Deprecate Resource Owner Password Credentials grant

Closes gh-11590
This commit is contained in:
Joe Grandja 2022-07-15 15:46:33 -04:00
parent 1be9be97a1
commit 95155ddb0c
8 changed files with 62 additions and 5 deletions

View File

@ -137,7 +137,13 @@ public final class OAuth2AuthorizedClientProviderBuilder {
/**
* Configures support for the {@code password} grant.
* @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public OAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
return OAuth2AuthorizedClientProviderBuilder.this;
@ -148,7 +154,13 @@ public final class OAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration
* @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -40,7 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2
* @see OAuth2AuthorizedClientProvider
* @see DefaultPasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -40,7 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2
* @see ReactiveOAuth2AuthorizedClientProvider
* @see WebClientReactivePasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();

View File

@ -139,7 +139,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
/**
* Configures support for the {@code password} grant.
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
(k) -> new PasswordGrantBuilder());
@ -151,7 +157,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders.computeIfAbsent(
PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2019 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -53,7 +53,12 @@ import org.springframework.web.client.RestTemplate;
* @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public final class DefaultPasswordTokenResponseClient
implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2021 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -30,7 +30,12 @@ import org.springframework.util.Assert;
* @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
* Password Credentials</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
private final String username;

View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2020 the original author or authors.
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -42,7 +42,12 @@ import org.springframework.web.reactive.function.client.WebClient;
* @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public final class WebClientReactivePasswordTokenResponseClient
extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

View File

@ -57,6 +57,14 @@ public final class AuthorizationGrantType implements Serializable {
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
/**
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
/**