1479 Commits

Author	SHA1	Message	Date
Joe Grandja	098574c50e	Remove redundant classes ... Issue gh-17880	2025-09-12 16:20:43 -04:00
Joe Grandja	cc71be71e5	Move OAuth2AuthorizationServerConfigurer and OAuth2AuthorizationServerConfiguration ... Issue gh-17880	2025-09-12 16:20:42 -04:00
Joe Grandja	b5a4cdc9eb	Polish OAuth2AuthorizationServerJackson2Module ... Issue gh-17880	2025-09-12 16:20:41 -04:00
Joe Grandja	592510c725	Update to @since 7.0 ... Issue gh-17880	2025-09-12 16:20:41 -04:00
Joe Grandja	e5dc46270a	Fix checkstyle ... Issue gh-17880	2025-09-12 16:20:39 -04:00
Joe Grandja	6484d1ae25	Update copyright headers to 2004-present ... The Spring portfolio is changing to use <inception-year>-present in the copyright headers to simplify keeping headers up to date. This commit updates the copyright headers. The copyright headers were updated using the following find/replace: Find: (Copyright \d{4})\s*(\-\d{4})? the original author or authors. Replace: Copyright 2004-present the original author or authors. Issue gh-17880	2025-09-12 16:20:39 -04:00
Joe Grandja	a620113264	Add test dependencies ... Issue gh-17880	2025-09-12 16:20:38 -04:00
Joe Grandja	1ff1d88866	Manual move of spring-projects/spring-authorization-server src/test ... Issue gh-17880	2025-09-12 16:20:38 -04:00
Joe Grandja	072f413dd7	Update copyright headers to 2004-present ... The Spring portfolio is changing to use <inception-year>-present in the copyright headers to simplify keeping headers up to date. This commit updates the copyright headers. The copyright headers were updated using the following find/replace: Find: (Copyright \d{4})\s*(\-\d{4})? the original author or authors. Replace: Copyright 2004-present the original author or authors. Issue gh-17880	2025-09-12 16:20:37 -04:00
Joe Grandja	327996c964	Add spring-security-oauth2-authorization-server.gradle ... Issue gh-17880	2025-09-12 16:20:36 -04:00
Joe Grandja	745e2153ed	Manual move of spring-projects/spring-authorization-server src/main ... Issue gh-17880	2025-09-12 16:20:36 -04:00
Rob Winch	093e930c32	Merge branch '6.5.x'	2025-09-10 12:00:31 -05:00
Rob Winch	ab634d1099	Merge branch '6.4.x' into 6.5.x	2025-09-10 11:58:55 -05:00
Rob Winch	a79a2b031a	Remove MockWebServer from JwtIssuerAuthenticationManagerResolverTests ... This prevents timeouts on GitHub Windows runners due to overtaxed systems. Closes gh-17869	2025-09-10 11:56:07 -05:00
Josh Cummings	ed344ece70	Use Fixed Clock ... This commit stabilizes time-sensitive tests that verify the behavior of DPoP iat validation. Issue gh-14915	2025-09-09 16:22:07 -06:00
Josh Cummings	69ee8d9aec	Polish OAuth 2.0 Authentication Builders ... Issue gh-17861	2025-09-09 14:59:14 -06:00
Josh Cummings	dd50dc0c40	Remove Generic Typing From Authentication.Builder ... It would be better to introduce parameter types for principal and credentials into Authentication.Builder at the same time as doing so for Authentication Issue gh-17861	2025-09-09 14:49:13 -06:00
Josh Cummings	a0fe6a5fee	Polish Builders ... - Added remaining properties - Removed apply method since Spring Security isn't using it right now - Made builders extensible since the authentications are extensible Issue gh-17861	2025-09-09 14:49:13 -06:00
Josh Cummings	a201a2b862	Add Authentication.Builder ... This commit adds a new default method to Authentication for the purposes of creating a Builder based on the current authentication, allowing other authentications to be applied to it as a composite. It also adds Builders for each one of the authentication result classes. Issue gh-17861	2025-09-09 14:49:13 -06:00
Josh Cummings	c64b086878	Add SecurityAssertions ... This commit introduces a simple, internal test API for verifying aspects of an Authentication, like its name and authorities. Closes gh-17844	2025-09-03 17:53:42 -06:00
Fridolin Jackstadt	910df479be	Provider Default Timeouts For JWK Retrieval ... Issue gh-14269 Signed-off-by: Fridolin Jackstadt <fridolin.jackstadt@unic.com>	2025-09-02 08:51:10 -06:00
Andrey Litvitski	3278f3a410	Add discoverJwsAlgorithms() in NimbusJwtDecoder ... Closes: gh-17785 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>	2025-08-26 17:07:47 -06:00
chanbinme	08fa272749	Remove authoritiesClaimName Field ... This commit simplfies the logic in JwtGrantedAuthoritiesConverter to no longer need the authoritiesClaimName field. Signed-off-by: chanbinme <gksmfcksqls@gmail.com>	2025-08-13 10:57:15 -06:00
Josh Cummings	eeb383ac46	Fix Checkstyle ... Issue gh-17623	2025-08-07 14:32:18 -06:00
Josh Cummings	6d1a886f92	Deprecate SERIAL_VERSION_UID ... Closes gh-17623	2025-08-07 11:09:35 -06:00
Rob Winch	f6cb0bd610	Merge Use 2004-present Copyright Header ... The original merge into main did not apply the changes. This fixes it. Closes gh-17635	2025-07-29 10:52:42 -05:00
Rob Winch	2fdca16c1a	Merge branch '6.4.x' into 6.5.x ... Closes gh-17634	2025-07-29 09:47:52 -05:00
Rob Winch	392129b616	Use 2004-present Copyright Header ... The Spring portfolio is changing to use <inception-year>-present in the copyright headers to simplify keeping headers up to date. This commit updates the headers and the checkstyle accordingly. The commit updated etc/checkstyle/header.txt It also updated the copyright headers using the following find/replace: Find: (Copyright \d{4})\s*(\-\d{4})? the original author or authors. Replace: Copyright 2004-present the original author or authors. Closes gh-17633	2025-07-29 09:45:23 -05:00
Rob Winch	bf877a9864	Add OAuth2User to OidcUser Conversion Params ... Previously the Oidc(Reactive)OAuth2UserService APIs allowed a strategy for converting to the OidcUser with the OidcUserRequest and OidcUserInfo. The input should also include the OAuth2User to make it simple to use the OAuth2User as a part of the conversion. This commit introduces OidcUserSource as a POJO containing OidcUserRequest, OidcUserInfo, and OAuth2User. It then updates the OidcUser conversion strategy in OidcUserService and OidcReactiveOAuth2UserService to accept OidcUserSource as the source for the Converter used to create OidUser. Closes gh-17626	2025-07-25 09:09:24 -05:00
Joe Grandja	b8796d84b7	Fix tests in ClientRegistrationsTests ... Issue gh-17542	2025-07-17 09:52:55 -04:00
Josh Cummings	571b6fe4a8	Fix Formatting ... Issue gh-16858	2025-07-09 14:05:41 -06:00
Josh Cummings	9dea1c2eb5	Update to Latest HttpRequestValues Contract ... Issue gh-16858	2025-07-09 13:47:06 -06:00
Tran Ngoc Nhan	6dc77bd98b	Update JwtIssuerAuthenticationManagerResolver constructor javadoc ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-07-07 11:37:52 -06:00
Tran Ngoc Nhan	21036c94b4	Remove Nimbus(Reactive)OpaqueTokenIntrospector ... Closes gh-17302 Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-07-03 15:41:57 -06:00
Josh Cummings	919ae1d636	Use PathPatternRequestMatcher in oauth2 ... Issue gh-16887	2025-07-03 13:37:49 -06:00
Josh Cummings	98686a5139	Standardize Mock Request Paths ... Closes gh-17449	2025-07-03 13:37:47 -06:00
Soumik Sarker	06bd81b1da	Removed deprecated class BearerTokenAuthenticationFilter ... Closes gh-17309 Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>	2025-07-03 12:44:06 -06:00
Soumik Sarker	526f8a6200	Removed deprecated class BearerTokenAuthenticationToken ... Issue gh-17309 Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com>	2025-07-03 12:44:06 -06:00
Joe Grandja	e869bcdfa3	Remove deprecated implementations of OAuth2AccessTokenResponseClient ... Closes gh-16909	2025-07-03 14:23:23 -04:00
Joe Grandja	cfe38957d7	Remove Resource Owner Password Credentials grant ... Closes gh-17446	2025-07-03 14:23:23 -04:00
Rob Winch	e37424c637	Fix cycle in DefaultOAuth2AuthorizationRequestResolver ... DefaultOAuth2AuthorizationRequestResolver should not depend on OAuth2AuthorizationRequestRedirectFilter because OAuth2AuthorizationRequestRedirectFilter already depends on DefaultOAuth2AuthorizationRequestResolver. OAuth2AuthorizationRequestRedirectFilter also takes advantage of the new constructor that defaults the base uri. Polishes gh-16384	2025-06-27 15:49:28 -05:00
DingHao	7587048f95	Add default authorizationRequestBaseUri to DefaultOAuth2AuthorizationRequestResolver ... Closes gh-16383 Signed-off-by: DingHao <dh.hiekn@gmail.com>	2025-06-27 15:49:28 -05:00
Tran Ngoc Nhan	a74ce06dae	Remove JwtIssuer(Reactive)AuthenticationManagerResolver deprecations ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-06-24 12:33:00 -06:00
Josh Cummings	676b44ebb0	Polish NimbusJwtEncoder Builders ... - Simplify withKeyPair methods to match withPublicKey convention in NimbusJwtDecoder - Update tests to confirm support of other algorithms - Update constructor to apply additional JWK properties to the default header - Deduce the possibly algorithms for a given key based on curve and key size - Remove algorithm method from EC builder since the algorithm is determined by the Curve of the EC Key Issue gh-16267 Co-Authored-By: Suraj Bhadrike <surajbh2233@gmail.com>	2025-06-17 16:47:39 -06:00
Suraj Bhadrike	ee09215f89	Add NimbusJwtEncoder Builders ... Closes gh-16267 Signed-off-by: Suraj Bhadrike <surajbh2233@gmail.com>	2025-06-17 16:47:39 -06:00
Rob Winch	18010f9914	Fix JwtAuthenticationProvider Checkstyle ... Issue gh-17251	2025-06-17 13:32:43 -05:00
chanbinme	9cf5638914	Add null check for authentication token in JwtAuthenticationProvider ... Add Assert.notNull validation to ensure the authentication token returned by jwtAuthenticationConverter is not null, preventing potential NullPointerException in subsequent operations. Signed-off-by: chanbinme <gksmfcksqls@gmail.com>	2025-06-17 13:32:43 -05:00
Rob Winch	b2325e4176	Add OAuth Support for HTTP Interface Client ... Closes gh-16858	2025-06-17 09:53:51 -05:00
Josh Cummings	eaab42a73c	Polish BearerTokenAuthenticationConverter Support ... - Moved to BearerTokenAuthenticationFilter constructor to align with AuthenticationFilter - Undeprecated BearerTokenResolver to reduce number of migration scenarios - Updated to 7.0 schema - Added migration docs Issue gh-14750	2025-06-04 18:17:17 -06:00
Max Batischev	30577bd291	Add Additional Tests To BearerTokenAuthenticationFilterTests ... Issue gh-14750 Signed-off-by: Max Batischev <mblancer@mail.ru>	2025-06-04 18:17:17 -06:00
Max Batischev	4967f3feee	Add Support BearerTokenAuthenticationConverter ... Closes gh-14750 Signed-off-by: Max Batischev <mblancer@mail.ru>	2025-06-04 18:17:17 -06:00
Josh Cummings	d52e0b6a05	Polish NimbusJwtDecoder ... - Aligned JwkSourceJwtDecoderBuilder's relative position with its corresponding static factory - Added @since to JwkSourceJwtDecoderBuilder PR gh-17046	2025-06-02 15:53:59 -06:00
Mark Bonnekessel	ada75e76a6	Add builder to create NimbusJwtDecoder with JwkSource ... Signed-off-by: Mark Bonnekessel <2949525+marbon87@users.noreply.github.com>	2025-06-02 13:33:39 -06:00
Pat McCusker	5517d8fe3a	Deprecate the X5T JOSE Header name ... Closes gh-16979 Signed-off-by: Pat McCusker <patmccusker14@gmail.com>	2025-05-30 06:45:02 -06:00
Josh Cummings	6d3b54df21	Change Type Validation Default ... NimbusJwtDecoder and NimbusReactiveJwtDecoder now use Spring Security's JwtTypeValidator by default instead of Nimbus's type validator. Closes gh-17181	2025-05-28 16:11:13 -06:00
Maximilian Klose	ec05e65668	Add Equals and HashCode methods for better comparison. ... Closes gh-16394 Signed-off-by: Maximilian Klose <maximilian.klose@adesso.de>	2025-05-27 13:53:07 -06:00
Ferenc Kemeny	bf05b8b430	Support Requiring exp and nbf in JwtTimestampsValidator ... Closes gh-17004 Signed-off-by: Ferenc Kemeny <ferenc.kemeny79+oss@gmail.com>	2025-05-27 12:22:25 -06:00
Ferenc Kemeny	91b21663db	Polish JwtTimestampValidatorTests ... This commit corrects the test that checks for both nbf and exp missing. It also adds one for just exp and on for just nbf. Issue gh-17004 Signed-off-by: Ferenc Kemeny <ferenc.kemeny79+oss@gmail.com>	2025-05-27 12:22:25 -06:00
Joe Grandja	a8edcca961	Merge branch '6.5.x'	2025-05-14 05:36:04 -04:00
Joe Grandja	5f7155bfc7	Implement internal cache in JtiClaimValidator ... Closes gh-17107	2025-05-14 05:21:00 -04:00
Joe Grandja	44303d2c80	Polish gh-17080	2025-05-13 14:36:44 -04:00
David Kowis	462e38c0e3	Fix DPoP jkt claim to be JWK SHA-256 thumbprint ... Just used the nimbus JOSE library to do it, because it already has a compliant implementation. Closes gh-17080 Signed-off-by: David Kowis <david@kow.is>	2025-05-13 14:36:44 -04:00
Joe Grandja	a265ac6ae7	Polish gh-17080	2025-05-13 14:35:23 -04:00
David Kowis	2090f44f74	Fix DPoP jkt claim to be JWK SHA-256 thumbprint ... Just used the nimbus JOSE library to do it, because it already has a compliant implementation. Closes gh-17080 Signed-off-by: David Kowis <david@kow.is>	2025-05-13 14:35:23 -04:00
Joe Grandja	ba7be9c8b9	Merge branch '6.5.x'	2025-05-09 16:14:34 -04:00
Joe Grandja	e3c39f02bc	Add documentation for DPoP support ... Closes gh-17072	2025-05-09 16:02:14 -04:00
Tran Ngoc Nhan	48eb243012	Update javadoc ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-05-07 14:59:14 -05:00
Tran Ngoc Nhan	1e4dd713c5	Remove APPLICATION_JSON_UTF8 usage ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-05-07 14:59:14 -05:00
Rob Winch	b453840c0a	HttpHeaders no longer a MultiValueMap ... Closes gh-17060	2025-05-06 13:27:13 -05:00
Rob Winch	2dbf3a2d18	WebClient.exchange->exchangeToMono ... Closes gh-17057	2025-05-06 13:26:16 -05:00
Rob Winch	5704582c52	ResponseErrorHandler.handleError(URI, HttpMethod,ClientHttpResponse) ... Closes gh-17056	2025-05-06 13:26:16 -05:00
Rob Winch	11105a5c51	UriComponentsBuilder.fromHttpUrl->fromUriString ... The fromHttpUrl method is deprecated and replaced with fromUriString Closes gh-	2025-05-06 13:26:15 -05:00
Rob Winch	cb0fdef236	Remove MediaType.APPLICATION_JSON_UTF ... Closes gh-17050	2025-05-06 13:26:14 -05:00
hammadirshad	1a4602c8c3	Add mapping for DPoP in DefaultMapOAuth2AccessTokenResponseConverter ... Closes gh-16806 Signed-off-by: muha <muha@kreftregisteret.no>	2025-04-30 10:09:41 -04:00
Josh Cummings	804d79d96a	Merge branch '6.4.x'	2025-04-29 14:27:47 -06:00
Josh Cummings	a4126aa27d	Merge branch '6.3.x' into 6.4.x	2025-04-29 14:27:40 -06:00
Josh Cummings	f631a0fcd5	Polish ClientRegistrationsTests ... Simplified the assertion so that it is focused on the core behavior being verified. This will likely also make the test more stable when updating Spring Framework versions. Issue gh-16860	2025-04-29 14:27:04 -06:00
Josh Cummings	fe6ddd0c8f	Merge branch '6.4.x'	2025-04-29 14:26:44 -06:00
Josh Cummings	656ad72608	Merge branch '6.3.x' into 6.4.x ... Closes gh-17016	2025-04-29 14:22:52 -06:00
Evgeniy Cheban	0e84f31a00	Add ClientRegistration's RestClient failed attempts information to exception message ... Closes gh-16860 Signed-off-by: Evgeniy Cheban <mister.cheban@gmail.com>	2025-04-29 13:43:20 -06:00
Josh Cummings	eecd7d9559	Update Deprecated Reactor Usage	2025-04-23 12:11:08 -06:00
Josh Cummings	834370d8eb	Update Deprecated Spring Web Usage	2025-04-23 11:29:19 -06:00
Joe Grandja	19090e7873	Add request_uri in OAuth2ParameterNames ... Closes gh-16947	2025-04-16 10:23:10 -04:00
Joe Grandja	791feee355	Prevent downgraded usage of DPoP-bound access tokens ... Issue gh-16574 Closes gh-16937	2025-04-14 15:54:41 -04:00
Joe Grandja	1ca33cae70	Make DPoP IatClaimValidator public to allow configuring clock and clockSkew ... Issue gh-16574 Closes gh-16921	2025-04-10 16:04:37 -04:00
Risto Virtanen	47e1fc045f	Formatted ... Signed-off-by: Risto Virtanen <818702+mapsu@users.noreply.github.com>	2025-04-09 17:09:54 -06:00
Risto Virtanen	1db557e395	Replace ClientRegistrationMixinTests with StdConvertersTest ... Signed-off-by: Risto Virtanen <818702+mapsu@users.noreply.github.com>	2025-04-09 17:09:54 -06:00
Risto Virtanen	368fe2e7a0	Add missing ClientAuthenticationMethods to jackson2 converter ... Closes gh-16825 Signed-off-by: Risto Virtanen <818702+mapsu@users.noreply.github.com>	2025-04-09 17:09:54 -06:00
Steve Riesenberg	9d442c13de	Mark password grant for removal ... This commit also updates link to the document "Best Current Practice for OAuth 2.0 Security" to point to RFC 9700. Closes gh-16913	2025-04-09 11:15:09 -05:00
Steve Riesenberg	197ee38aa0	Mark deprecated response clients for removal ... Issue gh-16913	2025-04-09 11:15:06 -05:00
Tran Ngoc Nhan	d864e51ff6	Format OpaqueTokenIntrospector ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-04-08 13:56:54 -05:00
Tran Ngoc Nhan	d899bc5240	Polish javadoc ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-04-08 13:56:54 -05:00
Steve Riesenberg	1fb3fc80f9	Polish gh-15819 ... Closes gh-15818	2025-04-07 10:57:49 -05:00
Jonah Klöckner	9674532f4d	Add support for access token in body parameter as per rfc 6750 Sec. 2.2 ... Issue gh-15818	2025-04-07 10:57:49 -05:00
Steve Riesenberg	03e090c2d7	Merge branch '6.4.x' ... Closes gh-16902	2025-04-07 10:57:12 -05:00
Steve Riesenberg	db34de59bc	Merge branch '6.3.x' into 6.4.x ... Closes gh-16901	2025-04-07 10:55:51 -05:00
Steve Riesenberg	3c0fef59b5	Polish gh-16039 ... Closes gh-16038	2025-04-07 10:54:09 -05:00
Jonah Klöckner	da94fbe431	Evaluate URI query parameter only if enabled ... Issue gh-16038	2025-04-07 10:54:07 -05:00
Josh Cummings	2885b0f75f	Add valueOf ... This commit adds a static factory for returning a constant ClientAuthenticationMethod or creating a new one when there is no match. Issue gh-16825	2025-04-02 11:16:30 -06:00
Tran Ngoc Nhan	7bca17cb5a	Polish ... Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>	2025-03-26 17:02:06 -06:00