
Add reasonable timeout to JwtDecoderProviderConfigurationUtils and NimbusJwtDecoder #14269

@vonnahme

Description


Expected Behavior

These classes should use reasonable default timeouts to avoid the possibility of a connection hanging.

Current Behavior

A default RestTemplate with no timeout configured is used.

https://github.com/spring-projects/spring-security/blob/6.2.0/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/JwtDecoderProviderConfigurationUtils.java#L66

https://github.com/spring-projects/spring-security/blob/6.2.0/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java#L271

Context

We had network issues recently and saw hung threads in these classes due to the connections never being released.

It appears that Nimbus sets a default timeout on the HTTP connections it makes: https://www.javadoc.io/static/com.nimbusds/nimbus-jose-jwt/9.37.3/com/nimbusds/jose/jwk/source/JWKSourceBuilder.html#DEFAULT_HTTP_CONNECT_TIMEOUT

Since both of these classes rely on Nimbus, perhaps the Nimbus timeout settings could be reused?

After researching this a bit, it does seem I could configure this at the JVM level by setting

-Dsun.net.client.defaultConnectTimeout=
-Dsun.net.client.defaultReadTimeout=

but that's more broad than I would prefer.
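The JWK Set path the issue describes (NimbusJwtDecoder fetching keys through a default RestTemplate) can be given explicit timeouts by the application, because the JwkSetUri builder accepts a caller-supplied RestOperations. The following is an added example, not code from the issue or from the Spring Security project; the timeout values, the class name TimeoutJwtDecoderFactory and the JWK Set URL in main are constructed for illustration.

```java
import java.time.Duration;

import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

/**
 * Builds a NimbusJwtDecoder whose JWK Set fetches use explicit connect and
 * read timeouts, so a stalled key-server connection fails fast instead of
 * pinning a request thread indefinitely (the hang described in the issue).
 */
public final class TimeoutJwtDecoderFactory {

    // Assumed values chosen for this example; tune them to your network.
    private static final Duration CONNECT_TIMEOUT = Duration.ofSeconds(2);
    private static final Duration READ_TIMEOUT = Duration.ofSeconds(5);

    private TimeoutJwtDecoderFactory() {
    }

    /**
     * @param jwkSetUri the authorization server's JWK Set endpoint
     * @return a decoder whose key retrieval is bounded by the timeouts above
     */
    public static JwtDecoder jwkSetDecoder(String jwkSetUri) {
        // SimpleClientHttpRequestFactory wraps HttpURLConnection; without these
        // two calls it inherits the JDK default of no timeout at all.
        SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        requestFactory.setConnectTimeout((int) CONNECT_TIMEOUT.toMillis());
        requestFactory.setReadTimeout((int) READ_TIMEOUT.toMillis());

        // A RestTemplate built on the bounded factory replaces the default one
        // that NimbusJwtDecoder would otherwise create internally.
        RestTemplate rest = new RestTemplate(requestFactory);

        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                .restOperations(rest)
                .build();
    }

    public static void main(String[] args) {
        // Placeholder URL; no request is made until a token is decoded.
        JwtDecoder decoder = jwkSetDecoder("https://issuer.example/.well-known/jwks.json");
        System.out.println("decoder ready: " + decoder.getClass().getSimpleName());
    }
}
```

Expose the returned decoder as the JwtDecoder bean for the resource server and the JWK Set refresh inherits the bounds. This hook only covers the JWK Set URI path; the issuer-discovery path the issue links (JwtDecoderProviderConfigurationUtils) builds its own RestTemplate internally, which is why the issue falls back to the JVM-wide sun.net.client.defaultConnectTimeout and sun.net.client.defaultReadTimeout properties for that case.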

Metadata


Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
type: enhancement (A general enhancement)
