Spring Security supports JWTs and Opaque Tokens simultaneously via an AuthenticationManagerResolver:

http
    .oauth2ResourceServer(oauth2 -> oauth2
        .authenticationManagerResolver(...)
    );

Currently, though, if both oauth2.resourceserver.jwt.* and oauth2.resourceserver.opaquetoken.* properties are specified:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://idp.example.org
        opaquetoken:
          introspection-uri: https://idp.example.org/introspect
          client-id: client
          client-secret: secret

then Spring Boot throws an exception.

This makes sense when Spring Boot is providing the WebSecurityConfigurerAdapter and must either specify .oauth2ResourceServer().jwt() or .oauth2ResourceServer().opaqueToken() in the Spring Security DSL. But, if the application supplies its own WebSecurityConfigurerAdapter, then Spring Boot doesn't specify either of these.

Spring Boot should not error when both JWT and Opaque Token configurations are supplied and the application is supplying its own WebSecurityConfigurerAdapter.

EDIT: This is also true for ReactiveJwtDecoder, ReactiveOpaqueTokenIntrospector, and SecurityWebFilterChain on the reactive side.
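
One way the application-supplied WebSecurityConfigurerAdapter described above could fill in the resolver, as an added example that is not part of the original issue or the Spring project's code. The class name `MixedTokenSecurityConfig` and the helpers `tokenTypeResolver` and `looksLikeJwt` are hypothetical, and the example assumes a `JwtDecoder` bean and an `OpaqueTokenIntrospector` bean are both available in the context.

```java
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationManagerResolver;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;

// Hypothetical configuration class; both beans are assumed to exist in the context.
@Configuration
public class MixedTokenSecurityConfig extends WebSecurityConfigurerAdapter {
    private final JwtDecoder jwtDecoder;
    private final OpaqueTokenIntrospector introspector;

    public MixedTokenSecurityConfig(JwtDecoder jwtDecoder, OpaqueTokenIntrospector introspector) {
        this.jwtDecoder = jwtDecoder;
        this.introspector = introspector;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .authenticationManagerResolver(tokenTypeResolver()));
    }

    // Routes each request to one provider. The routing decision is not a trust
    // decision: the chosen provider still fully validates the token.
    AuthenticationManagerResolver<HttpServletRequest> tokenTypeResolver() {
        JwtAuthenticationProvider jwtProvider = new JwtAuthenticationProvider(jwtDecoder);
        OpaqueTokenAuthenticationProvider opaqueProvider = new OpaqueTokenAuthenticationProvider(introspector);
        AuthenticationManager jwt = jwtProvider::authenticate;
        AuthenticationManager opaque = opaqueProvider::authenticate;
        DefaultBearerTokenResolver bearer = new DefaultBearerTokenResolver();
        return request -> looksLikeJwt(bearer.resolve(request)) ? jwt : opaque;
    }

    // Structural check for a compact JWS (header.payload.signature) only.
    // Anything else, including a missing token, goes to introspection.
    static boolean looksLikeJwt(String token) {
        return token != null && token.split("\\.", -1).length == 3;
    }
}
```

A token that merely has three dot-separated segments is sent to the JWT provider and rejected there if its signature or claims do not validate, so the heuristic cannot widen what is accepted.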

Comment From: mbhave

@jzheaux We made this change as part of #19426. Am I missing something?

Comment From: jzheaux

Oops, @mbhave! Nope, I missed that ticket somehow. Sorry for the noise and thank you for your quick response.