This article goes over the handling of JwtDecoder bean when building an app using native images with the resource server starter.

When building an app using a native image with the resource server starter you will notice that the JwtDecoder bean doesn't get automatically configured. This happens when the property of the issuer-uri is not present in the environment at the time of creation.

It is important to understand the differences between using JVM deployments and GraalVM native images. Detailed information about the use of GraalVM native images can be found in the following documentation.

Packaging Spring Boot Applications - Introducing GraalVM Native Images: https://docs.spring.io/spring-boot/reference/packaging/native-image/introducing-graalvm-native-images.html#packaging.native-image.introducing-graalvm-native-images.understanding-aot-processing

The details of the minimal configuration needed to create a Resource Server using JWT can be found in the Spring official documentation.

OAuth 2.0 Resource Server JWT: https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html#_specifying_the_authorization_server

This documentation shows how to specify the authorization server to use:

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: https://idp.example.com/issuer

However, it is important to note that a placeholder needs to be present at the time of build time. This means the property needs to be present when the app builds for it to pick up the environment variable when it is deployed.

This can be achieved by adding the issuer-uri on an environment value prior to app build. It is important to mention that a placeholder value, e.g. ...issuer-uri: "<placeholder>" might be sufficient for the condition to be met.