diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/JwtDecoderRegistry.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/JwtDecoderRegistry.java
new file mode 100644
index 0000000000..9a9985a9e1
--- /dev/null
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/JwtDecoderRegistry.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.authentication.jwt;
+
+import org.springframework.security.jwt.JwtDecoder;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+
+/**
+ * A registry for {@link JwtDecoder}'s that are associated to a {@link ClientRegistration}.
+ *
+ * @author Joe Grandja
+ * @since 5.0
+ * @see JwtDecoder
+ * @see ClientRegistration
+ */
+public interface JwtDecoderRegistry {
+
+ JwtDecoder getJwtDecoder(ClientRegistration registration);
+
+}
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/nimbus/NimbusJwtDecoderRegistry.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/nimbus/NimbusJwtDecoderRegistry.java
new file mode 100644
index 0000000000..5dc897cc89
--- /dev/null
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/jwt/nimbus/NimbusJwtDecoderRegistry.java 
@@ -0,0 +1,60 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.client.authentication.jwt.nimbus;
+
+import org.springframework.security.jwt.JwtDecoder;
+import org.springframework.security.jwt.nimbus.NimbusJwtDecoderJwkSupport;
+import org.springframework.security.oauth2.client.authentication.jwt.JwtDecoderRegistry;
+import org.springframework.security.oauth2.client.registration.ClientRegistration;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * A {@link JwtDecoderRegistry} that uses the Nimbus JOSE + JWT SDK
+ * to create/manage instances of {@link NimbusJwtDecoderJwkSupport} internally.
+ *
+ * @author Joe Grandja
+ * @since 5.0
+ * @see JwtDecoderRegistry
+ * @see NimbusJwtDecoderJwkSupport
+ * @see Nimbus JOSE + JWT SDK
+ */
+public class NimbusJwtDecoderRegistry implements JwtDecoderRegistry {
+ private final Map jwtDecoders = new HashMap<>();
+
+ @Override
+ public JwtDecoder getJwtDecoder(ClientRegistration registration) {
+ Assert.notNull(registration, "registration cannot be null");
+ if (!this.jwtDecoders.containsKey(registration.getRegistrationId())) {
+ JwtDecoder jwtDecoder = this.createJwtDecoder(registration);
+ if (jwtDecoder != null) {
+ this.jwtDecoders.put(registration.getRegistrationId(), jwtDecoder);
+ }
+ }
+ return this.jwtDecoders.get(registration.getRegistrationId());
+ }
+
+ private JwtDecoder createJwtDecoder(ClientRegistration registration) {
+ JwtDecoder jwtDecoder = null;
+ if (StringUtils.hasText(registration.getProviderDetails().getJwkSetUri())) {
+ jwtDecoder = new NimbusJwtDecoderJwkSupport(registration.getProviderDetails().getJwkSetUri());
+ }
+ return jwtDecoder;
+ }
+}
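Review bot: `getJwtDecoder` returns `null` whenever `getJwkSetUri()` is blank, and neither this class nor the `JwtDecoderRegistry` interface method documents that, so a caller that null-checks and simply continues would accept an ID token whose signature was never verified. Either state the contract on the interface method, e.g. `@return the decoder, or {@code null} if the registration has no JWK Set URI, in which case the caller must reject the token`, or have `createJwtDecoder` throw instead of returning `null`. Separately, `jwtDecoders` is a plain `HashMap` updated through a containsKey/put/get sequence. If this registry is shared across request threads (not visible in this diff), declare the field with `new ConcurrentHashMap<>()` (importing `java.util.concurrent.ConcurrentHashMap`) and use `return this.jwtDecoders.computeIfAbsent(registration.getRegistrationId(), id -> this.createJwtDecoder(registration));`, which likewise records no mapping when the factory returns `null`. The cache is keyed on the registration id alone, so a registration later re-created under the same id with a different JWK Set URI would presumably keep the old decoder.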