From 9d442c13de5be1150b92fda1a88443853ec72495 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg <5248162+sjohnr@users.noreply.github.com>
Date: Wed, 9 Apr 2025 11:14:23 -0500
Subject: [PATCH] Mark password grant for removal
This commit also updates the link to the document "Best Current Practice for
OAuth 2.0 Security" to point to RFC 9700.
Closes gh-16913
---
...OAuth2AuthorizedClientProviderBuilder.java | 22 ++++++++---------
...asswordOAuth2AuthorizedClientProvider.java | 12 +++++-----
...eactiveOAuth2AuthorizedClientProvider.java | 12 +++++-----
...OAuth2AuthorizedClientProviderBuilder.java | 24 +++++++++----------
.../DefaultPasswordTokenResponseClient.java | 12 +++++-----
.../endpoint/OAuth2PasswordGrantRequest.java | 12 +++++-----
...h2PasswordGrantRequestEntityConverter.java | 4 ++--
...ntReactivePasswordTokenResponseClient.java | 12 +++++-----
.../oauth2/core/AuthorizationGrantType.java | 11 ++++-----
9 files changed, 58 insertions(+), 63 deletions(-)
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
index 316b2d5c13..74026e7e56 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
@@ -138,13 +138,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
/**
* Configures support for the {@code password} grant.
* @return the {@link OAuth2AuthorizedClientProviderBuilder}
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
- * of the Resource Owner Password Credentials grant. See reference
- * OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
- @Deprecated
+ @Deprecated(since = "5.8", forRemoval = true)
public OAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
return OAuth2AuthorizedClientProviderBuilder.this;
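Review bot: The rewritten `@deprecated` text on the new Javadoc lines of `password()` names only the BCP document and gives callers no migration target, while the Java convention is for the `@deprecated` tag to point at a replacement. Since the commit message says the link now targets RFC 9700, I would also put the RFC number in the visible text so it survives plain-text rendering, e.g. `@deprecated The OAuth 2.0 Security Best Current Practice (RFC 9700, Section 2.4) disallows the use of the Resource Owner Password Credentials grant; migrate to another grant supported by this builder, such as the authorization code grant for user-delegated access or client credentials for service-to-service calls.` Which other grants this builder exposes is not visible in this hunk, so confirm the names before citing them.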
@@ -155,13 +154,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration
* @return the {@link OAuth2AuthorizedClientProviderBuilder}
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
- * of the Resource Owner Password Credentials grant. See reference
- * OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
- @Deprecated
+ @Deprecated(since = "5.8", forRemoval = true)
public OAuth2AuthorizedClientProviderBuilder password(Consumer builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
index 04b12cd3f5..c3c80284af 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2
* @see OAuth2AuthorizedClientProvider
* @see DefaultPasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
private OAuth2AccessTokenResponseClient accessTokenResponseClient = new DefaultPasswordTokenResponseClient();
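Review bot: The field initializer `new DefaultPasswordTokenResponseClient()` on the last line of this hunk will now produce a `[removal]` warning, because this same commit marks `DefaultPasswordTokenResponseClient` `forRemoval = true` in a different outermost class, and unlike ordinary deprecation warnings, removal warnings are not silenced by the using element itself being `@Deprecated` (JLS 9.6.4.6, only `@SuppressWarnings("removal")` or the same outermost class does). If the library compiles with `-Xlint` and `-Werror`, this initializer and the analogous one in `PasswordReactiveOAuth2AuthorizedClientProvider` will fail the build; add `@SuppressWarnings("removal")` on the class or the field, or confirm the build configuration tolerates the warning. The same consideration applies to the builders' references to `PasswordOAuth2AuthorizedClientProvider.class` inside their deprecated `password()` methods. The class body continues outside the hunk.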
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
index f83b9b338d..b3229a8b01 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2
* @see ReactiveOAuth2AuthorizedClientProvider
* @see WebClientReactivePasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
private ReactiveOAuth2AccessTokenResponseClient accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
index 3ad1d8bba9..f75de34304 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -139,13 +139,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
/**
* Configures support for the {@code password} grant.
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
- * of the Resource Owner Password Credentials grant. See reference
- * OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
- @Deprecated
+ @Deprecated(since = "5.8", forRemoval = true)
public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
(k) -> new PasswordGrantBuilder());
@@ -157,13 +156,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
- * of the Resource Owner Password Credentials grant. See reference
- * OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
- @Deprecated
+ @Deprecated(since = "5.8", forRemoval = true)
public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
index 0fd6145a34..8b27ec5a1a 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -52,12 +52,12 @@ import org.springframework.web.client.RestTemplate;
* @see Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
public final class DefaultPasswordTokenResponseClient
implements OAuth2AccessTokenResponseClient {
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
index f192d8b1ec..48f78f8628 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -35,12 +35,12 @@ import org.springframework.util.StringUtils;
* @see Section 1.3.3 Resource Owner
* Password Credentials
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
private final String username;
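Review bot: The new `@deprecated` text states that the grant is disallowed but not why, and this is the class that carries the resource owner's credentials (`username` is visible on the last line; the password field presumably follows outside the hunk), so a one-sentence rationale would let downstream reviewers see the actual risk rather than a policy reference. I would add: `This grant requires the client to handle the resource owner's plaintext credentials, which RFC 9700 Section 2.4 identifies as insecure (it widens the exposure of the credentials beyond the authorization server and is hard to combine with multi-factor or cryptographic authentication).` The class declaration continues outside the hunk.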
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
index 9d25da6e7e..1c0fc4aad9 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@ import org.springframework.util.StringUtils;
* @see RequestEntity
* @deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead
*/
-@Deprecated(since = "6.4")
+@Deprecated(since = "6.4", forRemoval = true)
public class OAuth2PasswordGrantRequestEntityConverter
extends AbstractOAuth2AuthorizationGrantRequestEntityConverter {
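Review bot: Adding `forRemoval = true` here while leaving the `@deprecated` text as `Use {@link DefaultOAuth2TokenRequestParametersConverter} instead` tells a reader that swapping converters is a complete migration, but this same commit marks the whole password grant for removal, so that path still leads to a soon-removed API. I would extend the tag: `@deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead; note that the password grant itself is deprecated for removal, see RFC 9700.` Keeping `since = "6.4"` looks intentional, since this class was deprecated for a different reason than the 5.8 password-grant deprecations elsewhere in the commit. The class body continues outside the hunk.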
diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
index 1de84db719..ff16eb855f 100644
--- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
+++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
@@ -1,5 +1,5 @@
/*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -37,12 +37,12 @@ import org.springframework.web.reactive.function.client.WebClient;
* @see Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
public final class WebClientReactivePasswordTokenResponseClient
extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient {
diff --git a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
index ae8d054616..912af07729 100644
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
@@ -48,13 +48,12 @@ public final class AuthorizationGrantType implements Serializable {
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
/**
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
- * of the Resource Owner Password Credentials grant. See reference
- * OAuth
- * 2.0 Security Best Current Practice.
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best
+ * Current Practice.
*/
- @Deprecated
+ @Deprecated(since = "5.8", forRemoval = true)
public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
/**