Ambiguity in Spring Security OAuth2 Resource Server documentation #16708

@miikuru002

Description

Describe the bug
According to the Spring Security Startup Expectations section, the resource server follows a deterministic startup process, where it queries the issuer-uri at startup to discover the JWK Set URI.

The documentation states:

"A consequence of this process is that the authorization server must be up and receiving requests in order for Resource Server to successfully start up.

Note:
If the authorization server is down when Resource Server queries it (given appropriate timeouts), then startup will fail."

However, as of Spring Boot 2.6+, the default behavior has changed to deferred OIDC discovery, meaning the issuer and keys are only fetched when the first request containing a JWT is received. This change was confirmed in this issue and in this comment.

To Reproduce

  1. Create a Spring Boot 3.x application with spring-boot-starter-oauth2-resource-server.
  2. Configure an invalid issuer-uri:

```yaml
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://idp.example.com/issuer
```

  3. Start the application.
  4. Observe that the application does not fail on startup and only throws an error when processing a request with a JWT.

Expected behavior

  • The statement that “startup will fail if the authorization server is down” should be revised or clarified, as it no longer applies by default in Spring Boot 2.6+.
  • If eager validation is required, the documentation should recommend explicitly defining a JwtDecoder bean (this section mentions it implicitly, but it is not very clear).

Would appreciate any feedback on this. Thanks!
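The eager-validation alternative from the second expected-behavior bullet, shown as an added example that is not part of this issue or of Spring's own code. It assumes a hypothetical class and package name; the property key is the one from the YAML above, and `JwtDecoders.fromIssuerLocation` is the existing Spring Security API.

```java
package com.example.resourceserver; // hypothetical package name

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;

/**
 * Opt back in to eager OIDC discovery.
 *
 * Spring Boot's resource-server auto-configuration only creates its own (deferred)
 * JwtDecoder when no JwtDecoder bean is present. Defining one here means the
 * issuer's discovery document and JWK Set URI are resolved while this bean is
 * created, i.e. during application startup, not on the first request that
 * carries a JWT.
 */
@Configuration
public class EagerJwtDecoderConfig {

    @Bean
    public JwtDecoder jwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri) {
        // fromIssuerLocation() contacts the issuer's metadata endpoint right now.
        // If the authorization server is unreachable or the issuer-uri is wrong,
        // this call throws and the ApplicationContext fails to start, which is the
        // "startup will fail" behaviour the documentation currently describes.
        return JwtDecoders.fromIssuerLocation(issuerUri);
    }
}
```

With this bean in place, the reproduction steps above fail at step 3 (startup) instead of at step 4 (first JWT request).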

Labels: in: oauth2, type: bug