Default timeout should be set when fetching JWKSet for private_key_jwt

[martinr0x]

Expected Behavior

Fetching JWKSets should timeout if the server does not respond in specified amount of time.

Current Behavior

Currently, the jwtDecoder will block until the socket hangs up, which can take few minutes. This is due to the usage of the default RestTemplate in NimbusJwtDecoder which uses the SimpleClientRequestFactory without a timeout by default.

Context

This issue only affects oAuth flows with private_key_jwt client authentication.
To mitigate this issue we implemented a custom JwtClientAssertionFactory that uses a RestTemplate with an explicit timeout.

[jgrandja]

Thanks for reporting this @martinr0x.

I'm not sure I want to expose JwtClientAssertionDecoderFactory.setRestOperations(RestOperations) to allow for configuring a custom RestOperations with timeouts.

However, as you suggested, it seems you would be ok with default timeouts set internal to the implementation of JwtClientAssertionDecoderFactory. Similar to this commit?

[martinr0x]

Hi @jgrandja,
thanks for getting back to me.
Setting a default timeout would be sufficient.
It would be nice to configure the NimbusJwtDecoder but I think there are too many moving parts to do this nicely.

[jgrandja]

@martinr0x Ok, for now, let's go with setting default timeouts internally. Would 30 secs be the right default? Or maybe shorter?
Would you be interested in submitting a PR for this?

[martinr0x]

@jgrandja I can submit a PR.
The timeouts can be shorter imo, like 10 seconds.

[jgrandja]

I agree the timeouts can be shorter but 10 secs might be too short? Let's try 15 secs for the initial enhancement.