Move spring.oauth2.* to security.oauth2.*

Unfortunately, we have no other choice to flip the ignoreUnknownFields
attribute of `SecurityProperties` has many different target are now set
for that namespace outside the class. See gh-3445 for a potential way
to improve that.

Closes gh-3327

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/SecurityProperties.java

@@ -31,7 +31,7 @@ import org.springframework.util.StringUtils;
  *
  * @author Dave Syer
  */
-@ConfigurationProperties(prefix = "security", ignoreUnknownFields = false)
+@ConfigurationProperties(prefix = "security")
 public class SecurityProperties implements SecurityPrerequisite {
 
 	/**

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2ClientProperties.java

@@ -27,7 +27,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
  * @author Stephane Nicoll
  * @since 1.3.0
  */
-@ConfigurationProperties("spring.oauth2.client")
+@ConfigurationProperties("security.oauth2.client")
 public class OAuth2ClientProperties {
 
 	/**

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/authserver/OAuth2AuthorizationServerConfiguration.java

@@ -83,7 +83,7 @@ public class OAuth2AuthorizationServerConfiguration extends
 
 		@PostConstruct
 		public void init() {
-			String prefix = "spring.oauth2.client";
+			String prefix = "security.oauth2.client";
 			boolean defaultSecret = this.credentials.isDefaultSecret();
 			logger.info(String.format(
 					"Initialized OAuth2 Client\n\n%s.clientId = %s\n%s.secret = %s\n\n",
@@ -101,7 +101,7 @@ public class OAuth2AuthorizationServerConfiguration extends
 		private OAuth2ClientProperties client;
 
 		@Bean
-		@ConfigurationProperties("spring.oauth2.client")
+		@ConfigurationProperties("security.oauth2.client")
 		public BaseClientDetails oauth2ClientDetails() {
 			BaseClientDetails details = new BaseClientDetails();
 			if (this.client.getClientId() == null) {

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2RestOperationsConfiguration.java

@@ -80,7 +80,7 @@ public class OAuth2RestOperationsConfiguration {
 	protected abstract static class BaseConfiguration {
 
 		@Bean
-		@ConfigurationProperties("spring.oauth2.client")
+		@ConfigurationProperties("security.oauth2.client")
 		@Primary
 		public AuthorizationCodeResourceDetails oauth2RemoteResource() {
 			AuthorizationCodeResourceDetails details = new AuthorizationCodeResourceDetails();
@@ -94,7 +94,7 @@ public class OAuth2RestOperationsConfiguration {
 	protected static class SingletonScopedConfiguration {
 
 		@Bean
-		@ConfigurationProperties("spring.oauth2.client")
+		@ConfigurationProperties("security.oauth2.client")
 		@Primary
 		public ClientCredentialsResourceDetails oauth2RemoteResource() {
 			ClientCredentialsResourceDetails details = new ClientCredentialsResourceDetails();
@@ -167,7 +167,7 @@ public class OAuth2RestOperationsConfiguration {
 	}
 
 	/**
-	 * Condition to check if a {@code spring.oauth2.client.client-id} is specified.
+	 * Condition to check if a {@code security.oauth2.client.client-id} is specified.
 	 */
 	static class OAuth2ClientIdCondition extends SpringBootCondition {
 
@@ -175,10 +175,10 @@ public class OAuth2RestOperationsConfiguration {
 		public ConditionOutcome getMatchOutcome(ConditionContext context,
 				AnnotatedTypeMetadata metadata) {
 			PropertyResolver resolver = new RelaxedPropertyResolver(
-					context.getEnvironment(), "spring.oauth2.client.");
+					context.getEnvironment(), "security.oauth2.client.");
 			String clientId = resolver.getProperty("client-id");
 			return new ConditionOutcome(StringUtils.hasLength(clientId),
-					"Non empty spring.oauth2.client.client-id");
+					"Non empty security.oauth2.client.client-id");
 		}
 
 	}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2SsoProperties.java

@@ -24,7 +24,7 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
  * @author Dave Syer
  * @since 1.3.0
  */
-@ConfigurationProperties("spring.oauth2.sso")
+@ConfigurationProperties("security.oauth2.sso")
 public class OAuth2SsoProperties {
 
 	public static final String DEFAULT_LOGIN_PATH = "/login";

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/OAuth2ResourceServerConfiguration.java

@@ -113,9 +113,9 @@ public class OAuth2ResourceServerConfiguration {
 				AnnotatedTypeMetadata metadata) {
 			Environment environment = context.getEnvironment();
 			RelaxedPropertyResolver resolver = new RelaxedPropertyResolver(environment,
-					"spring.oauth2.resource.");
+					"security.oauth2.resource.");
 			String client = environment
-					.resolvePlaceholders("${spring.oauth2.client.clientId:}");
+					.resolvePlaceholders("${security.oauth2.client.clientId:}");
 			if (StringUtils.hasText(client)) {
 				return ConditionOutcome.match("found client id");
 			}

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerProperties.java

@@ -35,7 +35,7 @@ import com.fasterxml.jackson.annotation.JsonIgnore;
  * @author Dave Syer
  * @since 1.3.0
  */
-@ConfigurationProperties("spring.oauth2.resource")
+@ConfigurationProperties("security.oauth2.resource")
 public class ResourceServerProperties implements Validator, BeanFactoryAware {
 
 	@JsonIgnore

spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfiguration.java

@@ -294,7 +294,7 @@ public class ResourceServerTokenServicesConfiguration {
 				AnnotatedTypeMetadata metadata) {
 			Environment environment = context.getEnvironment();
 			RelaxedPropertyResolver resolver = new RelaxedPropertyResolver(environment,
-					"spring.oauth2.resource.");
+					"security.oauth2.resource.");
 			Boolean preferTokenInfo = resolver.getProperty("prefer-token-info",
 					Boolean.class);
 			if (preferTokenInfo == null) {
@@ -321,7 +321,7 @@ public class ResourceServerTokenServicesConfiguration {
 		public ConditionOutcome getMatchOutcome(ConditionContext context,
 				AnnotatedTypeMetadata metadata) {
 			RelaxedPropertyResolver resolver = new RelaxedPropertyResolver(
-					context.getEnvironment(), "spring.oauth2.resource.jwt.");
+					context.getEnvironment(), "security.oauth2.resource.jwt.");
 			String keyValue = resolver.getProperty("key-value");
 			String keyUri = resolver.getProperty("key-uri");
 			if (StringUtils.hasText(keyValue) || StringUtils.hasText(keyUri)) {

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/OAuth2AutoConfigurationTests.java

@@ -138,8 +138,8 @@ public class OAuth2AutoConfigurationTests {
 	public void testEnvironmentalOverrides() {
 		this.context = new AnnotationConfigEmbeddedWebApplicationContext();
 		EnvironmentTestUtils.addEnvironment(this.context,
-				"spring.oauth2.client.clientId:myclientid",
-				"spring.oauth2.client.clientSecret:mysecret");
+				"security.oauth2.client.clientId:myclientid",
+				"security.oauth2.client.clientSecret:mysecret");
 		this.context.register(AuthorizationAndResourceServerConfiguration.class,
 				MinimalSecureWebApplication.class);
 		this.context.refresh();
@@ -165,7 +165,7 @@ public class OAuth2AutoConfigurationTests {
 		this.context.register(ResourceServerConfiguration.class,
 				MinimalSecureWebApplication.class);
 		EnvironmentTestUtils.addEnvironment(this.context,
-				"spring.oauth2.resource.jwt.keyValue:DEADBEEF");
+				"security.oauth2.resource.jwt.keyValue:DEADBEEF");
 		this.context.refresh();
 		assertThat(countBeans(RESOURCE_SERVER_CONFIG), equalTo(1));
 		assertThat(countBeans(AUTHORIZATION_SERVER_CONFIG), equalTo(0));
@@ -190,7 +190,7 @@ public class OAuth2AutoConfigurationTests {
 	public void testAuthorizationServerOverride() {
 		this.context = new AnnotationConfigEmbeddedWebApplicationContext();
 		EnvironmentTestUtils.addEnvironment(this.context,
-				"spring.oauth2.resourceId:resource-id");
+				"security.oauth2.resourceId:resource-id");
 		this.context.register(AuthorizationAndResourceServerConfiguration.class,
 				CustomAuthorizationServer.class, MinimalSecureWebApplication.class);
 		this.context.refresh();

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/resource/ResourceServerTokenServicesConfigurationTests.java

@@ -82,8 +82,8 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void useRemoteTokenServices() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.tokenInfoUri:http://example.com",
-				"spring.oauth2.resource.clientId=acme");
+				"security.oauth2.resource.tokenInfoUri:http://example.com",
+				"security.oauth2.resource.clientId=acme");
 		this.context = new SpringApplicationBuilder(ResourceConfiguration.class)
 				.environment(this.environment).web(false).run();
 		RemoteTokenServices services = this.context.getBean(RemoteTokenServices.class);
@@ -93,7 +93,7 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void switchToUserInfo() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.userInfoUri:http://example.com");
+				"security.oauth2.resource.userInfoUri:http://example.com");
 		this.context = new SpringApplicationBuilder(ResourceConfiguration.class)
 				.environment(this.environment).web(false).run();
 		UserInfoTokenServices services = this.context
@@ -104,8 +104,8 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void userInfoNoClient() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.client.clientId=acme",
-				"spring.oauth2.resource.userInfoUri:http://example.com",
+				"security.oauth2.client.clientId=acme",
+				"security.oauth2.resource.userInfoUri:http://example.com",
 				"server.port=-1", "debug=true");
 		this.context = new SpringApplicationBuilder(ResourceNoClientConfiguration.class)
 				.environment(this.environment).web(true).run();
@@ -117,9 +117,9 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void preferUserInfo() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.userInfoUri:http://example.com",
-				"spring.oauth2.resource.tokenInfoUri:http://example.com",
-				"spring.oauth2.resource.preferTokenInfo:false");
+				"security.oauth2.resource.userInfoUri:http://example.com",
+				"security.oauth2.resource.tokenInfoUri:http://example.com",
+				"security.oauth2.resource.preferTokenInfo:false");
 		this.context = new SpringApplicationBuilder(ResourceConfiguration.class)
 				.environment(this.environment).web(false).run();
 		UserInfoTokenServices services = this.context
@@ -130,7 +130,7 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void switchToJwt() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.jwt.keyValue=FOOBAR");
+				"security.oauth2.resource.jwt.keyValue=FOOBAR");
 		this.context = new SpringApplicationBuilder(ResourceConfiguration.class)
 				.environment(this.environment).web(false).run();
 		DefaultTokenServices services = this.context.getBean(DefaultTokenServices.class);
@@ -140,7 +140,7 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void asymmetricJwt() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.jwt.keyValue=" + PUBLIC_KEY);
+				"security.oauth2.resource.jwt.keyValue=" + PUBLIC_KEY);
 		this.context = new SpringApplicationBuilder(ResourceConfiguration.class)
 				.environment(this.environment).web(false).run();
 		DefaultTokenServices services = this.context.getBean(DefaultTokenServices.class);
@@ -150,7 +150,7 @@ public class ResourceServerTokenServicesConfigurationTests {
 	@Test
 	public void springSocialUserInfo() {
 		EnvironmentTestUtils.addEnvironment(this.environment,
-				"spring.oauth2.resource.userInfoUri:http://example.com",
+				"security.oauth2.resource.userInfoUri:http://example.com",
 				"spring.social.facebook.app-id=foo",
 				"spring.social.facebook.app-secret=bar");
 		this.context = new SpringApplicationBuilder(SocialResourceConfiguration.class)

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/sso/BasicOAuth2SsoConfigurationTests.java

@@ -48,11 +48,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @RunWith(SpringJUnit4ClassRunner.class)
 @SpringApplicationConfiguration(classes = TestConfiguration.class)
 @WebAppConfiguration
-@TestPropertySource(properties = { "spring.oauth2.client.clientId=client",
-		"spring.oauth2.client.clientSecret=secret",
-		"spring.oauth2.client.authorizationUri=http://example.com/oauth/authorize",
-		"spring.oauth2.client.tokenUri=http://example.com/oauth/token",
-		"spring.oauth2.resource.jwt.keyValue=SSSSHHH" })
+@TestPropertySource(properties = { "security.oauth2.client.clientId=client",
+		"security.oauth2.client.clientSecret=secret",
+		"security.oauth2.client.authorizationUri=http://example.com/oauth/authorize",
+		"security.oauth2.client.tokenUri=http://example.com/oauth/token",
+		"security.oauth2.resource.jwt.keyValue=SSSSHHH" })
 public class BasicOAuth2SsoConfigurationTests {
 
 	@Autowired

spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/sso/CustomOAuth2SsoConfigurationTests.java

@@ -54,11 +54,11 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
 @RunWith(SpringJUnit4ClassRunner.class)
 @SpringApplicationConfiguration(classes = TestConfiguration.class)
 @WebAppConfiguration
-@TestPropertySource(properties = { "spring.oauth2.client.clientId=client",
-		"spring.oauth2.client.clientSecret=secret",
-		"spring.oauth2.client.authorizationUri=http://example.com/oauth/authorize",
-		"spring.oauth2.client.tokenUri=http://example.com/oauth/token",
-		"spring.oauth2.resource.jwt.keyValue=SSSSHHH" })
+@TestPropertySource(properties = { "security.oauth2.client.clientId=client",
+		"security.oauth2.client.clientSecret=secret",
+		"security.oauth2.client.authorizationUri=http://example.com/oauth/authorize",
+		"security.oauth2.client.tokenUri=http://example.com/oauth/token",
+		"security.oauth2.resource.jwt.keyValue=SSSSHHH" })
 public class CustomOAuth2SsoConfigurationTests {
 
 	@Autowired

spring-boot-cli/src/test/java/org/springframework/boot/cli/SampleIntegrationTests.java

@@ -81,9 +81,9 @@ public class SampleIntegrationTests {
 	public void oauth2Sample() throws Exception {
 		String output = this.cli.run("oauth2.groovy");
 		assertTrue("Wrong output: " + output,
-				output.contains("spring.oauth2.client.clientId"));
+				output.contains("security.oauth2.client.clientId"));
 		assertTrue("Wrong output: " + output,
-				output.contains("spring.oauth2.client.secret ="));
+				output.contains("security.oauth2.client.secret ="));
 	}
 
 	@Test

spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc

@@ -271,13 +271,13 @@ content into your application; rather pick only the properties that you need.
 	security.sessions=stateless # always / never / if_required / stateless
 	security.ignored= # Comma-separated list of paths to exclude from the default secured paths
 
-	# OAuth2 client ({sc-spring-boot-autoconfigure}/security/oauth2/OAuth2ClientProperties.{sc-ext}[OAuth2ClientProperties]
-	spring.oauth2.client.client-id= # OAuth2 client id
-    spring.oauth2.client.client-secret= # OAuth2 client secret. A random secret is generated by default
+	# SECURITY OAUTH2 CLIENT ({sc-spring-boot-autoconfigure}/security/oauth2/OAuth2ClientProperties.{sc-ext}[OAuth2ClientProperties]
+	security.oauth2.client.client-id= # OAuth2 client id
+    security.oauth2.client.client-secret= # OAuth2 client secret. A random secret is generated by default
 
-    # OAuth2 SSO ({sc-spring-boot-autoconfigure}/security/oauth2/client/OAuth2SsoProperties.{sc-ext}[OAuth2SsoProperties]
-    spring.oauth2.sso.filter-order= # Filter order to apply if not providing an explicit WebSecurityConfigurerAdapter
-    spring.oauth2.sso.login-path= # Path to the login page, i.e. the one that triggers the redirect to the OAuth2 Authorization Server
+    # SECURITY OAUTH2 SSO ({sc-spring-boot-autoconfigure}/security/oauth2/client/OAuth2SsoProperties.{sc-ext}[OAuth2SsoProperties]
+    security.oauth2.sso.filter-order= # Filter order to apply if not providing an explicit WebSecurityConfigurerAdapter
+    security.oauth2.sso.login-path= # Path to the login page, i.e. the one that triggers the redirect to the OAuth2 Authorization Server
 
 	# DATASOURCE ({sc-spring-boot-autoconfigure}/jdbc/DataSourceAutoConfiguration.{sc-ext}[DataSourceAutoConfiguration] & {sc-spring-boot-autoconfigure}/jdbc/DataSourceProperties.{sc-ext}[DataSourceProperties])
 	spring.datasource.name= # name of the data source

spring-boot-docs/src/main/asciidoc/spring-boot-features.adoc

@@ -1640,8 +1640,8 @@ auto-configuration to make it easy to set up Authorization or Resource Server.
 [[boot-features-security-oauth2-authorization-server]]
 ==== Authorization Server
 To create an Authorization Server and grant access tokens you need to use
-`@EnableAuthorizationServer` and provide `spring.oauth2.client.client-id` and
-`spring.oauth2.client.client-secret]` properties. The client will be registered for you
+`@EnableAuthorizationServer` and provide `security.oauth2.client.client-id` and
+`security.oauth2.client.client-secret]` properties. The client will be registered for you
 in an in-memory repository.
 
 Having done that you will be able to use the client credentials to create an access token,
@@ -1670,21 +1670,21 @@ access tokens. If your appplication is also an Authorization Server it already k
 to decode tokens, so there is nothing else to do. If your app is a standalone service then you
 need to give it some more configuration, one of the following options:
 
-* `spring.oauth2.resource.user-info-uri` to use the `/me` resource (e.g.
+* `security.oauth2.resource.user-info-uri` to use the `/me` resource (e.g.
 `https://uaa.run.pivotal.io/userinfo` on PWS)
 
-* `spring.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g.
+* `security.oauth2.resource.token-info-uri` to use the token decoding endpoint (e.g.
 `https://uaa.run.pivotal.io/check_token` on PWS).
 
 If you specify both the `user-info-uri` and the `token-info-uri` then you can set a flag
 to say that one is preferred over the other (`prefer-token-info=true` is the default).
 
 Alternatively (instead of `user-info-uri` or `token-info-uri`) if the tokens are JWTs you
-can configure a `spring.oauth2.resource.jwt.key-value` to decode them locally (where the
+can configure a `security.oauth2.resource.jwt.key-value` to decode them locally (where the
 key is a verification key). The verification key value is either a symmetric secret or
 PEM-encoded RSA public key. If you don't have the key and it's public you can provide a
 URI where it can be downloaded (as a JSON object with a "`value`" field) with
-`spring.oauth2.resource.jwt.key-uri`. E.g. on PWS:
+`security.oauth2.resource.jwt.key-uri`. E.g. on PWS:
 
 [indent=0]
 ----
@@ -1692,7 +1692,7 @@ URI where it can be downloaded (as a JSON object with a "`value`" field) with
 	{"alg":"SHA256withRSA","value":"-----BEGIN PUBLIC KEY-----\nMIIBI...\n-----END PUBLIC KEY-----\n"}
 ----
 
-WARNING: If you use the `spring.oauth2.resource.jwt.key-uri` the authorization server
+WARNING: If you use the `security.oauth2.resource.jwt.key-uri` the authorization server
 needs to be running when your application starts up. It will log a warning if it can't
 find the key, and tell you what to do to fix it.
 
@@ -1703,7 +1703,7 @@ find the key, and tell you what to do to fix it.
 Google, and certain other 3rd party identity providers, are more strict about the token
 type name that is sent in the headers to the user info endpoint. The default is "`Bearer`"
 which suits most providers and matches the spec, but if you need to change it you can set
-`spring.oauth2.resource.token-type`.
+`security.oauth2.resource.token-type`.
 
 
 
@@ -1727,13 +1727,14 @@ language feature). Example:
 
 [source,yaml,indent=0]
 ----
-	oauth2:
-		resource:
-			jwt:
-				keyValue: |
-					-----BEGIN PUBLIC KEY-----
-					MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC...
-					-----END PUBLIC KEY-----
+	security:
+		oauth2:
+			resource:
+				jwt:
+					keyValue: |
+						-----BEGIN PUBLIC KEY-----
+						MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC...
+						-----END PUBLIC KEY-----
 ----
 ====
 
@@ -1743,21 +1744,21 @@ language feature). Example:
 ==== Client
 To make your webapp into an OAuth2 client you can simply add `@EnableOAuth2Client` and
 Spring Boot will create an `OAuth2RestTemplate` for you to `@Autowire`. It uses the
-`spring.oauth2.client.*` as credentials (the same as you might be using in the
+`security.oauth2.client.*` as credentials (the same as you might be using in the
 Authorization Server), but in addition it will need to know the authorization and token
 URIs in the Authorization Server. For example:
 
 .application.yml
 [source,yaml,indent=0]
 ----
-spring:
-	oauth2:
-		client:
-			clientId: bd1c0a783ccdd1c9b9e4
-			clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
-			accessTokenUri: https://github.com/login/oauth/access_token
-			userAuthorizationUri: https://github.com/login/oauth/authorize
-			clientAuthenticationScheme: form
+	security:
+		oauth2:
+			client:
+				clientId: bd1c0a783ccdd1c9b9e4
+				clientSecret: 1a9030fbca47a5b2c28e92f19050bb77824b5ad1
+				accessTokenUri: https://github.com/login/oauth/access_token
+				userAuthorizationUri: https://github.com/login/oauth/authorize
+				clientAuthenticationScheme: form
 ----
 
 An application with this configuration will redirect to Github for authorization when you
@@ -1767,21 +1768,21 @@ application is running on port 8080 (register your own client app in Github or o
 provider for more flexibility).
 
 To limit the scope that the client asks for when it obtains an access token you can set
-`spring.oauth2.client.scope` (comma separated or an array in YAML). By default the scope
+`security.oauth2.client.scope` (comma separated or an array in YAML). By default the scope
 is empty and it is up to to Authorization Server to decide what the defaults should be,
 usually depending on the settings in the client registration that it holds.
 
-NOTE: There is also a setting for `spring.oauth2.client.client-authentication-scheme`
+NOTE: There is also a setting for `security.oauth2.client.client-authentication-scheme`
 which defaults to "`header`" (but you might need to set it to "`form`" if, like Github for
 instance, your OAuth2 provider doesn't like header authentication). In fact, the
-`spring.oauth2.client.*` properties are bound to an instance of
+`security.oauth2.client.*` properties are bound to an instance of
 `AuthorizationCodeResourceDetails` so all its properties can be specified.
 
 TIP: In a non-web application you can still `@Autowire` an `OAuth2RestOperations` and it
-is still wired into the `spring.oauth2.client.*` configuration. In this case it is a
+is still wired into the `security.oauth2.client.*` configuration. In this case it is a
 "`client credentials token grant`" you will be asking for if you use it (and there is no
 need to use `@EnableOAuth2Client` or `@EnableOAuth2Sso`). To switch it off, just remove
-the `spring.oauth2.client.client-id` from your configuration (or make it the empty
+the `security.oauth2.client.client-id` from your configuration (or make it the empty
 string).
 
 
@@ -1795,12 +1796,12 @@ for a Single Sign On (SSO) protocol based on OAuth2, and Spring Boot makes it ea
 participate by providing an annotation `@EnableOAuth2Sso`. The Github client above can
 protect all its resources and authenticate using the Github `/user/` endpoint, by adding
 that annotation and declaring where to find the endpoint (in addition to the
-`spring.oauth2.client.*` configuration already listed above):
+`security.oauth2.client.*` configuration already listed above):
 
 .application.yml
 [source,yaml,indent=0]]
 ----
-	spring:
+	security:
 		oauth2:
 	...
 		resource:
@@ -1810,7 +1811,7 @@ that annotation and declaring where to find the endpoint (in addition to the
 
 Since all paths are secure by default, there is no "`home`" page that you can show to
 unauthenticated users and invite them to login (by visiting the `/login` path, or the
-path specified by `spring.oauth2.sso.login-path`).
+path specified by `security.oauth2.sso.login-path`).
 
 To customize the access rules or paths to protect, so you can add a "`home`" page for
 instance, `@EnableOAuth2Sso` can be added to a `WebSecurityConfigurerAdapter` and the

spring-boot-samples/spring-boot-sample-secure-oauth2/src/main/resources/application.properties

@@ -1,8 +1,8 @@
 spring.datasource.platform=h2
-spring.oauth2.client.client-id=foo
-spring.oauth2.client.client-secret=bar
 
 security.user.name=greg
 security.user.password=turnquist
+security.oauth2.client.client-id=foo
+security.oauth2.client.client-secret=bar
 
 logging.level.org.springframework.security=DEBUG

spring-boot-samples/spring-boot-sample-web-secure-github/src/main/resources/application.yml

@@ -1,4 +1,4 @@
-spring:
+security:
   oauth2:
     client:
       clientId: bd1c0a783ccdd1c9b9e4