The Spring Security documentation (https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#oauth2resourceserver-jwt-timeouts) states that:
By default, Resource Server uses connection and socket timeouts of 30 seconds each for coordinating with the authorization server.
I created a JwtDecoder in the following way:
    @Bean
    JwtDecoder jwtDecoder() {
        // Decoder built without passing any explicit timeout settings
        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        return jwtDecoder;
    }
jwkSetUri is set to some non-existent IP. Now, making a request to my resource server gets a timeout (as expected) and the following exception is thrown:
An error occurred while attempting to decode the Jwt: Couldn't retrieve remote JWK set: org.springframework.web.client.ResourceAccessException: I/O error on GET request: Connect to jwkSetUri [jwkSetUri ] failed: connect timed out; nested exception is org.apache.http.conn.ConnectTimeoutException: Connect to jwkSetUri failed: connect timed out
However, the time after which the exception is thrown does not match what is described in the documentation. When I run the application on Windows, it takes about 20 seconds. When I run it on Linux, it takes about 2-3 minutes. It looks like it depends on the operating system. However, when I manually set the timeout as follows:
    @Bean
    public JwtDecoder jwtDecoder(RestTemplateBuilder builder) {
        // RestOperations with explicit 5-second connect and read timeouts
        RestOperations rest = builder
                .setConnectTimeout(Duration.ofSeconds(5))
                .setReadTimeout(Duration.ofSeconds(5))
                .build();
        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).restOperations(rest).build();
        return jwtDecoder;
    }
Then, as expected, I get a timeout after 5 seconds. Am I missing something, or is the default value given in the documentation incorrect?