spring-security
Spring Security
Also, an unused argument was removed from `JdbcUserDetailsManager#createNewAuthentication` that was not used and would break the build of the current change. Closes: gh-18257
**Description:** When a customized Authentication with some additional fields is used along with spring-session-jdbc and implicit session saving, then if one of the fields of that Authentication was updated, SecurityContext is...
**Expected Behavior** There is a new IETF specification for [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/) which has already been approved by the IESG and will be...
**Expected Behavior** Similar to [OAuth2ClientCredentialsAuthenticationValidator](https://docs.spring.io/spring-authorization-server/docs/current/api/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationValidator.html) there should be a validator for Refresh token grant **Current Behavior** Currently there is no support for validating the request parameters for the RefreshToken grant....
Spin off of https://github.com/spring-projects/spring-authorization-server/issues/1454 **Expected Behavior** As discussed in spring-projects/spring-authorization-server#1454, there is no clean way to disable the endpoints (including removing the filters, etc) we don't want. In our case,...
**Expected Behavior** According to [A comprehensive formal security analysis of OAuth 2.0](https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/), a 303 redirect should be used to drop the body of an HTTP POST request. **Current Behavior** DefaultRedirectStrategy in...
Currently the methods in `org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2EndpointUtils` are all package private, and your provided `AuthenticationConverters` make good use of them. So when creating a custom AuthenticationConverter if I want to get the...
**Expected Behavior** The `AbstractRestClientOAuth2AccessTokenResponseClient` class contains five different properties in its internal state:
- `restClient`
- `requestEntityConverter`
- `headersConverter`
- `parametersConverter`
- `parametersCustomizer`

I expect it would be possible to...
In general, OAuth2 Clients can be configured with special settings in an OAuth2 Authorization Provider. One such option is PKCE, which Spring Security supports as a client setting thanks to...
The _[Updates to OAuth 2.0 JSON Web Token (JWT) Client Authentication and Assertion-Based Authorization Grants](https://datatracker.ietf.org/doc/draft-ietf-oauth-rfc7523bis/)_ (RFC7523bis) updated the recommendations for "audience values in OAuth 2.0 Client Assertion Authentication and Assertion-based...