📌 Problem Statement

When implementing multi-issuer JWT authentication in Spring Security (Spring Boot 3.x), the application failed to start with the following error:

Found 2 beans for type interface org.springframework.security.authentication.AuthenticationManager,
but none marked as primary

🔎 Root Cause Analysis

1. Default Spring Security Behavior

• Spring Boot auto-configuration expects at most one AuthenticationManager bean in the application context.
• It wires that global AuthenticationManager into HttpSecurityConfiguration.
• If multiple beans of type AuthenticationManager exist (without @Primary), Spring cannot decide which one to use → startup fails.

2. Our Multi-Issuer Setup

• We defined two beans manually:
  • adminAuthenticationManager
  • registeredAuthenticationManager
• Both were @Bean AuthenticationManager, so Spring registered them globally.
• Result: ambiguity during HttpSecurity initialization → crash.

3. Why This Is Wrong for Multi-Issuer JWT

• We don’t actually need a global AuthenticationManager.
• Instead, we need per-issuer AuthenticationManagers (admin + registered), resolved dynamically via JwtIssuerAuthenticationManagerResolver.
• Exposing them globally confuses Spring Security’s default fallback logic.

✅ The Working Solution

1. Build AuthenticationManagers inside the resolver