Skip to content

Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms #17669

wants to merge 1 commit into from
+17 −1

Conversation

frido37
Copy link

@frido37 frido37 commented Aug 7, 2025

Summary
This change proposes a potential fix for spring-security#15866, which we encountered in a production environment.

Problem
We experienced a critical "stop-the-world" event lasting approximately 15 minutes due to the absence of connection and read timeouts in the default RestTemplate configuration used by NimbusJwtDecoder. Specifically, the underlying SimpleClientHttpRequestFactory does not define any timeouts, which can cause the application to hang indefinitely in certain network failure scenarios.

Current Workaround
To mitigate this in our own application, we use a JwkSetUriJwtDecoderBuilderCustomizer to configure the RestTemplate with appropriate timeouts. While this works, the current default behavior is problematic and may impact other users as well.

@Configuration
public class JwtDecoderConfig {

    @Bean
    public JwkSetUriJwtDecoderBuilderCustomizer jwkSetUriJwtDecoderBuilderCustomizer() {
        return builder -> {
            SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
            requestFactory.setConnectTimeout(RemoteJWKSet.DEFAULT_HTTP_CONNECT_TIMEOUT);
            requestFactory.setReadTimeout(RemoteJWKSet.DEFAULT_HTTP_READ_TIMEOUT);

            builder.restOperations(new RestTemplate(requestFactory));
        };
    }
}

Proposal
We suggest that reasonable default timeouts (both connect and read) should be applied to the RestTemplate used by default in NimbusJwtDecoder. This change will help prevent similar problems for others.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 7, 2025
@frido37 frido37 mentioned this pull request Aug 7, 2025
Closed
jzheaux
jzheaux requested changes Aug 13, 2025
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @frido37, for the PR! I've left some feedback inline.

@jzheaux
Copy link
Contributor

jzheaux commented Aug 13, 2025

This is a note for myself:

As part of merging, upgrade instructions should be added to the 6.5 guide for how to update an application's configuration to use the new timeout values. In this way, they can know whether the new timeouts will be an issue before updating to 7.0.

@jzheaux jzheaux self-assigned this Aug 13, 2025
@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue type: enhancement A general enhancement in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Aug 13, 2025
@jzheaux jzheaux changed the title Add timeout parameter to critical remote http call in mutex section Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500 ms Aug 13, 2025
@jzheaux jzheaux changed the title Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500 ms Align NimbusJwtDecoder HTTP timeout defaults with Nimbus by setting to 500ms Aug 13, 2025
@frido37
Copy link
Author

frido37 commented Aug 18, 2025

Thanks for the feedback. I Resolved it with the second commit.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 18, 2025
@jzheaux jzheaux removed the status: feedback-provided Feedback has been provided label Aug 21, 2025
@jzheaux
Copy link
Contributor

jzheaux commented Aug 22, 2025
edited
Loading

Thanks, @frido37. Will you please squash your commits and then we can merge it?

In the future, if you publish a PR on a branch instead of main, I can help a bit more with cleanups like that.

Please also change your commit to the following title and description:

Provider Default Timeouts For JWK Retrieval

Issue gh-14269

@jzheaux jzheaux added the status: waiting-for-feedback We need additional information before we can continue label Aug 22, 2025
@frido37
Copy link
Author

frido37 commented Aug 23, 2025

I’ve squashed the commits and updated the commit message. Let me know if anything else is needed.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Aug 23, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) status: feedback-provided Feedback has been provided type: enhancement A general enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@frido37 @jzheaux @spring-projects-issues