Configuring JWT Validation Timeouts in Spring Boot 4.0+

Fix connection timeout errors when validating Scalekit JWT tokens in Spring Boot 4.0.0 and later versions.

If you’re using Spring Boot 4.0.0 or later and experiencing connection timeout errors when validating JWT tokens from Scalekit, you’ll need to explicitly configure timeout values. This is a known issue affecting Spring Security’s OAuth2 resource server configuration.

The problem

Your Spring Boot application successfully configures the issuer-uri for JWT validation:

1
spring:
2
  security:
3
    oauth2:
4
      resourceserver:
5
        jwt:
6
          issuer-uri: https://auth.scalekit.com

But authentication fails with timeout errors like:

1
java.net.SocketTimeoutException: Connect timed out
2
  at org.springframework.security.oauth2.jwt.JwtDecoders.fromIssuerLocation

Why this happens

Starting with Spring Boot 4.0.0, Spring Security changed how it handles HTTP connections during JWT validation:

Before 4.0.0: Spring used default system timeouts (often much longer)
After 4.0.0: Spring enforces strict, short timeout defaults that can be too aggressive for production

When your application starts or validates its first JWT token, Spring Security:

Fetches the OpenID Connect discovery document from issuer-uri
Retrieves the JWKS (JSON Web Key Set) to verify token signatures
Caches these for future validations

If these initial requests timeout, authentication fails completely.

Who needs this fix

This issue specifically affects:

✅ Spring Boot applications version 4.0.0 or later
✅ Using issuer-uri for JWT validation (not manual jwk-set-uri)
✅ Production environments with network latency or firewall rules
✅ Applications experiencing intermittent authentication failures

You don’t need this if:

❌ Using Spring Boot 3.x or earlier
❌ Manually configuring jwk-set-uri instead of issuer-uri
❌ Already have custom RestTemplate or WebClient configurations

The solution

Configure explicit timeout values for the OAuth2 resource server’s HTTP client. Spring Security provides configuration properties specifically for this:

application.yml
application.properties

1
spring:
2
  security:
3
    oauth2:
4
      resourceserver:
5
        jwt:
6
          issuer-uri: https://auth.scalekit.com
7
          # Configure timeouts for JWKS and discovery endpoints
8
          client:
9
            registration:
10
              connect-timeout: 10000  # 10 seconds for connection
11
              read-timeout: 10000     # 10 seconds for reading response

1
spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.scalekit.com
2
# Configure timeouts for JWKS and discovery endpoints
3
spring.security.oauth2.resourceserver.jwt.client.registration.connect-timeout=10000
4
spring.security.oauth2.resourceserver.jwt.client.registration.read-timeout=10000

Timeout values explained

connect-timeout: Maximum time (in milliseconds) to establish a connection to Scalekit’s servers
read-timeout: Maximum time (in milliseconds) to wait for a response after connection is established

Recommended values:

Development: 5000ms (5 seconds) for faster feedback
Production: 10000-15000ms (10-15 seconds) to handle network variability

Alternative: Programmatic configuration

If you need more control or want to configure this per-environment, use Java configuration:

1
import org.springframework.context.annotation.Bean;
2
import org.springframework.context.annotation.Configuration;
3
import org.springframework.http.client.SimpleClientHttpRequestFactory;
4
import org.springframework.security.oauth2.jwt.JwtDecoder;
5
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
6
import org.springframework.web.client.RestTemplate;
7

8
@Configuration
9
public class SecurityConfig {
10

11
    @Bean
12
    public JwtDecoder jwtDecoder() {
13
        // Create a RestTemplate with custom timeouts
14
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
15
        factory.setConnectTimeout(10000);  // 10 seconds
16
        factory.setReadTimeout(10000);     // 10 seconds
17

18
        RestTemplate restTemplate = new RestTemplate(factory);
19

20
        // Use the custom RestTemplate for JWT validation
21
        return NimbusJwtDecoder
22
            .withIssuerLocation("https://auth.scalekit.com")
23
            .restOperations(restTemplate)
24
            .build();
25
    }
26
}

This approach gives you:

Full control over HTTP client configuration
Ability to add custom headers or interceptors
Environment-specific timeout tuning

Verifying the fix

After applying the configuration:

Restart your application - Spring Security initializes the JWT decoder on startup
Test authentication - Make a request with a valid Scalekit JWT token
Check logs - You should see successful JWKS retrieval:

1
DEBUG o.s.security.oauth2.jwt.JwtDecoder - Retrieved JWKS from https://auth.scalekit.com/.well-known/jwks.json

If you still see timeout errors:

Verify network connectivity to auth.scalekit.com
Check firewall rules allowing outbound HTTPS
Increase timeout values if your network has high latency

When to use standard Spring Security instead

This cookbook addresses a specific Spring Boot 4.0+ timeout issue. For general JWT validation setup:

Follow the Spring Security OAuth2 Resource Server documentation
Use Scalekit’s standard Java SDK for token validation if not using Spring Security
Consider the default issuer-uri configuration if you’re not experiencing timeouts