
Spring Security

Results 621 spring-security issues

**Expected Behavior** We would like to be able to use DPoP authentication with WebFlux. **Current Behavior** There is no implementation for DPoP authentication for WebFlux. **Context** Feature request: We would...

type: enhancement
in: oauth2

**Expected Behavior** I want to add support for the `offline_access` scope as described in the [openid-connect rfc](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess). When the `offline_access` scope is requested, then a refresh token is issued. **Current...

type: enhancement
in: oauth2

As detailed in [RFC 7522](https://datatracker.ietf.org/doc/html/rfc7522). It would be nice for institutions needing to formulate a bridge between SAML 2.0 authentication and OAuth 2.0 authorization.

type: enhancement
in: oauth2

**Expected Behavior** Support [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html). If the OpenID Provider supports OpenID Connect Discovery 1.0, it uses this metadata value to advertise its support for back-channel logout: **backchannel_logout_supported**...

type: enhancement
in: oauth2

`OidcBackChannelLogoutAuthenticationProvider` and related classes are protected final and don't accept custom classes because of the `instanceof` checks in the next phases. The main issue is that I'm using Keycloak, and when a back...

status: waiting-for-triage
type: bug

This feature will deliver [OpenID Connect Session Management 1.0](https://openid.net/specs/openid-connect-session-1_0.html).

type: enhancement
in: oauth2

**[OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)** support. Form Post Response Mode (aka `response_mode=form_post`) has a considerably big impact on authorization server implementations. It is recommended that the feature be designed...

type: enhancement
in: oauth2

**Request Object** defined in [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) [Section 6](https://openid.net/specs/openid-connect-core-1_0.html#JWTRequests) or **JAR** ([JWT Secured Authorization Request](https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/)) support. Because Request Object (or JAR) has a considerably big impact on authorization server...

type: enhancement
in: oauth2

As per section [3.2.3.1. Error Response](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-3.2.3.1): > "invalid_client": Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401...

type: bug
in: oauth2

In an authorization_code flow, sometimes the access_token we receive from the /token endpoint on node1 is not accepted by the /userinfo endpoint on node2. We are using a distributed cache...

type: enhancement
in: oauth2