= OAuth 2.0 Migrations == Validate `typ` Header with `JwtTypeValidator` If when following the 6.5 preparatory steps you set `validateTypes` to `false`, you can now remove it. You can also remove explicitly adding `JwtTypeValidator` to the list of defaults. For example, change this: [tabs] ====== Java:: + [source,java,role="primary"] ---- @Bean JwtDecoder jwtDecoder() { NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location) .validateTypes(false) <1> // ... your remaining configuration .build(); jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators( new JwtIssuerValidator(location), JwtTypeValidator.jwt())); <2> return jwtDecoder; } ---- Kotlin:: + [source,kotlin,role="secondary"] ---- @Bean fun jwtDecoder(): JwtDecoder { val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location) .validateTypes(false) <1> // ... your remaining configuration .build() jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators( JwtIssuerValidator(location), JwtTypeValidator.jwt())) <2> return jwtDecoder } ---- ====== <1> - Switch off Nimbus verifying the `typ` <2> - Add the default `typ` validator to this: [tabs] ====== Java:: + [source,java,role="primary"] ---- @Bean JwtDecoder jwtDecoder() { NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location) // ... your remaining configuration <1> .build(); jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); <2> return jwtDecoder; } ---- Kotlin:: + [source,kotlin,role="secondary"] ---- @Bean fun jwtDecoder(): JwtDecoder { val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location) // ... your remaining configuration .build() jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)) <2> return jwtDecoder } ---- ====== <1> - `validateTypes` now defaults to `false` <2> - `JwtTypeValidator#jwt` is added by all `createDefaultXXX` methods == Do Not Process `` GET Requests with `Saml2AuthenticationTokenConverter` Spring Security does not support processing `` payloads over GET as this is not supported by the SAML 2.0 spec. To better comply with this, `Saml2AuthenticationTokenConverter`, `OpenSaml4AuthenticationTokenConverter`, and `OpenSaml5AuthenticationTokenConverter` will not process GET requests by default as of Spring Security 8. To prepare for this, the property `shouldConvertGetRequests` is available. To use it, publish your own converter like so: [tabs] ====== Java:: + [source,java,role="primary"] ---- @Bean OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) { OpenSaml5AuthenticationTokenConverter authenticationConverter = new OpenSaml5AuthenticationTokenConverter(registrations); authenticationConverter.setShouldConvertGetRequests(false); return authenticationConverter; } ---- Kotlin:: + [source,kotlin,role="secondary"] ---- @Bean fun authenticationConverter(val registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter { val authenticationConverter = Saml2AuthenticationTokenConverter(registrations) authenticationConverter.setShouldConvertGetRequests(false) return authenticationConverter } ---- ====== If you must continue using `Saml2AuthenticationTokenConverter`, `OpenSaml4AuthenticationTokenConverter`, or `OpenSaml5AuthenticationTokenConverter` to process GET requests, you can call `setShouldConvertGetRequests` to `true.` == Provide an AuthenticationConverter to BearerTokenAuthenticationFilter In Spring Security 7, `BearerTokenAuthenticationFilter#setBearerTokenResolver` and `#setAuthenticaionDetailsSource` are deprecated in favor of configuring those on `BearerTokenAuthenticationConverter`. The `oauth2ResourceServer` DSL addresses most use cases and you need to nothing. If you are setting a `BearerTokenResolver` or `AuthenticationDetailsSource` directly on `BearerTokenAuthenticationFilter` similar to the following: [tabs] ====== Java:: + [source,java,role="primary"] ---- BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager); filter.setBearerTokenResolver(myBearerTokenResolver); filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource); ---- Kotlin:: + [source,kotlin,role="secondary"] ---- val filter = BearerTokenAuthenticationFilter(authenticationManager) filter.setBearerTokenResolver(myBearerTokenResolver) filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource) ---- ====== you are encouraged to use `BearerTokenAuthenticationConverter` to specify both: [tabs] ====== Java:: + [source,java,role="primary"] ---- BearerTokenAuthenticationConverter authenticationConverter = new BearerTokenAuthenticationConverter(); authenticationConverter.setBearerTokenResolver(myBearerTokenResolver); authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource); BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager, authenicationConverter); ---- Kotlin:: + [source,kotlin,role="secondary"] ---- val authenticationConverter = BearerTokenAuthenticationConverter() authenticationConverter.setBearerTokenResolver(myBearerTokenResolver) authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource) val filter = BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter) ---- ======