Merge branch '1.5.x'

b02edd2e · Madhura Bhave · 441dd2bc · 64ffcfc8 · b02edd2e · b02edd2e
Commit b02edd2e authored Aug 29, 2017 by Madhura Bhave
Showing with 16 additions and 3 deletions

appendix-application-properties.adoc ...cs/src/main/asciidoc/appendix-application-properties.adoc +1 -0

spring-boot-features.adoc spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc +15 -3

No files found.
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -500,6 +500,7 @@ content into your application; rather pick only the properties that you need.
 	security.oauth2.resource.id= # Identifier of the resource.
 	security.oauth2.resource.jwt.key-uri= # The URI of the JWT token. Can be set if the value is not available and the key is public.
 	security.oauth2.resource.jwt.key-value= # The verification key of the JWT token. Can either be a symmetric secret or PEM-encoded RSA public key.
+	security.oauth2.resource.jwk.key-set-uri= # The URI for getting the set of keys that can be used to validate the token.
 	security.oauth2.resource.prefer-token-info=true # Use the token info, can be set to false to use the user info.
 	security.oauth2.resource.service-id=resource #
 	security.oauth2.resource.token-info-uri= # URI of the token decoding endpoint.

--- a/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc
@@ -2794,7 +2794,7 @@ to decode tokens, so there is nothing else to do. If your app is a standalone se
 need to give it some more configuration, one of the following options:

 * `security.oauth2.resource.user-info-uri` to use the `/me` resource (e.g.
-`\https://uaa.run.pivotal.io/userinfo` on PWS)
+`\https://uaa.run.pivotal.io/userinfo` on Pivotal Web Services (PWS))

 * `security.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g.
 `\https://uaa.run.pivotal.io/check_token` on PWS).
@@ -2815,8 +2815,20 @@ URI where it can be downloaded (as a JSON object with a "`value`" field) with
 	{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
 ----

-WARNING: If you use the `security.oauth2.resource.jwt.key-uri` the authorization server
-needs to be running when your application starts up. It will log a warning if it can't
+Additionally, if your authorization server has an endpoint that returns a set of JSON Web Keys(JWKs),
+you can configure `security.oauth2.resource.jwk.key-set-uri`. E.g. on PWS:
+
+[indent=0]
+----
+	$ curl https://uaa.run.pivotal.io/token_keys
+	{"keys":[{"kid":"key-1","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"]}
+----
+
+NOTE: Configuring both JWT and JWK properties will cause an error. Only one of `security.oauth2.resource.jwt.key-uri`
+(or `security.oauth2.resource.jwt.key-value`) and `security.oauth2.resource.jwk.key-set-uri` should be configured.
+
+WARNING: If you use the `security.oauth2.resource.jwt.key-uri` or `security.oauth2.resource.jwk.key-set-uri,
+` the authorization server needs to be running when your application starts up. It will log a warning if it can't
 find the key, and tell you what to do to fix it.

 OAuth2 resources are protected by a filter chain with order