The CSRF token is created with a call to UUID.randomUUID which is blocking.
This change ensures this blocking call is done on the bounded elastic scheduler which supports blocking calls.
Fixes gh-8128
- Add "issuerUri" attribute to ClientRegistration.providerDetails for OpenID Connect Discovery 1.0 or OAuth 2.0 Authorization Server Metadata.
- Validate OidcIdToken "iss" claim against the OpenID Provider "issuerUri" value.
- Update documentation for client registration: it includes issuer-uri property now.
Fixes gh-8326
Some JVMs have blocking operations when accessing SecureRandom, and thus this needs to be performed in a pool that is larger than the number of CPUs.
Closes gh-7522
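The two commits above (gh-8128 and gh-7522) move a potentially blocking SecureRandom-backed call off the event loop. As an added illustration of that pattern, not code from Spring Security, the following Reactor snippet wraps `UUID.randomUUID()` in `Mono.fromCallable` and subscribes it on `Schedulers.boundedElastic()`, the scheduler intended for blocking work; the class name and `generateToken` method are assumptions for this example.

```java
import java.util.UUID;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

public class BlockingTokenExample {

    // Constructed example: UUID.randomUUID() uses SecureRandom, which can block
    // on some JVMs. Deferring it with fromCallable and subscribing on the
    // bounded elastic scheduler keeps that blocking call off the non-blocking
    // event-loop threads that a WebFlux request would otherwise run on.
    static Mono<String> generateToken() {
        return Mono.fromCallable(() -> UUID.randomUUID().toString())
                   .subscribeOn(Schedulers.boundedElastic());
    }

    public static void main(String[] args) {
        // Blocking here only for the demo; in a WebFilter the Mono would be
        // composed into the reactive chain instead of blocked on.
        String token = generateToken().block();
        System.out.println("generated token: " + token);
    }
}
```

The bounded elastic scheduler is sized independently of the CPU count, which is the point of the gh-7522 change: a SecureRandom call that stalls on entropy cannot starve the parallel scheduler's fixed pool.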
Fixed typo in JavaDoc. Actually, in these two cases, we are calling the constructor with a `boolean caseSensitive` which is equal to true. This means case sensitive.
Spring MVC changed their default behavior in https://github.com/spring-projects/spring-framework/issues/23915. This causes failures in some of Spring Security's tests.
This explicitly sets useSuffixPatternMatch=true to ensure that Spring
Security still works if users have modified their defaults.
Closes gh-8493
Improve the documentation to show how to re-use the Opaquetoken properties of `OAuth2ResourceServerProperties` to set up basic auth in the configured `RestTemplate`.
The `io.freefair.aspectj.post-compile-weaving` plugin v5.0.1 includes [a fix](https://github.com/freefair/gradle-plugins/pull/213) that allows all tasks for `./gradlew classes` to be marked as `UP-TO-DATE` following an initial `./gradlew clean classes`. Without this fix, any compile task that is enhanced by the `io.freefair.aspectj.post-compile-weaving` plugin will incorrectly have compilation outputs configured as a _task input_, resulting in the task being out of date following a `clean compile`.
Before this commit, JdbcOAuth2AuthorizedClientService threw DuplicateKeyException when re-authorizing or when authorizing the same user from a different client.
This commit makes JdbcOAuth2AuthorizedClientService's saveAuthorizedClient method consistent with that of InMemoryOAuth2AuthorizedClientService.
Fixes gh-8425
- docs stated that an empty authorityPrefix is allowed but the implementation denied using `""`
- the commit removes the `hasText` limitation but restricts to `notNull`
Fixes gh-8421
When the issuer is set in the provider metadata, we validate the iss field of the ID Token against it.
The OpenID Connect Specification says this must always be validated. But this would be a breaking change for applications configured other than with ClientRegistrations.fromOidcIssuerLocation(issuer). This will be done later with #8326.
Fixes gh-8321