Spring Boot 2.3.4: Bug with JwtValidators.createDefaultWithIssuer(String)?

I found an odd behavior with JWT parsing and JwtValidators.

Scenario:

• Spring Boot OIDC client (for now a tiny web app, only displaying logged in user and some OIDC objects provided by Spring)
• Custom JwtDecoderFacotry<ClientRegistration> for ID-Token validation
• JwtValidatorFactory based on JwtValidators.createDefaultWithIssuer(String)

This worked well with Spring Boot version <= 2.2.10.

Debugging:

• NimbusJwtDecoder (JAR spring-security-oauth2-jose) uses claim set converters. The 'iss' (issuer) claim is handled as URL.
• JwtIssuerValidator (internally created by JwtValidators.createDefaultWithIssuer(String)) wraps a JwtClaimValidator<String>.
• this one finally calls equals() that is always false - it compares String with URL.

My current workaround is not calling JwtValidators.createDefaultWithIssuer() but just using the validators new JwtTimestampValidator() and an own implementation of OAuth2TokenValidator<Jwt> (with wrapping JwtClaimValidator<URL>).

Anyone else having trouble with this?

--Christian

It's a bug. Pull Request is created.