From 754fe7f457dc758c5de761b47efa244407cd34fe Mon Sep 17 00:00:00 2001 From: Steve Riesenberg Date: Thu, 10 Nov 2022 16:02:33 -0600 Subject: [PATCH] Document deprecations in oauth2 modules * oauth2-client * oauth2-resource-server Issue gh-12022 --- docs/modules/ROOT/pages/migration.adoc | 155 +++++++++++++++++++++++++ 1 file changed, 155 insertions(+) diff --git a/docs/modules/ROOT/pages/migration.adoc b/docs/modules/ROOT/pages/migration.adoc index 8df66a205c..a749fbdce6 100644 --- a/docs/modules/ROOT/pages/migration.adoc +++ b/docs/modules/ROOT/pages/migration.adoc 
@@ -3972,6 +3972,136 @@ fun passwordEncoder(): PasswordEncoder { ---- ==== +=== Deprecations in OAuth2 Client + +In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/client/index.adoc[OAuth2 Client]. +Each deprecation is listed below, along with a direct replacement. + +==== `ServletOAuth2AuthorizedClientExchangeFilterFunction` + +The method `setAccessTokenExpiresSkew(...)` can be replaced with one of: + +* `ClientCredentialsOAuth2AuthorizedClientProvider#setClockSkew(...)` +* `RefreshTokenOAuth2AuthorizedClientProvider#setClockSkew(...)` +* `JwtBearerOAuth2AuthorizedClientProvider#setClockSkew(...)` + +The method `setClientCredentialsTokenResponseClient(...)` can be replaced with the constructor `ServletOAuth2AuthorizedClientExchangeFilterFunction(OAuth2AuthorizedClientManager)`. + +[NOTE] +==== +See xref:servlet/oauth2/client/authorization-grants.adoc#oauth2Client-client-creds-grant[Client Credentials] for more information. +==== + +==== `OidcUserInfo` + +The method `phoneNumberVerified(String)` can be replaced with `phoneNumberVerified(Boolean)`. + +==== `OAuth2AuthorizedClientArgumentResolver` + +The method `setClientCredentialsTokenResponseClient(...)` can be replaced with the constructor `OAuth2AuthorizedClientArgumentResolver(OAuth2AuthorizedClientManager)`. + +[NOTE] +==== +See xref:servlet/oauth2/client/authorization-grants.adoc#oauth2Client-client-creds-grant[Client Credentials] for more information. +==== + +==== `ClaimAccessor` + +The method `containsClaim(...)` can be replaced with `hasClaim(...)`. + +==== `OidcClientInitiatedLogoutSuccessHandler` + +The method `setPostLogoutRedirectUri(URI)` can be replaced with `setPostLogoutRedirectUri(String)`. + +==== `HttpSessionOAuth2AuthorizationRequestRepository` + +The method `setAllowMultipleAuthorizationRequests(...)` has no direct replacement. 
+ +==== `AuthorizationRequestRepository` + +The method `removeAuthorizationRequest(HttpServletRequest)` can be replaced with `removeAuthorizationRequest(HttpServletRequest, HttpServletResponse)`. + +==== `ClientRegistration` + +The method `getRedirectUriTemplate()` can be replaced with `getRedirectUri()`. + +==== `ClientRegistration.Builder` + +The method `redirectUriTemplate(...)` can be replaced with `redirectUri(...)`. + +==== `AbstractOAuth2AuthorizationGrantRequest` + +The constructor `AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType)` can be replaced with `AbstractOAuth2AuthorizationGrantRequest(AuthorizationGrantType, ClientRegistration)`. + +==== `ClientAuthenticationMethod` + +The static field `BASIC` can be replaced with `CLIENT_SECRET_BASIC`. + +The static field `POST` can be replaced with `CLIENT_SECRET_POST`. + +==== `OAuth2AccessTokenResponseHttpMessageConverter` + +The field `tokenResponseConverter` has no direct replacement. + +The method `setTokenResponseConverter(...)` can be replaced with `setAccessTokenResponseConverter(...)`. + +The field `tokenResponseParametersConverter` has no direct replacement. + +The method `setTokenResponseParametersConverter(...)` can be replaced with `setAccessTokenResponseParametersConverter(...)`. + +==== `NimbusAuthorizationCodeTokenResponseClient` + +The class `NimbusAuthorizationCodeTokenResponseClient` can be replaced with `DefaultAuthorizationCodeTokenResponseClient`. + +==== `NimbusJwtDecoderJwkSupport` + +The class `NimbusJwtDecoderJwkSupport` can be replaced with `NimbusJwtDecoder` or `JwtDecoders`. + +==== `ImplicitGrantConfigurer` + +The class `ImplicitGrantConfigurer` has no direct replacement. + +[WARNING] +==== +Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6. +==== + +==== `AuthorizationGrantType` + +The static field `IMPLICIT` has no direct replacement. 
+ +[WARNING] +==== +Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6. +==== + +==== `OAuth2AuthorizationResponseType` + +The static field `TOKEN` has no direct replacement. + +[WARNING] +==== +Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6. +==== + +==== `OAuth2AuthorizationRequest` + +The static method `implicit()` has no direct replacement. + +[WARNING] +==== +Use of the `implicit` grant type is not recommended and all related support is removed in Spring Security 6. +==== + +=== Deprecations in OAuth2 Resource Server + +In Spring Security 6, deprecated classes and methods were removed from xref:servlet/oauth2/resource-server/index.adoc[OAuth2 Resource Server]. +Each deprecation is listed below, along with a direct replacement. + +==== `JwtAuthenticationConverter` + +The method `extractAuthorities(...)` can be replaced with `JwtGrantedAuthoritiesConverter#convert(...)`. + == Reactive === Use `AuthorizationManager` for Method Security 
@@ -4142,3 +4272,28 @@ http { ==== Opt-out Steps To opt-out of the 6.0 defaults and instead continue to pass `AuthenticationServiceException` on to ``ServerAuthenticationEntryPoint``s, you can follow the same steps as above, except set `rethrowAuthenticationServiceException` to false. + +=== Deprecations in OAuth2 Client + +==== `ServerOAuth2AuthorizedClientExchangeFilterFunction` + +The method `setAccessTokenExpiresSkew(...)` can be replaced with one of: + +* `ClientCredentialsReactiveOAuth2AuthorizedClientProvider#setClockSkew(...)` +* `RefreshTokenReactiveOAuth2AuthorizedClientProvider#setClockSkew(...)` +* `JwtBearerReactiveOAuth2AuthorizedClientProvider#setClockSkew(...)` + +The method `setClientCredentialsTokenResponseClient(...)` can be replaced with the constructor `ServerOAuth2AuthorizedClientExchangeFilterFunction(ReactiveOAuth2AuthorizedClientManager)`. + +[NOTE] +==== +See xref:reactive/oauth2/client/authorization-grants.adoc#oauth2Client-client-creds-grant[Client Credentials] for more information. +==== + +==== `WebSessionOAuth2ServerAuthorizationRequestRepository` + +The method `setAllowMultipleAuthorizationRequests(...)` has no direct replacement. + +==== `UnAuthenticatedServerOAuth2AuthorizedClientRepository` + +The class `UnAuthenticatedServerOAuth2AuthorizedClientRepository` has no direct replacement. Usage of the class can be replaced with `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager`.
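Review bot: The lead sentence of both new sections in the first hunk ("Each deprecation is listed below, along with a direct replacement.") is contradicted by the entries that state "has no direct replacement" (`setAllowMultipleAuthorizationRequests(...)`, the `tokenResponseConverter` and `tokenResponseParametersConverter` fields, `ImplicitGrantConfigurer`, `IMPLICIT`, `TOKEN` and `implicit()`); suggest `Each deprecation is listed below, along with a direct replacement where one exists.` The identical `[WARNING]` block about the `implicit` grant is also repeated verbatim four times in a row (`ImplicitGrantConfigurer`, `AuthorizationGrantType`, `OAuth2AuthorizationResponseType`, `OAuth2AuthorizationRequest`); one warning placed before the first of those entries, or a shared AsciiDoc include, would read better and be easier to keep consistent. Finally, the `setAllowMultipleAuthorizationRequests(...)` entry would be more useful to a migrating reader if it stated how multiple in-flight authorization requests are handled now that the toggle is gone, rather than only that there is no replacement.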
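Review bot: The `=== Deprecations in OAuth2 Client` heading added under `== Reactive` in the second hunk has exactly the same title as the servlet section added earlier in this patch; Asciidoctor derives section IDs from titles, so the second occurrence gets an auto-suffixed duplicate anchor that is easy to confuse in xrefs. Suggest an explicit anchor (for example `[[reactive-oauth2-client-deprecations]]`, name chosen here as an illustration) or a distinguishing title such as `=== Deprecations in Reactive OAuth2 Client`. The `UnAuthenticatedServerOAuth2AuthorizedClientRepository` entry also says the class "has no direct replacement" and then, in the next sentence, names `AuthorizedClientServiceReactiveOAuth2AuthorizedClientManager` as what usage can be replaced with; align the wording with the other entries ("can be replaced with ...") or say briefly why the replacement is indirect. Lastly, this reactive section has no "Deprecations in OAuth2 Resource Server" counterpart to the servlet one; if the reactive resource server has no removed APIs, a one-line statement to that effect would save readers from looking for it.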