Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Deprecate Resource Owner Password Credentials grant 

Closes gh-11590
This commit is contained in:
Joe Grandja 2022-07-15 15:46:33 -04:00
parent 1be9be97a1
commit 95155ddb0c
8 changed files with 62 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
View File

@ -137,7 +137,13 @@ public final class OAuth2AuthorizedClientProviderBuilder {
/** /**
* Configures support for the {@code password} grant. * Configures support for the {@code password} grant.
* @return the {@link OAuth2AuthorizedClientProviderBuilder} * @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public OAuth2AuthorizedClientProviderBuilder password() { public OAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
return OAuth2AuthorizedClientProviderBuilder.this; return OAuth2AuthorizedClientProviderBuilder.this;
@ -148,7 +154,13 @@ public final class OAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration * further configuration
* @return the {@link OAuth2AuthorizedClientProviderBuilder} * @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) { public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); .computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

7
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2020 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -40,7 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2 * @since 5.2
* @see OAuth2AuthorizedClientProvider * @see OAuth2AuthorizedClientProvider
* @see DefaultPasswordTokenResponseClient * @see DefaultPasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient(); private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();

7
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2020 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -40,7 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2 * @since 5.2
* @see ReactiveOAuth2AuthorizedClientProvider * @see ReactiveOAuth2AuthorizedClientProvider
* @see WebClientReactivePasswordTokenResponseClient * @see WebClientReactivePasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient(); private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
View File

@ -139,7 +139,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
/** /**
* Configures support for the {@code password} grant. * Configures support for the {@code password} grant.
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public ReactiveOAuth2AuthorizedClientProviderBuilder password() { public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
(k) -> new PasswordGrantBuilder()); (k) -> new PasswordGrantBuilder());
@ -151,7 +157,13 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration * further configuration
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) { public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders.computeIfAbsent( PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders.computeIfAbsent(
PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

7
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -53,7 +53,12 @@ import org.springframework.web.client.RestTemplate;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a> * (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public final class DefaultPasswordTokenResponseClient public final class DefaultPasswordTokenResponseClient
implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> { implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

7
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -30,7 +30,12 @@ import org.springframework.util.Assert;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner * "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
* Password Credentials</a> * Password Credentials</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest { public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
private final String username; private final String username;

7
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2020 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -42,7 +42,12 @@ import org.springframework.web.reactive.function.client.WebClient;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a> * (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated
public final class WebClientReactivePasswordTokenResponseClient public final class WebClientReactivePasswordTokenResponseClient
extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> { extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

8
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
View File

@ -57,6 +57,14 @@ public final class AuthorizationGrantType implements Serializable {
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials"); public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
/**
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
* of the Resource Owner Password Credentials grant. See reference
* <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
* 2.0 Security Best Current Practice.</a>
*/
@Deprecated
public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password"); public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
/** /**