
OAuth2AuthorizationServerJwtAutoConfiguration uses @ConditionalOnClass incorrectly #45177

Closed
@wilkinsona


```java
@Bean
@ConditionalOnClass(JwtDecoder.class)
@ConditionalOnMissingBean
JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
    return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
```

This may break if JwtDecoder is not on the classpath as OAuth2AuthorizationServerJwtAutoConfiguration will still be loaded but it will declare a method whose signature refers to a class that does not exist.

```java
@Bean
@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
@ConditionalOnMissingBean
JWKSource<SecurityContext> jwkSource() {
    RSAKey rsaKey = getRsaKey();
    JWKSet jwkSet = new JWKSet(rsaKey);
    return new ImmutableJWKSet<>(jwkSet);
}
```

There's no check here for com.nimbusds.jose.jwk.source.JWKSource or com.nimbusds.jose.proc.SecurityContext being on the classpath and the class only checks for org.springframework.security.oauth2.server.authorization.OAuth2Authorization.

It could be that the presence of OAuth2Authorization implies that the other classes must be present, or it may be that we need to introduce some inner-classes.
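
A sketch of the inner-class approach mentioned above, added here as an illustration; it is not Spring Boot's code and not necessarily the fix that was applied. The package and the class names `ExampleJwtAutoConfiguration` and `JwtDecoderConfiguration` are hypothetical.

```java
package example.autoconfigure; // hypothetical package

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;

// Outer class: guarded only by the type that is always present with the
// authorization server. It declares no field or method that mentions an
// optional type, so loading it cannot fail on a missing class.
@AutoConfiguration
@ConditionalOnClass(OAuth2Authorization.class)
public class ExampleJwtAutoConfiguration {

    // The class-level condition is evaluated from annotation metadata before
    // this nested class is loaded. If any listed type is absent, the class is
    // skipped and the JVM never resolves the jwtDecoder(...) signature.
    @Configuration(proxyBeanMethods = false)
    @ConditionalOnClass({ JwtDecoder.class, JWKSource.class, SecurityContext.class })
    static class JwtDecoderConfiguration {

        @Bean
        @ConditionalOnMissingBean
        JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
            return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
        }

    }

}
```

The same isolation would apply to the `jwkSource()` bean: a nested configuration conditional on `JWKSource` and `SecurityContext` keeps those types out of the outer class's method signatures.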
