From b6ed037c3992a3ee86e668997a8f9980006981d0 Mon Sep 17 00:00:00 2001
From: Joe Grandja <10884212+jgrandja@users.noreply.github.com>
Date: Fri, 31 Oct 2025 06:38:09 -0400
Subject: [PATCH] Document device_code grant disabled by default

Issue gh-17998
---
 .../authorization-server/configuration-model.adoc | 10 +++++++---
 .../authorization-server/protocol-endpoints.adoc | 6 ++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/configuration-model.adoc b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/configuration-model.adoc
index 06a62990d3..47f0c3c7b3 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/configuration-model.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/configuration-model.adoc
@@ -11,8 +11,6 @@ The OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with
 the following default protocol endpoints:
 
 * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[OAuth2 Authorization endpoint]
-* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-authorization-endpoint[OAuth2 Device Authorization Endpoint]
-* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[OAuth2 Device Verification Endpoint]
 * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[OAuth2 Token endpoint]
 * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-introspection-endpoint[OAuth2 Token Introspection endpoint]
 * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-revocation-endpoint[OAuth2 Token Revocation endpoint]
@@ -23,7 +21,13 @@ The OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with
 The JWK Set endpoint is configured *only* if a `JWKSource` `@Bean` is registered.
 
 [NOTE]
-The xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-client-registration-endpoint[OAuth2 Client Registration endpoint] is disabled by default.
+====
+The following protocol endpoints are disabled by default:
+
+* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-authorization-endpoint[OAuth2 Device Authorization Endpoint]
+* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[OAuth2 Device Verification Endpoint]
+* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-client-registration-endpoint[OAuth2 Client Registration endpoint]
+====
 
 The following example shows how to use `OAuth2AuthorizationServerConfiguration` to apply the minimal default configuration:
 
diff --git a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc
index b62621f30d..967ff73adc 100644
--- a/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc
+++ b/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc
@@ -271,6 +271,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 <6> `errorResponseHandler()`: The `AuthenticationFailureHandler` (_post-processor_) used for handling an `OAuth2AuthenticationException` and returning the https://datatracker.ietf.org/doc/html/rfc6749#section-5.2[OAuth2Error response].
 <7> `verificationUri()`: The `URI` of the custom end-user verification page to direct resource owners to on a secondary device.
 
+[NOTE]
+The OAuth2 Device Authorization endpoint is disabled by default.
+
 `OAuth2DeviceAuthorizationEndpointConfigurer` configures the `OAuth2DeviceAuthorizationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`.
 `OAuth2DeviceAuthorizationEndpointFilter` is the `Filter` that processes OAuth2 device authorization requests.
 
@@ -319,6 +322,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 <6> `errorResponseHandler()`: The `AuthenticationFailureHandler` (_post-processor_) used for handling an `OAuth2AuthenticationException` and returning the error response.
 <7> `consentPage()`: The `URI` of the custom consent page to redirect resource owners to if consent is required during the device verification request flow.
 
+[NOTE]
+The OAuth2 Device Verification endpoint is disabled by default.
+
 `OAuth2DeviceVerificationEndpointConfigurer` configures the `OAuth2DeviceVerificationEndpointFilter` and registers it with the OAuth2 authorization server `SecurityFilterChain` `@Bean`.
 `OAuth2DeviceVerificationEndpointFilter` is the `Filter` that processes OAuth2 device verification requests (and consents).