Lucian H

https://github.com/symposion/spring-test (The master branch) I've created an immutable @ConfigurationProperties class that I have no intention of mutating, I'm not explicitly refreshsing /rebinding anything, and the app fails to startup because...

Yeah, so I think to do this nicely you probably would want isSet methods and then have the toImmutable method use those to ignore properties that weren't set explicitly when...

@jgrandja You've closed my ticket [#1873](https://github.com/spring-projects/spring-authorization-server/issues/1873) as a duplicate of this one, but this ticket is a low-priority enhancement. I'd like to argue that the current behaviour is a bug...

@jgrandja I'd be happy to have a stab at implementing this, it doesn't seem especially complicated. Before I do, I'd like to understand why this behaviour was changed from the...

> To be clear, the `WWW-Authenticate` response header should only be returned when the `client_secret_basic` authentication method is used. I remain concerned that this isn't correct. Regardless of what the...

> > If there are other client authentication methods, other than `client_secret_basic`, that require the `WWW-Authenticate` response header, then please provide a reference to the spec so I can review...

@jgrandja I guess where I'm not quite on the same page yet is that I don't see the OAuth2 spec contradicting anything in the HTTP spec. The only thing the...

As concerns the response in the case of invalid alternative authentication methods: ok fine; I'm still not entirely convinced this is the intention of the specs, but you're the maintainer...

I'd also like to add that this is a behaviour change vs the old authorization server config in previous versions of Spring Security. I understand that Spring Authorization Server is...

@jgrandja Unfortunately this is not entirely under our control. We provide a large online service with many APIs, and we have customers that integrate with those. For our own work,...