Deprecate ImplicitGrantConfigurer

Closes gh-8902
2020-08-04 07:18:43 -04:00 · 2020-08-04 07:18:43 -04:00 · 11cc94afd8
parent 4e5a304a8a
commit 11cc94afd8
1 changed files with 7 additions and 1 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -48,11 +48,17 @@ import org.springframework.util.Assert;
 * <li>{@link ClientRegistrationRepository}</li>
 * </ul>
 *
+ * @deprecated It is not recommended to use the implicit flow
+ * due to the inherent risks of returning access tokens in an HTTP redirect
+ * without any confirmation that it has been received by the client.
+ * See reference <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit Grant</a>.
+ *
 * @author Joe Grandja
 * @since 5.0
 * @see OAuth2AuthorizationRequestRedirectFilter
 * @see ClientRegistrationRepository
 */
+@Deprecated
 public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>> extends
 	AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {