From 518ae27105291b0c87c970f874083f1d480e99fb Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Tue, 12 Aug 2025 14:28:30 -0400
Subject: [PATCH] Fix JwtDecoderFactory ClassNotFoundException with DPoP authentication

Closes gh-17249
---
 .../resource/OAuth2ResourceServerConfigurer.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
index b470d0f6a3..74e770920e 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@@ -64,6 +64,7 @@ import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.ClassUtils;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 import org.springframework.web.accept.HeaderContentNegotiationStrategy;
@@ -147,13 +148,19 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy;
 public final class OAuth2ResourceServerConfigurer> extends AbstractHttpConfigurer, H> {
+ private static final boolean dPoPAuthenticationAvailable;
+
+ static {
+ ClassLoader classLoader = OAuth2ResourceServerConfigurer.class.getClassLoader();
+ dPoPAuthenticationAvailable = ClassUtils
+ .isPresent("org.springframework.security.oauth2.jwt.DPoPProofJwtDecoderFactory", classLoader);
+ }
+
 private static final RequestHeaderRequestMatcher X_REQUESTED_WITH = new RequestHeaderRequestMatcher(
 "X-Requested-With", "XMLHttpRequest");
 private final ApplicationContext context;
- private final DPoPAuthenticationConfigurer dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
-
 private AuthenticationManagerResolver authenticationManagerResolver;
 private BearerTokenResolver bearerTokenResolver;
@@ -285,7 +292,10 @@ public final class OAuth2ResourceServerConfigurer dPoPAuthenticationConfigurer = new DPoPAuthenticationConfigurer<>();
+ dPoPAuthenticationConfigurer.configure(http);
+ }
 }
 private void validateConfiguration() {
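Review bot: The `dPoPAuthenticationAvailable` field and its static initializer (hunk at -147) carry no comment explaining why `DPoPProofJwtDecoderFactory` is the class being probed or what the configurer does when it is missing. Judging by the commit title and the `+ }` lines in the hunk at -285 (its guard line is not legible on this page, and the enclosing method starts outside the hunk), DPoP configuration appears to be skipped in that case, so a deployment that expects DPoP-bound tokens gets no signal that the feature is off. I would document that on the field, e.g. `// DPoP support needs the JWT classes on the classpath; when absent, DPoP authentication is not configured`, and consider a debug-level log line where the configurer is skipped. As a style point, the initializer can be a single declaration, `private static final boolean dPoPAuthenticationAvailable = ClassUtils.isPresent("…DPoPProofJwtDecoderFactory", OAuth2ResourceServerConfigurer.class.getClassLoader());`.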