Spring Security
**Describe the bug** Hi team ❤ , I'm trying to set the `SecurityContextRepository` configured by the `oauth2Login()` DSL and it fails with:

```
Caused by: java.lang.NullPointerException: Cannot invoke "org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.setSecurityContextRepository(org.springframework.security.web.context.SecurityContextRepository)" because...
```
OidcIdTokenDecoderFactory caching of ClientRegistration fails to decode tokens if clientId changes
**Describe the bug** OidcIdTokenDecoderFactory caches JwtDecoder instances on ClientRegistration.getRegistrationId(). The cached instance holds a reference to the ClientRegistration. If a new ClientRegistration is created with a different clientId but the...
The following classes are deprecated in Spring Security 6.4+.

- [DefaultAuthorizationCodeTokenResponseClient](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/endpoint/DefaultAuthorizationCodeTokenResponseClient.html)
- [DefaultRefreshTokenTokenResponseClient](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/endpoint/DefaultRefreshTokenTokenResponseClient.html)
- [DefaultClientCredentialsTokenResponseClient](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/endpoint/DefaultClientCredentialsTokenResponseClient.html)
- [DefaultJwtBearerTokenResponseClient](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/endpoint/DefaultJwtBearerTokenResponseClient.html)
- [DefaultTokenExchangeTokenResponseClient](https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/endpoint/DefaultTokenExchangeTokenResponseClient.html)

The docs at [Spring Security OAuth2](https://docs.spring.io/spring-security/reference/servlet/oauth2/index.html) should be changed to refer...
**Description** It is currently possible to create a `NimbusJwtEncoder` using an `ImmutableJWKSet` that contains an Ed25519 key (via `OctetKeyPair`), but it is not possible to use that encoder to generate...
Currently, OAuth2 client registration requires a redirect URI, and omitting it throws an exception during application startup. However, in most cases, users would use the standard pattern `{baseUrl}/login/oauth2/code/{registrationId}`. Closes gh-16377...
gh-17131 Make X509CertificateThumbprintValidator a public and non-final class. With the current `package` visibility and `final` class, it is not usable with `JwtValidators#createDefaultWithValidators`. `JwtValidators#createDefaultWithValidators` is as follows, as of v6.4.6: ...
When OAuth2 login is enabled, the remember-me parameter (i.e. when it's not set to always remember) will not be honored, because the original request (to `/oauth2/authorization/`) is different from the actual...
**Expected Behavior** OIDC backchannel logout should be configured easily using XML security configuration by Spring namespaces (if possible without the "Spring reactive stack") same way as it is supported by...
**Expected Behavior** when this is used:

```java
@Bean
SecurityFilterChain configure(HttpSecurity http, AuthorizationManager authz) throws Exception {
    http.oauth2ResourceServer(c -> c.jwt(Customizer.withDefaults()));
```

and an invalid JWT is used to access any Rest...
**Expected Behavior** As I understand `AuthenticationManager` is meant to be the main entity to manage core authentication process, i.e. to provide an `Authentication` object. I would expect that in particular,...