Custom headers in public JWKs request for Spring Security OpenID Connect

I'm using Oracle's OAM as an authentication provider. Our set-up mandates that the request to the public JWKs endpoint (the one that you set with .jwkSetUri()) has a custom header:

    x-oauth-identity-domain-name: AppSpecificDomainName

So far I was not able to find a proper parameter configuration in the Spring Security OpenID Connect framework.

I use Spring Security 5.8.4.

I was able to make a dirty workaround to at least verify my set-up. I copied the source code of the RestTemplate class to the exact same package that it has in the Spring framework so that it would get class-loaded first.

Then I've modified the

    protected <T> T doExecute(URI url, @Nullable HttpMethod method, @Nullable RequestCallback requestCallback, @Nullable ResponseExtractor<T> responseExtractor);

method and added header injection code:

    ...
    ClientHttpRequest request = createRequest(url, method);

    // Inject custom headers if this is a security-related outbound call
    if (url.toString().startsWith("https://access.mycompany.com")) {
        request.getHeaders().add("x-oauth-identity-domain-name", "AppSpecificDomainName");
    }
    ...

But clearly I want a cleaner solution, since this one is hardly maintainable.
