Add timeouts for JWT decoder in AadResourceServerConfiguration#49312

Closed
berry120 wants to merge 2 commits into Azure:main from berry120:patch-1


@berry120 berry120 commented May 29, 2026

Set default read & connect timeouts on NimbusJwtDecoder.

Description

This Spring Security issue highlighted the potential for 15-minute (or longer) hangs due to the absence of explicit connect & read timeouts on the NimbusJwtDecoder. This is fixed in Spring Security; however, the Azure SDK explicitly overrides restOperations in the NimbusJwtDecoder it creates, meaning we need the fix explicitly here, too.

As a current workaround, the following can be defined as a bean on a configuration class:

    @Bean
    RestTemplateBuilder restTemplateBuilder(RestTemplateBuilderConfigurer configurer) {
        return configurer.configure(new RestTemplateBuilder())
            .connectTimeout(Duration.ofMillis(JWKSourceBuilder.DEFAULT_HTTP_CONNECT_TIMEOUT))
            .readTimeout(Duration.ofMillis(JWKSourceBuilder.DEFAULT_HTTP_READ_TIMEOUT));
    }

However, this isn't ideal as it applies globally, and has to be specified in each project.

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.
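
Added example (not part of this PR or of the Azure SDK): a decoder whose JWK set retrieval gets its own `RestTemplate` with timeouts, so nothing is applied globally, exercised against a stalled endpoint like the one behind the hang described above. The class name, the 500 ms values, the local stalled socket and the sample token are constructed for the demo.

```java
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Base64;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

public class ScopedJwkTimeoutDemo { // hypothetical class name
    // Constructed demo values, not taken from the PR.
    static final int CONNECT_TIMEOUT_MS = 500;
    static final int READ_TIMEOUT_MS = 500;

    /** Decoder whose JWK retrieval uses a dedicated RestTemplate; other HTTP clients are untouched. */
    static JwtDecoder decoder(String jwkSetUri) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout(CONNECT_TIMEOUT_MS);
        factory.setReadTimeout(READ_TIMEOUT_MS);
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
            .restOperations(new RestTemplate(factory))
            .build();
    }

    /** Constructed token with a dummy signature: it parses as RS256, so decoding forces a JWK fetch. */
    static String sampleToken() {
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        return b64.encodeToString("{\"alg\":\"RS256\",\"kid\":\"demo\"}".getBytes()) + "."
            + b64.encodeToString("{\"sub\":\"demo\"}".getBytes()) + ".c2ln";
    }

    public static void main(String[] args) throws Exception {
        // Stalled JWK endpoint: the TCP connection is accepted but no response is ever sent.
        try (ServerSocket stalled = new ServerSocket(0)) {
            Thread holder = new Thread(() -> {
                try (Socket s = stalled.accept()) { Thread.sleep(30_000); } catch (Exception ignored) { }
            });
            holder.setDaemon(true);
            holder.start();
            JwtDecoder decoder = decoder("http://localhost:" + stalled.getLocalPort() + "/keys");
            long start = System.nanoTime();
            try {
                decoder.decode(sampleToken());
            } catch (Exception e) {
                // With the read timeout set, the request thread is released instead of blocking.
                long ms = (System.nanoTime() - start) / 1_000_000;
                System.out.println("decode failed after " + ms + " ms: " + e.getClass().getSimpleName());
            }
        }
    }
}
```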

Set connection and read timeouts for JWT decoder.
Copilot AI review requested due to automatic review settings May 29, 2026 14:54
@berry120 berry120 requested review from a team, Netyyyy, moarychan, rujche and saragluna as code owners May 29, 2026 14:54
@github-actions github-actions Bot added the labels azure-spring (All azure-spring related issues), Community Contribution (Community members are working on the issue) and customer-reported (Issues that are reported by GitHub users external to the Azure organization) May 29, 2026
@github-actions
Contributor

Thank you for your contribution @berry120! We will review the pull request and get back to you soon.

@rujche rujche assigned rujche and berry120 and unassigned rujche Jun 1, 2026
@rujche rujche added this to the 2026-06 milestone Jun 1, 2026
@rujche
Member

rujche commented Jun 1, 2026

Hi, @berry120. Thanks for creating this PR. How about using RestTemplateCustomizer to add timeouts? Here is the related code: https://github.com/spring-projects/spring-boot/blob/bcecf922c6ee98d9451f414b4bf2213ed8f47922/module/spring-boot-restclient/src/main/java/org/springframework/boot/restclient/autoconfigure/RestTemplateAutoConfiguration.java#L48-L72

    public final class RestTemplateAutoConfiguration {

        @Bean
        @Lazy
        RestTemplateBuilderConfigurer restTemplateBuilderConfigurer(
                ObjectProvider<ClientHttpRequestFactoryBuilder<?>> clientHttpRequestFactoryBuilder,
                ObjectProvider<HttpClientSettings> httpClientSettings,
                ObjectProvider<ClientHttpMessageConvertersCustomizer> convertersCustomizers,
                ObjectProvider<RestTemplateCustomizer> restTemplateCustomizers,
                ObjectProvider<RestTemplateRequestCustomizer<?>> restTemplateRequestCustomizers) {
            RestTemplateBuilderConfigurer configurer = new RestTemplateBuilderConfigurer();
            configurer.setRequestFactoryBuilder(clientHttpRequestFactoryBuilder.getIfAvailable());
            configurer.setClientSettings(httpClientSettings.getIfAvailable());
            configurer.setHttpMessageConvertersCustomizers(convertersCustomizers.orderedStream().toList());
            configurer.setRestTemplateCustomizers(restTemplateCustomizers.orderedStream().toList());
            configurer.setRestTemplateRequestCustomizers(restTemplateRequestCustomizers.orderedStream().toList());
            return configurer;
        }

        @Bean
        @Lazy
        @ConditionalOnMissingBean
        RestTemplateBuilder restTemplateBuilder(RestTemplateBuilderConfigurer restTemplateBuilderConfigurer) {
            return restTemplateBuilderConfigurer.configure(new RestTemplateBuilder());
        }

    }

@rujche rujche requested review from Copilot and removed request for Copilot June 1, 2026 05:21
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the Spring Cloud Azure AAD resource server auto-configuration to ensure the internally created NimbusJwtDecoder uses explicit HTTP connect/read timeouts when retrieving the JWK set, preventing potentially long hangs when network timeouts aren’t otherwise configured.

Changes:

  • Introduces default connect and read timeout values for the NimbusJwtDecoder JWK retrieval path.
  • Applies these timeouts via RestTemplateBuilder when constructing the RestOperations used by the decoder.

Comment on lines +47 to +48
private static final Duration JWT_DECODER_CONNECT_TIMEOUT = Duration.ofMillis(500);
private static final Duration JWT_DECODER_READ_TIMEOUT = Duration.ofMillis(500);
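Review bot: JWT_DECODER_CONNECT_TIMEOUT and JWT_DECODER_READ_TIMEOUT are hard-coded to Duration.ofMillis(500), with no comment on where the value comes from and no way to override it. The workaround in the PR description takes the same settings from JWKSourceBuilder.DEFAULT_HTTP_CONNECT_TIMEOUT and JWKSourceBuilder.DEFAULT_HTTP_READ_TIMEOUT; referencing those constants here would document the origin and keep the two from drifting apart. A configuration property would also let deployments with a slow path to the JWK endpoint raise the limits rather than fail token validation.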
Comment on lines +64 to +67
.restOperations(createRestTemplate(restTemplateBuilder
.connectTimeout(JWT_DECODER_CONNECT_TIMEOUT)
.readTimeout(JWT_DECODER_READ_TIMEOUT)))
.build();
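Review bot: The connectTimeout and readTimeout calls on restTemplateBuilder are applied unconditionally, so any timeout an application has already configured on the injected builder is replaced for the decoder's JWK retrieval. Consider applying the defaults only when nothing else is configured, or supplying them through a RestTemplateCustomizer as suggested in the conversation. A test asserting that the RestOperations passed to restOperations(...) carries the expected timeouts would guard this path against regressions.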
@rujche
Copy link
Copy Markdown
Member

rujche commented Jun 1, 2026

Closing in favor of #49329

@rujche rujche closed this Jun 1, 2026
@github-project-automation github-project-automation Bot moved this from Todo to Done in Spring Cloud Azure Jun 1, 2026