Introduce RSA keys configuration properties for OAuth2 Authorization Server

quaff · quaff · commit 8e1a9ff0e3e0 · 2025-08-08T10:41:23.000+08:00
Signed-off-by: Yanming Zhou &lt;zhouyanming@gmail.com&gt;
diff --git a/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java b/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerJwtAutoConfiguration.java
@@ -35,6 +35,7 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication.Type;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.boot.security.autoconfigure.servlet.UserDetailsServiceAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -48,29 +49,37 @@
  * OAuth2 authorization server that require it (e.g. User Info, Client Registration).
  *
  * @author Steve Riesenberg
+ * @author Yanming Zhou
  * @since 4.0.0
  */
 @AutoConfiguration(after = UserDetailsServiceAutoConfiguration.class)
 @ConditionalOnClass({ OAuth2Authorization.class, JWKSource.class })
 @ConditionalOnWebApplication(type = Type.SERVLET)
+@EnableConfigurationProperties(OAuth2AuthorizationServerProperties.class)
 public final class OAuth2AuthorizationServerJwtAutoConfiguration {
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	@ConditionalOnMissingBean
-	JWKSource<SecurityContext> jwkSource() {
-		RSAKey rsaKey = getRsaKey();
+	JWKSource<SecurityContext> jwkSource(OAuth2AuthorizationServerProperties properties) {
+		RSAKey rsaKey = getRsaKey(properties.getRsa());
 		JWKSet jwkSet = new JWKSet(rsaKey);
 		return new ImmutableJWKSet<>(jwkSet);
 	}
 
-	private static RSAKey getRsaKey() {
-		KeyPair keyPair = generateRsaKey();
-		RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
-		RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
-		RSAKey rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey)
-			.keyID(UUID.randomUUID().toString())
-			.build();
+	private static RSAKey getRsaKey(OAuth2AuthorizationServerProperties.Rsa rsa) {
+		RSAKey rsaKey;
+		if (rsa.getPublicKey() != null && rsa.getPrivateKey() != null) {
+			rsaKey = new RSAKey.Builder(rsa.getPublicKey()).privateKey(rsa.getPrivateKey())
+				.keyID(rsa.getKeyId() != null ? rsa.getKeyId() : UUID.randomUUID().toString())
+				.build();
+		}
+		else {
+			KeyPair keyPair = generateRsaKey();
+			RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
+			RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
+			rsaKey = new RSAKey.Builder(publicKey).privateKey(privateKey).keyID(UUID.randomUUID().toString()).build();
+		}
 		return rsaKey;
 	}
 
diff --git a/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerProperties.java b/module/spring-boot-security-oauth2-authorization-server/src/main/java/org/springframework/boot/security/oauth2/server/authorization/autoconfigure/servlet/OAuth2AuthorizationServerProperties.java
@@ -16,6 +16,8 @@
 
 package org.springframework.boot.security.oauth2.server.authorization.autoconfigure.servlet;
 
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
 import java.time.Duration;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -35,6 +37,7 @@
  *
  * @author Steve Riesenberg
  * @author Florian Lemaire
+ * @author Yanming Zhou
  * @since 4.0.0
  */
 @ConfigurationProperties("spring.security.oauth2.authorizationserver")
@@ -62,6 +65,11 @@ public class OAuth2AuthorizationServerProperties implements InitializingBean {
 	 */
 	private final Endpoint endpoint = new Endpoint();
 
+	/**
+	 * Authorization Server endpoints.
+	 */
+	private final Rsa rsa = new Rsa();
+
 	public boolean isMultipleIssuersAllowed() {
 		return this.multipleIssuersAllowed;
 	}
@@ -86,6 +94,10 @@ public Endpoint getEndpoint() {
 		return this.endpoint;
 	}
 
+	public Rsa getRsa() {
+		return this.rsa;
+	}
+
 	@Override
 	public void afterPropertiesSet() {
 		validate();
@@ -567,4 +579,50 @@ public void setIdTokenSignatureAlgorithm(String idTokenSignatureAlgorithm) {
 
 	}
 
+	/**
+	 * RSA keys for JWK.
+	 */
+	public static class Rsa {
+
+		/**
+		 * RSA key ID.
+		 */
+		private @Nullable String keyId;
+
+		/**
+		 * RSA public key.
+		 */
+		private @Nullable RSAPublicKey publicKey;
+
+		/**
+		 * RSA private key.
+		 */
+		private @Nullable RSAPrivateKey privateKey;
+
+		public @Nullable String getKeyId() {
+			return this.keyId;
+		}
+
+		public void setKeyId(String keyId) {
+			this.keyId = keyId;
+		}
+
+		public @Nullable RSAPublicKey getPublicKey() {
+			return this.publicKey;
+		}
+
+		public void setPublicKey(RSAPublicKey publicKey) {
+			this.publicKey = publicKey;
+		}
+
+		public @Nullable RSAPrivateKey getPrivateKey() {
+			return this.privateKey;
+		}
+
+		public void setPrivateKey(RSAPrivateKey privateKey) {
+			this.privateKey = privateKey;
+		}
+
+	}
+
 }
