Document JwtClaimValidator

jzheaux · jzheaux · commit 93b8c656d8fe · 2020-03-04T14:47:44.000-07:00
Fixes gh-8076
diff --git a/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc b/docs/manual/src/docs/asciidoc/_includes/about/whats-new.adoc
@@ -36,7 +36,7 @@ Here's what you'll see in this release:
 * OAuth 2.0 Resource Server
 ** Added support for <<oauth2resourceserver-multitenancy,multiple issuers>>
 ** Added <<testing-opaque-token,test support for Opaque Tokens>>
-** Added https://github.com/spring-projects/spring-security/pull/7962[generic claim validator]
+** Added <<oauth2resourceserver-jwt-validation-custom,generic claim validator>>
 ** Added https://github.com/spring-projects/spring-security/issues/5185[XML support]
 ** Improved https://github.com/spring-projects/spring-security/pull/7826[bearer token error handling] for JWT and Opaque Token
 * SAML 2.0
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-resourceserver.adoc
@@ -695,9 +695,19 @@ Adding a check for the `aud` claim is simple with the `OAuth2TokenValidator` API
 
 [source,java]
 ----
-public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
-    OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+OAuth2TokenValidator<Jwt> audienceValidator() {
+    return new JwtClaimValidator<List<String>>(AUD, aud -> aud.contains("messaging"));
+}
+----
+
+Or, for more control you can implement your own `OAuth2TokenValidator`:
+
+[source,java]
+----
+static class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+    OAuth2Error error = new OAuth2Error("custom_code", "Custom error message", null);
 
+    @Override
     public OAuth2TokenValidatorResult validate(Jwt jwt) {
         if (jwt.getAudience().contains("messaging")) {
             return OAuth2TokenValidatorResult.success();
@@ -706,6 +716,12 @@ public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
         }
     }
 }
+
+// ...
+
+OAuth2TokenValidator<Jwt> audienceValidator() {
+    return new AudienceValidator();
+}
 ----
 
 Then, to add into a resource server, it's a matter of specifying the `JwtDecoder` instance:
@@ -717,7 +733,7 @@ JwtDecoder jwtDecoder() {
     NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
         JwtDecoders.fromIssuerLocation(issuerUri);
 
-    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator();
+    OAuth2TokenValidator<Jwt> audienceValidator = audienceValidator();
     OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
     OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
 
