * RegisteredClient.withId(UUID.randomUUID().toString())
+ *     .clientId("cicd-client")
+ *     .clientSettings(ClientSettings.builder()
+ *         .idTokenJwkSetUrl("https://gitlab.com/oauth/discovery/keys")
+ *         .build())
+ *     .build();
+ * </pre>
+ *
+ * <p>
+ * For advanced use cases (e.g., multi-issuer routing, custom validation), a custom
+ * {@link JwtDecoderFactory} can be provided via the constructor.
+ *
  * @author Bapuji Koraganti
  * @since 7.0
  * @see OAuth2TokenExchangeSubjectTokenResolver
  * @see OAuth2TokenExchangeSubjectTokenContext
  * @see JwtDecoderFactory
+ * @see ClientSettings#getIdTokenJwkSetUrl()
  */
 public final class OidcIdTokenSubjectTokenResolver implements OAuth2TokenExchangeSubjectTokenResolver {
 
@@ -58,9 +83,19 @@ public final class OidcIdTokenSubjectTokenResolver implements OAuth2TokenExchang
 
 	private final JwtDecoderFactory<RegisteredClient> jwtDecoderFactory;
 
+	/**
+	 * Constructs an {@code OidcIdTokenSubjectTokenResolver} that uses the
+	 * {@link ClientSettings#getIdTokenJwkSetUrl()} setting to resolve the external IdP's
+	 * JWKS endpoint for each client. Decoders are cached per client.
+	 * @since 7.0
+	 */
+	public OidcIdTokenSubjectTokenResolver() {
+		this(new DefaultIdTokenJwtDecoderFactory());
+	}
+
 	/**
 	 * Constructs an {@code OidcIdTokenSubjectTokenResolver} using the provided
-	 * parameters.
+	 * {@link JwtDecoderFactory}.
 	 * @param jwtDecoderFactory the factory for creating {@link JwtDecoder} instances
 	 * keyed by {@link RegisteredClient}
 	 */
@@ -98,6 +133,31 @@ public OidcIdTokenSubjectTokenResolver(JwtDecoderFactory<RegisteredClient> jwtDe
 		return new OAuth2TokenExchangeSubjectTokenContext(principal, subject, jwt.getClaims(), Collections.emptySet());
 	}
 
+	/**
+	 * Default {@link JwtDecoderFactory} that reads the JWKS endpoint from
+	 * {@link ClientSettings#getIdTokenJwkSetUrl()} and caches decoders per client.
+	 */
+	private static final class DefaultIdTokenJwtDecoderFactory implements JwtDecoderFactory<RegisteredClient> {
+
+		private final Map<String, JwtDecoder> jwtDecoders = new ConcurrentHashMap<>();
+
+		@Override
+		public JwtDecoder createDecoder(RegisteredClient registeredClient) {
+			return this.jwtDecoders.computeIfAbsent(registeredClient.getId(), (key) -> {
+				String idTokenJwkSetUrl = registeredClient.getClientSettings().getIdTokenJwkSetUrl();
+				if (!StringUtils.hasText(idTokenJwkSetUrl)) {
+					OAuth2Error oauth2Error = new OAuth2Error(OAuth2ErrorCodes.INVALID_CLIENT,
+							"Failed to find an ID Token Verifier for Client: '" + registeredClient.getId()
+									+ "'. Check to ensure you have configured the ID Token JWK Set URL.",
+							null);
+					throw new OAuth2AuthenticationException(oauth2Error);
+				}
+				return NimbusJwtDecoder.withJwkSetUri(idTokenJwkSetUrl).build();
+			});
+		}
+
+	}
+
 	/**
 	 * An {@link Authentication} representing a principal resolved from an
 	 * externally-issued ID token.

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/ClientSettings.java

@@ -99,6 +99,17 @@ public boolean isRequireAuthorizationConsent() {
 		return getSetting(ConfigurationSettingNames.Client.X509_CERTIFICATE_SUBJECT_DN);
 	}
 
+	/**
+	 * Returns the {@code URL} for the external Identity Provider's JSON Web Key Set used
+	 * to validate ID tokens during token exchange.
+	 * @return the {@code URL} for the external IdP's JSON Web Key Set, or {@code null} if
+	 * not set
+	 * @since 7.0
+	 */
+	public @Nullable String getIdTokenJwkSetUrl() {
+		return getSetting(ConfigurationSettingNames.Client.ID_TOKEN_JWK_SET_URL);
+	}
+
 	/**
 	 * Constructs a new {@link Builder} with the default settings.
 	 * @return the {@link Builder}
@@ -185,6 +196,17 @@ public Builder x509CertificateSubjectDN(String x509CertificateSubjectDN) {
 			return setting(ConfigurationSettingNames.Client.X509_CERTIFICATE_SUBJECT_DN, x509CertificateSubjectDN);
 		}
 
+		/**
+		 * Sets the {@code URL} for the external Identity Provider's JSON Web Key Set used
+		 * to validate ID tokens during token exchange.
+		 * @param idTokenJwkSetUrl the {@code URL} for the external IdP's JSON Web Key Set
+		 * @return the {@link Builder} for further configuration
+		 * @since 7.0
+		 */
+		public Builder idTokenJwkSetUrl(String idTokenJwkSetUrl) {
+			return setting(ConfigurationSettingNames.Client.ID_TOKEN_JWK_SET_URL, idTokenJwkSetUrl);
+		}
+
 		/**
 		 * Builds the {@link ClientSettings}.
 		 * @return the {@link ClientSettings}

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/ConfigurationSettingNames.java

@@ -78,6 +78,13 @@ public static final class Client {
 		public static final String X509_CERTIFICATE_SUBJECT_DN = CLIENT_SETTINGS_NAMESPACE
 			.concat("x509-certificate-subject-dn");
 
+		/**
+		 * Set the {@code URL} for the external Identity Provider's JSON Web Key Set used
+		 * to validate ID tokens during token exchange.
+		 * @since 7.0
+		 */
+		public static final String ID_TOKEN_JWK_SET_URL = CLIENT_SETTINGS_NAMESPACE.concat("id-token-jwk-set-url");
+
 		private Client() {
 		}
 

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProviderTests.java

@@ -698,6 +698,15 @@ public void authenticateWhenSubjectTokenResolverReturnsContextThenReturnAccessTo
 		assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.TOKEN_EXCHANGE);
 		assertThat(authorization.<Authentication>getAttribute(Principal.class.getName())).isSameAs(userPrincipal);
 		assertThat(authorization.getAccessToken().getToken()).isEqualTo(accessToken);
+
+		// Verify subject token claims are available via the token context authorization
+		OAuth2Authorization subjectAuth = tokenContext.getAuthorization();
+		assertThat(subjectAuth).isNotNull();
+		Map<String, Object> subjectTokenClaims = subjectAuth
+			.getAttribute(OAuth2TokenExchangeAuthenticationProvider.SUBJECT_TOKEN_CLAIMS_ATTRIBUTE);
+		assertThat(subjectTokenClaims).isNotNull();
+		assertThat(subjectTokenClaims).containsEntry("iss", "https://gitlab.com");
+		assertThat(subjectTokenClaims).containsEntry("sub", "user@example.com");
 	}
 
 	@Test

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OidcIdTokenSubjectTokenResolverTests.java

@@ -21,6 +21,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
+import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
@@ -113,6 +114,21 @@ public void resolveWhenSubjectClaimMissingThenThrowOAuth2AuthenticationException
 		// @formatter:on
 	}
 
+	@Test
+	public void resolveWhenDefaultConstructorAndNoIdTokenJwkSetUrlThenThrowOAuth2AuthenticationException() {
+		RegisteredClient registeredClient = TestRegisteredClients.registeredClient()
+			.authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
+			.build();
+		OidcIdTokenSubjectTokenResolver defaultResolver = new OidcIdTokenSubjectTokenResolver();
+		// @formatter:off
+		assertThatExceptionOfType(OAuth2AuthenticationException.class)
+				.isThrownBy(() -> defaultResolver.resolve(ID_TOKEN_VALUE, ID_TOKEN_TYPE_VALUE, registeredClient))
+				.extracting(OAuth2AuthenticationException::getError)
+				.extracting(OAuth2Error::getErrorCode)
+				.isEqualTo(OAuth2ErrorCodes.INVALID_CLIENT);
+		// @formatter:on
+	}
+
 	@Test
 	public void resolveWhenValidIdTokenThenReturnContext() {
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/settings/ClientSettingsTests.java

@@ -72,6 +72,20 @@ public void x509CertificateSubjectDNWhenProvidedThenSet() {
 			.isEqualTo("CN=demo-client-sample, OU=Spring Samples, O=Spring, C=US");
 	}
 
+	@Test
+	public void idTokenJwkSetUrlWhenProvidedThenSet() {
+		ClientSettings clientSettings = ClientSettings.builder()
+			.idTokenJwkSetUrl("https://gitlab.com/oauth/discovery/keys")
+			.build();
+		assertThat(clientSettings.getIdTokenJwkSetUrl()).isEqualTo("https://gitlab.com/oauth/discovery/keys");
+	}
+
+	@Test
+	public void idTokenJwkSetUrlWhenNotSetThenNull() {
+		ClientSettings clientSettings = ClientSettings.builder().build();
+		assertThat(clientSettings.getIdTokenJwkSetUrl()).isNull();
+	}
+
 	@Test
 	public void settingWhenCustomThenSet() {
 		ClientSettings clientSettings = ClientSettings.builder()