Description
I have tried setting the jwk-set-uri both as okta.oauth2.resourceserver.jwt.jwk-set-uri and as spring.security.oauth2.resourceserver.jwt.jwk-set-uri (as I understand it, the former is supposed to be an alias of the latter), and in both cases the value I set is being overwritten to /oauth2/v1/keys, which I guess is the default value.
I am able to work around this by setting the jwkSetUri as part of the filterChain security configuration (on the jwt object), either directly or using @Value("${okta.oauth2.resourceserver.jwt.jwk-set-uri}"). Incidentally, when I use @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}"), when the OAuth2ResourceServerProperties bean is created the jwkSetUri property has been overwritten to the Okta-defined default of ${okta.oauth2.issuer-with-path}/v1/keys.
So, to summarize, when attempting to configure the jwk-set-uri either in spring.security or in okta.oauth2, the value is not honored when the OAuth2ResourceServerProperties bean is created, which is what the jwk decoder uses when it is created.