Mark password grant for removal

This commit also updates link to the document "Best Current Practice for OAuth 2.0 Security" to point to RFC 9700. Closes gh-16913
2025-05-30 08:42:13 +00:00 · 2025-04-09 11:14:23 -05:00 · 2025-04-09 11:14:23 -05:00 · 9d442c13de
commit 9d442c13de
parent 197ee38aa0
9 changed files with 58 additions and 63 deletions
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
@ -138,13 +138,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public OAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
 		return OAuth2AuthorizedClientProviderBuilder.this;
@ -155,13 +154,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
 			.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
 * @since 5.2
 * @see OAuth2AuthorizedClientProvider
 * @see DefaultPasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
 */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {

 	private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
 * @since 5.2
 * @see ReactiveOAuth2AuthorizedClientProvider
 * @see WebClientReactivePasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
 */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {

 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -139,13 +139,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
 				(k) -> new PasswordGrantBuilder());
@ -157,13 +156,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
 			.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -52,12 +52,12 @@ import org.springframework.web.client.RestTemplate;
 * @see <a target="_blank" href=
 * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
 * (Resource Owner Password Credentials Grant)</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
 */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class DefaultPasswordTokenResponseClient
 		implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -35,12 +35,12 @@ import org.springframework.util.StringUtils;
 * @see <a target="_blank" href=
 * "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
 * Password Credentials</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
 */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {

 	private final String username;
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -38,7 +38,7 @@ import org.springframework.util.StringUtils;
 * @see RequestEntity
 * @deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead
 */
-@Deprecated(since = "6.4")
+@Deprecated(since = "6.4", forRemoval = true)
 public class OAuth2PasswordGrantRequestEntityConverter
 		extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2PasswordGrantRequest> {

--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -37,12 +37,12 @@ import org.springframework.web.reactive.function.client.WebClient;
 * @see <a target="_blank" href=
 * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
 * (Resource Owner Password Credentials Grant)</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
 */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class WebClientReactivePasswordTokenResponseClient
 		extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
@ -48,13 +48,12 @@ public final class AuthorizationGrantType implements Serializable {
 	public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");

 	/**
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");

 	/**