From 204a612be122ec0daf54bb8085fd6dd149740131 Mon Sep 17 00:00:00 2001
From: Joe Grandja
Date: Sun, 23 Feb 2020 08:08:12 -0500
Subject: [PATCH] Deprecate Implicit Grant

Fixes gh-8013
---
 .../asciidoc/_includes/servlet/appendix/namespace.adoc | 2 +-
 .../_includes/servlet/oauth2/oauth2-client.adoc | 2 +-
 .../security/oauth2/core/AuthorizationGrantType.java | 10 ++++++++++
 .../core/endpoint/OAuth2AuthorizationRequest.java | 5 +++++
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
index aed960fee3..c94132edb6 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/appendix/namespace.adoc
@@ -1082,7 +1082,7 @@ The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/
 [[nsa-client-registration-authorization-grant-type]]
 * **authorization-grant-type**
 The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
-The supported values are `authorization_code`, `client_credentials`, `password` and `implicit`.
+The supported values are `authorization_code`, `client_credentials` and `password`.
 [[nsa-client-registration-redirect-uri]]
diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc
index 57e6f44451..8e362f15de 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/oauth2/oauth2-client.adoc
@@ -135,7 +135,7 @@ public final class ClientRegistration {
 <4> `clientAuthenticationMethod`: The method used to authenticate the Client with the Provider.
 The supported values are *basic*, *post* and *none* https://tools.ietf.org/html/rfc6749#section-2.1[(public clients)].
 <5> `authorizationGrantType`: The OAuth 2.0 Authorization Framework defines four https://tools.ietf.org/html/rfc6749#section-1.3[Authorization Grant] types.
- The supported values are `authorization_code`, `client_credentials`, `password` and `implicit`.
+ The supported values are `authorization_code`, `client_credentials` and `password`.
 <6> `redirectUriTemplate`: The client's registered redirect URI that the _Authorization Server_ redirects the end-user's user-agent to after the end-user has authenticated and authorized access to the client.
 <7> `scopes`: The scope(s) requested by the client during the Authorization Request flow, such as openid, email, or profile.
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
index 8eaf24e496..db0b8eb014 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
@@ -36,7 +36,17 @@ import java.io.Serializable;
 public final class AuthorizationGrantType implements Serializable {
 private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;
 public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
+
+ /**
+ * It is not recommended to use the implicit flow
+ * due to the inherent risks of returning access tokens in an HTTP redirect
+ * without any confirmation that it has been received by the client.
+ *
+ * @see OAuth 2.0 Implicit Grant
+ */
+ @Deprecated
 public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
+
 public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
 public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
 public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
index 85c7a89814..28937c61c4 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java
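Review bot: The Javadoc added above `IMPLICIT` gives the reason for deprecation but has no `@deprecated` tag, so the `@Deprecated` annotation and the doc comment disagree — javadoc's deprecation lint flags exactly that pairing, and the generated "Deprecated API" list will show the constant with no explanation, unlike `implicit()` in the OAuth2AuthorizationRequest hunk, which does carry the tag. I would make the first sentence the tag and name the migration target, since deprecation leaves the grant type fully functional for any client registration that still configures it: `* @deprecated It is not recommended to use the implicit flow` … `* Use {@link #AUTHORIZATION_CODE} instead (with PKCE for public clients).` The `@see` line should keep its RFC 6749 §1.3.2 link target so readers can follow the risk description to its source.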
@@ -186,8 +186,13 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 /**
 * Returns a new {@link Builder}, initialized with the implicit grant type.
 *
+ * @deprecated It is not recommended to use the implicit flow
+ * due to the inherent risks of returning access tokens in an HTTP redirect
+ * without any confirmation that it has been received by the client.
+ * @see OAuth 2.0 Implicit Grant
 * @return the {@link Builder}
 */
+ @Deprecated
 public static Builder implicit() {
 return new Builder(AuthorizationGrantType.IMPLICIT);
 }
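Review bot: The `@deprecated` text on `implicit()` explains the risk but never says what callers should use instead, which is the one thing a deprecation note is expected to carry; I would end it with `* Use {@link #authorizationCode()} instead.` so the migration path is visible in the IDE warning. The tag order is also unconventional — `@return` is normally placed before `@see` and `@deprecated`, whereas here `@deprecated` and `@see` are inserted ahead of the existing `@return`. Since the method itself is now `@Deprecated`, its reference to `AuthorizationGrantType.IMPLICIT` will not raise a deprecation warning, so no `@SuppressWarnings` is needed here.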