Add discoverJwsAlgorithms() in NimbusJwtDecoder

Closes: gh-17785
Signed-off-by: Andrey Litvitski <[email protected]>

Author: therepanic

oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java

@@ -84,6 +84,7 @@
  * @author Joe Grandja
  * @author Mykyta Bezverkhyi
  * @author Daeho Kwon
+ * @author Andrey Litvitski
  * @since 5.2
  */
 public final class NimbusJwtDecoder implements JwtDecoder {
@@ -418,6 +419,16 @@ public JwkSetUriJwtDecoderBuilder cache(Cache cache) {
 			return this;
 		}
 
+		/**
+		 * Enables discovery of supported JWS algorithms from the remote JWK Set.
+		 * @return a {@link JwkSetUriJwtDecoderBuilder} for further configuration
+		 * @since 7.0.0
+		 */
+		public JwkSetUriJwtDecoderBuilder discoverJwsAlgorithms() {
+			this.defaultAlgorithms = JwtDecoderProviderConfigurationUtils::getJWSAlgorithms;
+			return this;
+		}
+
 		/**
 		 * Use the given {@link Consumer} to customize the {@link JWTProcessor
 		 * ConfigurableJWTProcessor} before passing it to the build

oauth2/oauth2-jose/src/test/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoderTests.java

@@ -95,10 +95,11 @@
  * @author Josh Cummings
  * @author Joe Grandja
  * @author Mykyta Bezverkhyi
+ * @author Andrey Litvitski
  */
 public class NimbusJwtDecoderTests {
 
-	private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"}]}";
+	private static final String JWK_SET = "{\"keys\":[{\"kty\":\"RSA\",\"e\":\"AQAB\",\"use\":\"sig\",\"kid\":\"one\",\"n\":\"oXJ8OyOv_eRnce4akdanR4KYRfnC2zLV4uYNQpcFn6oHL0dj7D6kxQmsXoYgJV8ZVDn71KGmuLvolxsDncc2UrhyMBY6DVQVgMSVYaPCTgW76iYEKGgzTEw5IBRQL9w3SRJWd3VJTZZQjkXef48Ocz06PGF3lhbz4t5UEZtdF4rIe7u-977QwHuh7yRPBQ3sII-cVoOUMgaXB9SHcGF2iZCtPzL_IffDUcfhLQteGebhW8A6eUHgpD5A1PQ-JCw_G7UOzZAjjDjtNM2eqm8j-Ms_gqnm4MiCZ4E-9pDN77CAAPVN7kuX6ejs9KBXpk01z48i9fORYk9u7rAkh1HuQw\"},{\"kty\":\"EC\",\"key_ops\":[\"sign\",\"verify\"],\"alg\":\"ES256\",\"kid\":\"330e6e41-2c66-47c0-8a82-02a1aa5576ec\",\"crv\":\"P-256\",\"x\":\"pHzT2rtgIGKaQVd69a8H2D--YOkH4ook0v-mUpOjVX4\",\"y\":\"3Fn4_BnsUJU9qCa7pvZyt8hedAOqkWAf5KqW9DR1ZZk\"}]}";
 
 	private static final String MALFORMED_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJuYmYiOnt9LCJleHAiOjQ2ODQyMjUwODd9";
 
@@ -122,6 +123,8 @@ public class NimbusJwtDecoderTests {
 
 	private static final String RS256_SIGNED_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ0ZXN0LXN1YmplY3QiLCJleHAiOjE5NzQzMjYzMzl9.CT-H2OWEqmSs1NWmnta5ealLFvM8OlbQTjGhfRcKLNxrTrzsOkqBJl-AN3k16BQU7mS32o744TiiZ29NcDlxPsr1MqTlN86-dobPiuNIDLp3A1bOVdXMcVFuMYkrNv0yW0tGS9OjEqsCCuZDkZ1by6AhsHLbGwRY-6AQdcRouZygGpOQu1hNun5j8q5DpSTY4AXKARIFlF-O3OpVbPJ0ebr3Ki-i3U9p_55H0e4-wx2bqcApWlqgofl1I8NKWacbhZgn81iibup2W7E0CzCzh71u1Mcy3xk1sYePx-dwcxJnHmxJReBBWjJZEAeCrkbnn_OCuo2fA-EQyNJtlN5F2w";
 
+	private static final String ES256_SIGNED_JWT = "eyJhbGciOiJFUzI1NiIsImtpZCI6IjMzMGU2ZTQxLTJjNjYtNDdjMC04YTgyLTAyYTFhYTU1NzZlYyJ9.eyJzdWIiOiJ0ZXN0LXN1YmplY3QifQ.5zoc1PBa4HaZZsR0twJQVNeeCs4oAvohnGLGJrF9NqufTl-14B_ylH1ZT1xpiVFPeJnyYFUoC22QOXT-_XKVGg";
+
 	private static final String VERIFY_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq4yKxb6SNePdDmQi9xFCrP6QvHosErQzryknQTTTffs0t3cy3Er3lIceuhZ7yQNSCDfPFqG8GoyoKhuChRiA5D+J2ab7bqTa1QJKfnCyERoscftgN2fXPHjHoiKbpGV2tMVw8mXl//tePOAiKbMJaBUnlAvJgkk1rVm08dSwpLC1sr2M19euf9jwnRGkMRZuhp9iCPgECRke5T8Ixpv0uQjSmGHnWUKTFlbj8sM83suROR1Ue64JSGScANc5vk3huJ/J97qTC+K2oKj6L8d9O8dpc4obijEOJwpydNvTYDgbiivYeSB00KS9jlBkQ5B2QqLvLVEygDl3dp59nGx6YQIDAQAB";
 
 	private static final MediaType APPLICATION_JWK_SET_JSON = new MediaType("application", "jwk-set+json");
@@ -334,6 +337,19 @@ public void decodeWhenIssuerLocationThenOk() {
 		assertThat(jwt.hasClaim(JwtClaimNames.EXP)).isNotNull();
 	}
 
+	@Test
+	public void decodeWhenDiscoverJwsAlgorithmsThenOk() {
+		RestOperations restOperations = mock(RestOperations.class);
+		given(restOperations.exchange(any(RequestEntity.class), eq(String.class)))
+			.willReturn(new ResponseEntity<>(JWK_SET, HttpStatus.OK));
+		JwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
+			.discoverJwsAlgorithms()
+			.restOperations(restOperations)
+			.build();
+		Jwt jwt = jwtDecoder.decode(ES256_SIGNED_JWT);
+		assertThat(jwt.hasClaim(JwtClaimNames.EXP)).isNotNull();
+	}
+
 	@Test
 	public void withJwkSetUriWhenNullOrEmptyThenThrowsException() {
 		// @formatter:off