OAuth2 AS use shared secret key encoded JWT #springboot-oauth2-as-jwt

as.java

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity httpSecurity,
                                                                      OAuth2TokenGenerator<?> tokenGenerator,
                                                                      RegisteredClientRepository registeredClientRepository) throws Exception {
        OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(httpSecurity);
        OAuth2AuthorizationServerConfigurer oAuth2AuthorizationServerConfigurer =
                httpSecurity.getConfigurer(OAuth2AuthorizationServerConfigurer.class);
        oAuth2AuthorizationServerConfigurer.registeredClientRepository(registeredClientRepository);

        // This is really what sets the use of JWT for access token only
        oAuth2AuthorizationServerConfigurer.tokenGenerator(tokenGenerator);
        return httpSecurity.build();
    }

    @Bean
    public OAuth2TokenGenerator<?> tokenGenerator(@Qualifier("sharedSecretJwtEncoder") JwtEncoder jwtEncoder,
                                                  OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer) {
        // Use inject encoder from below
        JwtGenerator jwtGenerator = new JwtGenerator(jwtEncoder);
        // Use injected customizer from below so that JWKSet is not required as we are using shared secret key
        jwtGenerator.setJwtCustomizer(jwtCustomizer);

        // If you need JWT for refresh token then you have to implement it a subclass of JwtGenerator for refresh token
        return new DelegatingOAuth2TokenGenerator(jwtGenerator);
    }

    // Used by tokenGenerator to set JWT header
    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> {
            JwsHeader.Builder headers = context.getJwsHeader();
            if (context.getTokenType().equals(OAuth2TokenType.ACCESS_TOKEN) ||
                    context.getTokenType().equals(OAuth2TokenType.REFRESH_TOKEN)) {
                // We are using HS256 with shared secret key
                headers.algorithm(MacAlgorithm.HS256);
            }

            // Other customization
        };
    }

    // Used by tokenGenerator
    @Bean
    @Qualifier("sharedSecretJwtEncoder")
    public JwtEncoder jwtEncoder(@Qualifier("sharedSecretJwkSource") JWKSource<SecurityContext> jwkSource) {
        // Use shared secret
        return new NimbusJwtEncoder(jwkSource); // Use jwk source from below
    }

    // Shared secret key base JWKSource - used by jwtEncoder
    @Bean
    @Qualifier("sharedSecretJwkSource")
    public JWKSource<SecurityContext> jwkSource(@Value("${jwt.shared-secret-key}") String sharedSecretKey) {
        return new ImmutableSecret<SecurityContext>(
                new SecretKeySpec(sharedSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
    }

as.properties

# Authorization server - register client with id client
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-id=client
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-name=client
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-secret=secret
spring.security.oauth2.authorizationserver.client.clientrs.registration.client-authentication-methods=client_secret_basic
spring.security.oauth2.authorizationserver.client.clientrs.registration.authorization-grant-types=authorization_code,refresh_token,client_credentials
spring.security.oauth2.authorizationserver.client.clientrs.registration.scopes=read
spring.security.oauth2.authorizationserver.client.clientrs.registration.redirect-uris=http://localhost:8080/login/oauth2/code/client
spring.security.oauth2.authorizationserver.client.clientrs.token.access-token-time-to-live=180s
spring.security.oauth2.authorizationserver.client.clientrs.token.refresh-token-time-to-live=1800s

jwt.properties

jwt.shared-secret-key=a8b5ea4c-3b26-11ee-be56-0242ac120002