- Support has been added for "RFC7636: Proof Key for Code Exchange by OAuth Public Clients" (PKCE, pronounced "pixy") to mitigate against attacks targeting the interception of the authorization code
- PkceParameterNames was added for the 3 additional parameters used by PKCE (i.e. code_verifier, code_challenge, and code_challenge_method)
- Default code_verifier length has been set to 128 characters--the maximum allowed by RFC7636
- ClientAuthenticationMethod.NONE was added to allow clients to request tokens without providing a client secret
Fixes gh-6446
When we used the oauth2Client directive and requested an endpoint that
required client authorization on the authorization server, the
SPRING_SECURITY_SAVED_REQUEST was not persisted, and therefore after
creating the authorized client we were redirected to the root page ("/").
Now we are storing the session attribute and getting redirected back to
the original URI as expected.
Note that the attribute is stored only when a
ClientAuthorizationRequiredException is thrown in the chain, we dont
want to store it as a response to the
/oauth2/authorization/{registrationId} endpoint, since we would end
up in an infinite loop
Fixes gh-6341
This commit ensures that the JwtDecoderFactory is not a private field inside
the Oidc authentication provider by extracting this class and giving the
possibility to customize the way different providers are validated.
Fixes: gh-6379
Once client credentials access token has expired retrieve a new token from the OAuth2 authorization server.
These tokens can't be refreshed because they do not have a refresh token associated with. This is standard behaviour for Oauth 2 client credentails
Fixes gh-5893
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
This is the reactive counterpart to commit
63f2b6094f59cc9ded6a83ac3def4a1726890a8b .
Fixes gh-6195
The Authorization header was matched for OAuth2
against the "Bearer" keyword in a case sensitive
fashion.
According to RFC 2617, it should be case insensitive
and some oauth clients (including some earlier
versions of spring-security) expect it so.
Added the ability to specify a custom WebClient in
WebClientReactiveClientCredentialsTokenResponseClient.
Also added testing to ensure the custom WebClient is not null and is
used.
Fixes: gh-6051
