From 835d6c1fbd54eab6737e0c60cece104ec7e4b724 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Fri, 27 Mar 2026 13:16:40 -0600
Subject: [PATCH] Add Issuer Validation to withIssuerLocation Snippets

Closes gh-19000

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../reactive/oauth2/resource-server/jwt.adoc | 32 ++++++++++++++-----
 .../servlet/oauth2/resource-server/jwt.adoc | 32 ++++++++++++++-----
 2 files changed, 48 insertions(+), 16 deletions(-)

diff --git a/docs/modules/ROOT/pages/reactive/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/reactive/oauth2/resource-server/jwt.adoc
index b0e125c20c..652e568677 100644
--- a/docs/modules/ROOT/pages/reactive/oauth2/resource-server/jwt.adoc
+++ b/docs/modules/ROOT/pages/reactive/oauth2/resource-server/jwt.adoc
@@ -376,7 +376,9 @@ Java::
 ----
 @Bean
 public ReactiveJwtDecoder jwtDecoder() {
- return NimbusReactiveJwtDecoder.withIssuerLocation(issuer).build();
+ NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(issuer).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -386,7 +388,9 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): ReactiveJwtDecoder {
- return NimbusReactiveJwtDecoder.withIssuerLocation(issuer).build()
+ val jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(issuer).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -452,8 +456,10 @@ Java::
 ----
 @Bean
 ReactiveJwtDecoder jwtDecoder() {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
+ NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -463,8 +469,10 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): ReactiveJwtDecoder {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
+ val jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -479,8 +487,10 @@ Java::
 ----
 @Bean
 ReactiveJwtDecoder jwtDecoder() {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
+ NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).jwsAlgorithm(ES512).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -490,8 +500,10 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): ReactiveJwtDecoder {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
+ val jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).jwsAlgorithm(ES512).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -506,11 +518,13 @@ Java::
 ----
 @Bean
 ReactiveJwtDecoder jwtDecoder() {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.jwkSetUri)
+ NimbusReactiveJwtDecoder jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithms(algorithms -> {
 algorithms.add(RS512);
 algorithms.add(ES512);
 }).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -520,12 +534,14 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): ReactiveJwtDecoder {
- return NimbusReactiveJwtDecoder.withIssuerLocation(this.jwkSetUri)
+ val jwtDecoder = NimbusReactiveJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithms {
 it.add(RS512)
 it.add(ES512)
 }
 .build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
index 7a614104f0..7bbd00d6b2 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc
@@ -519,7 +519,9 @@ Java::
 ----
 @Bean
 public JwtDecoder jwtDecoder() {
- return NimbusJwtDecoder.withIssuerLocation(issuer).build();
+ NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -529,7 +531,9 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): JwtDecoder {
- return NimbusJwtDecoder.withIssuerLocation(issuer).build()
+ val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(issuer).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -595,8 +599,10 @@ Java::
 ----
 @Bean
 JwtDecoder jwtDecoder() {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -606,8 +612,10 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): JwtDecoder {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -622,8 +630,10 @@ Java::
 ----
 @Bean
 JwtDecoder jwtDecoder() {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).jwsAlgorithm(ES512).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -633,8 +643,10 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): JwtDecoder {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithm(RS512).jwsAlgorithm(ES512).build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======
@@ -649,11 +661,13 @@ Java::
 ----
 @Bean
 JwtDecoder jwtDecoder() {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithms(algorithms -> {
 algorithms.add(RS512);
 algorithms.add(ES512);
 }).build();
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer));
+ return jwtDecoder;
 }
 ----
 
@@ -663,11 +677,13 @@ Kotlin::
 ----
 @Bean
 fun jwtDecoder(): JwtDecoder {
- return NimbusJwtDecoder.withIssuerLocation(this.issuer)
+ val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(this.issuer)
 .jwsAlgorithms {
 it.add(RS512)
 it.add(ES512)
 }.build()
+ jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(this.issuer))
+ return jwtDecoder
 }
 ----
 ======