Add id-token-jwk-set-url ClientSettings and claim mapping

- Add ID_TOKEN_JWK_SET_URL to ConfigurationSettingNames and typed getter/builder to ClientSettings
- Store subject token claims as authorization attribute so OAuth2TokenCustomizer can map ID token claims to the generated access token
- Update OidcIdTokenSubjectTokenResolver JavaDoc with ClientSettings configuration example

Closes gh-19048

Signed-off-by: Bapuji Koraganti <bapuk.2008@gmail.com>

Author: bkoragan

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProvider.java

@@ -80,6 +80,16 @@ public final class OAuth2TokenExchangeAuthenticationProvider implements Authenti
 
 	private static final String MAY_ACT = "may_act";
 
+	/**
+	 * The attribute name for the subject token claims stored in the
+	 * {@link OAuth2Authorization}. These claims are available to
+	 * {@link org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer}
+	 * implementations for mapping external ID token claims to the generated access token.
+	 * @since 7.0
+	 */
+	public static final String SUBJECT_TOKEN_CLAIMS_ATTRIBUTE = OAuth2TokenExchangeSubjectTokenContext.class.getName()
+			+ ".CLAIMS";
+
 	private final Log logger = LogFactory.getLog(getClass());
 
 	private final OAuth2AuthorizationService authorizationService;
@@ -155,6 +165,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 					.principalName(subjectTokenContext.getPrincipalName())
 					.authorizationGrantType(AuthorizationGrantType.TOKEN_EXCHANGE)
 					.attribute(Principal.class.getName(), subjectTokenContext.getPrincipal())
+					.attribute(SUBJECT_TOKEN_CLAIMS_ATTRIBUTE, subjectTokenContext.getClaims())
 					.build();
 			// @formatter:on
 

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OidcIdTokenSubjectTokenResolver.java

@@ -44,11 +44,27 @@
  * token using a {@link JwtDecoder} obtained from the provided factory, then constructs an
  * {@link OAuth2TokenExchangeSubjectTokenContext} from the token's claims.
  *
+ * <p>
+ * The ID token's JWKS endpoint can be configured per client using
+ * {@link org.springframework.security.oauth2.server.authorization.settings.ClientSettings#getIdTokenJwkSetUrl()}.
+ * Example configuration:
+ *
+ * <pre>
+ * &#064;Bean
+ * OidcIdTokenSubjectTokenResolver subjectTokenResolver() {
+ *     return new OidcIdTokenSubjectTokenResolver((registeredClient) -&gt; {
+ *         String jwkSetUrl = registeredClient.getClientSettings().getIdTokenJwkSetUrl();
+ *         return NimbusJwtDecoder.withJwkSetUri(jwkSetUrl).build();
+ *     });
+ * }
+ * </pre>
+ *
  * @author Bapuji Koraganti
  * @since 7.0
  * @see OAuth2TokenExchangeSubjectTokenResolver
  * @see OAuth2TokenExchangeSubjectTokenContext
  * @see JwtDecoderFactory
+ * @see org.springframework.security.oauth2.server.authorization.settings.ClientSettings#getIdTokenJwkSetUrl()
  */
 public final class OidcIdTokenSubjectTokenResolver implements OAuth2TokenExchangeSubjectTokenResolver {
 

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/ClientSettings.java

@@ -99,6 +99,17 @@ public boolean isRequireAuthorizationConsent() {
 		return getSetting(ConfigurationSettingNames.Client.X509_CERTIFICATE_SUBJECT_DN);
 	}
 
+	/**
+	 * Returns the {@code URL} for the external Identity Provider's JSON Web Key Set used
+	 * to validate ID tokens during token exchange.
+	 * @return the {@code URL} for the external IdP's JSON Web Key Set, or {@code null} if
+	 * not set
+	 * @since 7.0
+	 */
+	public @Nullable String getIdTokenJwkSetUrl() {
+		return getSetting(ConfigurationSettingNames.Client.ID_TOKEN_JWK_SET_URL);
+	}
+
 	/**
 	 * Constructs a new {@link Builder} with the default settings.
 	 * @return the {@link Builder}
@@ -185,6 +196,17 @@ public Builder x509CertificateSubjectDN(String x509CertificateSubjectDN) {
 			return setting(ConfigurationSettingNames.Client.X509_CERTIFICATE_SUBJECT_DN, x509CertificateSubjectDN);
 		}
 
+		/**
+		 * Sets the {@code URL} for the external Identity Provider's JSON Web Key Set used
+		 * to validate ID tokens during token exchange.
+		 * @param idTokenJwkSetUrl the {@code URL} for the external IdP's JSON Web Key Set
+		 * @return the {@link Builder} for further configuration
+		 * @since 7.0
+		 */
+		public Builder idTokenJwkSetUrl(String idTokenJwkSetUrl) {
+			return setting(ConfigurationSettingNames.Client.ID_TOKEN_JWK_SET_URL, idTokenJwkSetUrl);
+		}
+
 		/**
 		 * Builds the {@link ClientSettings}.
 		 * @return the {@link ClientSettings}

oauth2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/settings/ConfigurationSettingNames.java

@@ -78,6 +78,13 @@ public static final class Client {
 		public static final String X509_CERTIFICATE_SUBJECT_DN = CLIENT_SETTINGS_NAMESPACE
 			.concat("x509-certificate-subject-dn");
 
+		/**
+		 * Set the {@code URL} for the external Identity Provider's JSON Web Key Set used
+		 * to validate ID tokens during token exchange.
+		 * @since 7.0
+		 */
+		public static final String ID_TOKEN_JWK_SET_URL = CLIENT_SETTINGS_NAMESPACE.concat("id-token-jwk-set-url");
+
 		private Client() {
 		}
 

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenExchangeAuthenticationProviderTests.java

@@ -698,6 +698,15 @@ public void authenticateWhenSubjectTokenResolverReturnsContextThenReturnAccessTo
 		assertThat(authorization.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.TOKEN_EXCHANGE);
 		assertThat(authorization.<Authentication>getAttribute(Principal.class.getName())).isSameAs(userPrincipal);
 		assertThat(authorization.getAccessToken().getToken()).isEqualTo(accessToken);
+
+		// Verify subject token claims are available via the token context authorization
+		OAuth2Authorization subjectAuth = tokenContext.getAuthorization();
+		assertThat(subjectAuth).isNotNull();
+		Map<String, Object> subjectTokenClaims = subjectAuth
+			.getAttribute(OAuth2TokenExchangeAuthenticationProvider.SUBJECT_TOKEN_CLAIMS_ATTRIBUTE);
+		assertThat(subjectTokenClaims).isNotNull();
+		assertThat(subjectTokenClaims).containsEntry("iss", "https://gitlab.com");
+		assertThat(subjectTokenClaims).containsEntry("sub", "user@example.com");
 	}
 
 	@Test

oauth2/oauth2-authorization-server/src/test/java/org/springframework/security/oauth2/server/authorization/settings/ClientSettingsTests.java

@@ -72,6 +72,20 @@ public void x509CertificateSubjectDNWhenProvidedThenSet() {
 			.isEqualTo("CN=demo-client-sample, OU=Spring Samples, O=Spring, C=US");
 	}
 
+	@Test
+	public void idTokenJwkSetUrlWhenProvidedThenSet() {
+		ClientSettings clientSettings = ClientSettings.builder()
+			.idTokenJwkSetUrl("https://gitlab.com/oauth/discovery/keys")
+			.build();
+		assertThat(clientSettings.getIdTokenJwkSetUrl()).isEqualTo("https://gitlab.com/oauth/discovery/keys");
+	}
+
+	@Test
+	public void idTokenJwkSetUrlWhenNotSetThenNull() {
+		ClientSettings clientSettings = ClientSettings.builder().build();
+		assertThat(clientSettings.getIdTokenJwkSetUrl()).isNull();
+	}
+
 	@Test
 	public void settingWhenCustomThenSet() {
 		ClientSettings clientSettings = ClientSettings.builder()