Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-05-31 09:12:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Mark password grant for removal

Browse Source 
This commit also updates link to the document "Best Current Practice for
OAuth 2.0 Security" to point to RFC 9700.

Closes gh-16913
This commit is contained in:
Steve Riesenberg 2025-04-09 11:14:23 -05:00
parent 197ee38aa0
commit 9d442c13de
No known key found for this signature in database
GPG Key ID: 3D0169B18AB8F0A9
9 changed files with 58 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java
View File

@ -138,13 +138,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
/** /**
* Configures support for the {@code password} grant. * Configures support for the {@code password} grant.
* @return the {@link OAuth2AuthorizedClientProviderBuilder} * @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* of the Resource Owner Password Credentials grant. See reference * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* <a target="_blank" href= * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * Current Practice.</a>
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public OAuth2AuthorizedClientProviderBuilder password() { public OAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
return OAuth2AuthorizedClientProviderBuilder.this; return OAuth2AuthorizedClientProviderBuilder.this;
@ -155,13 +154,12 @@ public final class OAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration * further configuration
* @return the {@link OAuth2AuthorizedClientProviderBuilder} * @return the {@link OAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* of the Resource Owner Password Credentials grant. See reference * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* <a target="_blank" href= * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * Current Practice.</a>
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) { public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); .computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2 * @since 5.2
* @see OAuth2AuthorizedClientProvider * @see OAuth2AuthorizedClientProvider
* @see DefaultPasswordTokenResponseClient * @see DefaultPasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href= * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* 2.0 Security Best Current Practice.</a> * Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider { public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient(); private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -40,12 +40,12 @@ import org.springframework.util.StringUtils;
* @since 5.2 * @since 5.2
* @see ReactiveOAuth2AuthorizedClientProvider * @see ReactiveOAuth2AuthorizedClientProvider
* @see WebClientReactivePasswordTokenResponseClient * @see WebClientReactivePasswordTokenResponseClient
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href= * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* 2.0 Security Best Current Practice.</a> * Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider { public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient(); private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();

24
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -139,13 +139,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
/** /**
* Configures support for the {@code password} grant. * Configures support for the {@code password} grant.
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* of the Resource Owner Password Credentials grant. See reference * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* <a target="_blank" href= * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * Current Practice.</a>
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public ReactiveOAuth2AuthorizedClientProviderBuilder password() { public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
(k) -> new PasswordGrantBuilder()); (k) -> new PasswordGrantBuilder());
@ -157,13 +156,12 @@ public final class ReactiveOAuth2AuthorizedClientProviderBuilder {
* @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
* further configuration * further configuration
* @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder} * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* of the Resource Owner Password Credentials grant. See reference * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* <a target="_blank" href= * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * Current Practice.</a>
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) { public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder()); .computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2022 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -52,12 +52,12 @@ import org.springframework.web.client.RestTemplate;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a> * (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href= * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* 2.0 Security Best Current Practice.</a> * Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public final class DefaultPasswordTokenResponseClient public final class DefaultPasswordTokenResponseClient
implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> { implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -35,12 +35,12 @@ import org.springframework.util.StringUtils;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner * "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
* Password Credentials</a> * Password Credentials</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href= * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* 2.0 Security Best Current Practice.</a> * Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest { public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
private final String username; private final String username;

4
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -38,7 +38,7 @@ import org.springframework.util.StringUtils;
* @see RequestEntity * @see RequestEntity
* @deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead * @deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead
*/ */
@Deprecated(since = "6.4") @Deprecated(since = "6.4", forRemoval = true)
public class OAuth2PasswordGrantRequestEntityConverter public class OAuth2PasswordGrantRequestEntityConverter
extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2PasswordGrantRequest> { extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2PasswordGrantRequest> {

12
oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2024 the original author or authors. * Copyright 2002-2025 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -37,12 +37,12 @@ import org.springframework.web.reactive.function.client.WebClient;
* @see <a target="_blank" href= * @see <a target="_blank" href=
* "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
* (Resource Owner Password Credentials Grant)</a> * (Resource Owner Password Credentials Grant)</a>
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* the Resource Owner Password Credentials grant. See reference <a target="_blank" href= * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* 2.0 Security Best Current Practice.</a> * Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public final class WebClientReactivePasswordTokenResponseClient public final class WebClientReactivePasswordTokenResponseClient
extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> { extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {

11
oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java
View File

@ -48,13 +48,12 @@ public final class AuthorizationGrantType implements Serializable {
public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials"); public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
/** /**
* @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
* of the Resource Owner Password Credentials grant. See reference * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
* <a target="_blank" href= * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
* "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth * Current Practice.</a>
* 2.0 Security Best Current Practice.</a>
*/ */
@Deprecated @Deprecated(since = "5.8", forRemoval = true)
public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password"); public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
/** /**