From 95155ddb0c7b816267d3c497987387baa8344b12 Mon Sep 17 00:00:00 2001 From: Joe Grandja Date: Fri, 15 Jul 2022 15:46:33 -0400 Subject: [PATCH] Deprecate Resource Owner Password Credentials grant Closes gh-11590 --- .../OAuth2AuthorizedClientProviderBuilder.java | 12 ++++++++++++ .../PasswordOAuth2AuthorizedClientProvider.java | 7 ++++++- ...sswordReactiveOAuth2AuthorizedClientProvider.java | 7 ++++++- ...eactiveOAuth2AuthorizedClientProviderBuilder.java | 12 ++++++++++++ .../endpoint/DefaultPasswordTokenResponseClient.java | 7 ++++++- .../client/endpoint/OAuth2PasswordGrantRequest.java | 7 ++++++- ...WebClientReactivePasswordTokenResponseClient.java | 7 ++++++- .../security/oauth2/core/AuthorizationGrantType.java | 8 ++++++++ 8 files changed, 62 insertions(+), 5 deletions(-) diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java index 10a048f185..ff504b311d 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java @@ -137,7 +137,13 @@ public final class OAuth2AuthorizedClientProviderBuilder { /** * Configures support for the {@code password} grant. * @return the {@link OAuth2AuthorizedClientProviderBuilder} + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use + * of the Resource Owner Password Credentials grant. See reference + * OAuth + * 2.0 Security Best Current Practice. */ + @Deprecated public OAuth2AuthorizedClientProviderBuilder password() { this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); return OAuth2AuthorizedClientProviderBuilder.this; 
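Review bot: The `@Deprecated` added before `password()` carries no `since`/`forRemoval`, and the `@deprecated` Javadoc states the reason but not what callers should migrate to; the same shape is repeated in the `password(Consumer)` hunk below and in every other hunk of this patch, so this note applies to all of them. If the module's Java baseline is 9 or later, `@Deprecated(since = "<VERSION>")` records when the grant was retired, and a closing sentence such as `Migrate to the {@code authorization_code} grant, which the BCP recommends in place of the password grant.` gives the reader the replacement rather than only the prohibition. The nested `PasswordGrantBuilder` that `password()` instantiates is not annotated in this hunk; if it is public, callers who only touch the builder inside the `Consumer` get no warning, so deprecating it as well keeps the signal consistent. The body of `password()` continues past the end of the hunk.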
@@ -148,7 +154,13 @@ public final class OAuth2AuthorizedClientProviderBuilder { * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * further configuration * @return the {@link OAuth2AuthorizedClientProviderBuilder} + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use + * of the Resource Owner Password Credentials grant. See reference + * OAuth + * 2.0 Security Best Current Practice. */ + @Deprecated public OAuth2AuthorizedClientProviderBuilder password(Consumer builderConsumer) { PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders .computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java index d7c5f188c6..04b12cd3f5 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -40,7 +40,12 @@ import org.springframework.util.StringUtils; * @since 5.2 * @see OAuth2AuthorizedClientProvider * @see DefaultPasswordTokenResponseClient + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of + * the Resource Owner Password Credentials grant. See reference OAuth + * 2.0 Security Best Current Practice. */ +@Deprecated public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { private OAuth2AccessTokenResponseClient accessTokenResponseClient = new DefaultPasswordTokenResponseClient(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java index a353041617..20941a6b17 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -40,7 +40,12 @@ import org.springframework.util.StringUtils; * @since 5.2 * @see ReactiveOAuth2AuthorizedClientProvider * @see WebClientReactivePasswordTokenResponseClient + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of + * the Resource Owner Password Credentials grant. See reference OAuth + * 2.0 Security Best Current Practice. */ +@Deprecated public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { private ReactiveOAuth2AccessTokenResponseClient accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient(); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java index c9483fa16b..0e8214bcf1 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java @@ -139,7 +139,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder { /** * Configures support for the {@code password} grant. * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use + * of the Resource Owner Password Credentials grant. See reference + * OAuth + * 2.0 Security Best Current Practice. */ + @Deprecated public ReactiveOAuth2AuthorizedClientProviderBuilder password() { this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); 
@@ -151,7 +157,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder { * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * further configuration * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use + * of the Resource Owner Password Credentials grant. See reference + * OAuth + * 2.0 Security Best Current Practice. */ + @Deprecated public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer builderConsumer) { PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders.computeIfAbsent( PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java index 047e787885..2afdde28d6 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -53,7 +53,12 @@ import org.springframework.web.client.RestTemplate; * @see Section 4.3.3 Access Token Response * (Resource Owner Password Credentials Grant) + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of + * the Resource Owner Password Credentials grant. See reference OAuth + * 2.0 Security Best Current Practice. */ +@Deprecated public final class DefaultPasswordTokenResponseClient implements OAuth2AccessTokenResponseClient { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java index 7cddb4c2e1..5710214f21 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,7 +30,12 @@ import org.springframework.util.Assert; * @see Section 1.3.3 Resource Owner * Password Credentials + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of + * the Resource Owner Password Credentials grant. See reference OAuth + * 2.0 Security Best Current Practice. */ +@Deprecated public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest { private final String username; 
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java index bac8801ea6..07d4beef2b 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -42,7 +42,12 @@ import org.springframework.web.reactive.function.client.WebClient; * @see Section 4.3.3 Access Token Response * (Resource Owner Password Credentials Grant) + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of + * the Resource Owner Password Credentials grant. See reference OAuth + * 2.0 Security Best Current Practice. */ +@Deprecated public final class WebClientReactivePasswordTokenResponseClient extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient { diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java index 755b53822b..e32a01c721 100644 --- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java +++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java 
@@ -57,6 +57,14 @@ public final class AuthorizationGrantType implements Serializable { public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials"); + /** + * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use + * of the Resource Owner Password Credentials grant. See reference + * OAuth + * 2.0 Security Best Current Practice. + */ + @Deprecated public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password"); /**
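Review bot: The Javadoc block added above `PASSWORD` consists of a `@deprecated` tag alone with no summary sentence, so generated API docs list the constant without a description; a first line such as ` * The {@code password} (Resource Owner Password Credentials) grant type.` before the tag keeps it consistent with a documented constant. Deprecating the constant also means every reference to `AuthorizationGrantType.PASSWORD` from non-deprecated code — client-registration builders or tests, if any — now raises a deprecation warning, which is worth a `@SuppressWarnings("deprecation")` sweep if the build treats warnings as errors; whether it does is not visible here. The enclosing class continues outside the hunk.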