RFC 9068 requires that access token JWTs include the `client_id`
claim, but it does not require resource servers to validate it against
a specific value.
Relates to gh-18381
Signed-off-by: Giacomo Baso <gbaso@users.noreply.github.com>
Given that RestClient does not read RequestEntity objects, let's
leave it out of a class built around using RestClient
Issue gh-18745
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Since similar classes have alternative versions using RestClient instead
of RestTemplate, I think we should do the same with this class.
Closes: gh-18745
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
- Saml2RuntimeHints consistently uses String in a separate method
to ensure no classpath issues
- Fix Whitespace/Checkstyle
- Add Missing Nullability Annotations
- Add @since version
- Change variable name to match method name
Issue gh-18623
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
This commit makes it so that fromOidcConfiguration throws the same exception
caused by chain as other configuration methods. Specifically, if parsing
throws a RuntimeException, this method will now wrap it in an
IllegalArgumentException as other configuration methods do.
This makes specific sense here since the RuntimeException is almost certainly
caused by a malformed configuration set handed in as a method parameter.
Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Align AOT hints with MemberCategory deprecation replacements
- Replace DECLARED_FIELDS with ACCESS_DECLARED_FIELDS in runtime hints
- Preserve 1:1 intent for Collections via registerType only
- Keep INVOKE_* only where it existed before
Closes spring-projectsgh-18432
Signed-off-by: gimgisu <gisu1102@gmail.com>
Restore Jackson 2 module runtime hints for passivity
- Keep Jackson 2 module registrations when jackson2 is present
- Extract Jackson 2 hint registration into a dedicated method
- Suppress removal warnings only for the Jackson 2 registration
Closes spring-projectsgh-18432
Signed-off-by: gimgisu <gisu1102@gmail.com>
OAuth2AuthorizationRequestRedirectFilterTests attempt to validate the constructors throw IllegalArgumentException if an invalid argument is provided, but
they are flawed because it is the reflective code that is throwing the IllegalArgumentException due to imprecise type information.
This changes the tests to no longer use unnecessary reflection and casts the types so that the type information is used to target the correct
constructor.
Closes gh-18507
To prevent future compiler warnings from being introduced, this change
applies the `compile-warnings-error` plugin to the
`spring-security-oauth2-core` module.
This ensures that any new warnings will fail the build, maintaining
code quality and preventing warning accumulation.
Fixes: gh-18434
Signed-off-by: Pavel Vassiliev <paulvas@gmail.com>
Signed-off-by: paulvas <paulvas@gmail.com>
This test encodes a JWT with NimbusJwtEncoder, and then decodes it with
NimbusJwtDecoder.
This test will fail when NimbusJwtEncoder emits a JWT with a wrong `typ`
parameter in the header, as NimbusJwtDecoder validates the JWT with
JwtTypeValidator by default. It may be beneficial for finding out other
similar bugs too.
Signed-off-by: Ziqin Wang <ziqin@wangziqin.net>
The warning is unnecessary since PKCE only applies to authorization_code
flow and the code already corrects this silently.
Closes: gh-18221
Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>