With the 6.4 release, a new set of `OAuth2AccessTokenResponseClient` implementations were introduced based on `RestClient`. These are:

- `RestClientAuthorizationCodeTokenResponseClient`
- `RestClientRefreshTokenTokenResponseClient`
- `RestClientClientCredentialsTokenResponseClient`
- `RestClientJwtBearerTokenResponseClient`
- `RestClientTokenExchangeTokenResponseClient`

These implementations are drop-in replacements for the `RestOperations`-based implementations, which have been deprecated. These are:

- `DefaultAuthorizationCodeTokenResponseClient`
- `DefaultRefreshTokenTokenResponseClient`
- `DefaultClientCredentialsTokenResponseClient`
- `DefaultPasswordTokenResponseClient`
- `DefaultJwtBearerTokenResponseClient`
- `DefaultTokenExchangeTokenResponseClient`

Note that `DefaultPasswordTokenResponseClient` does not have a replacement, as it is deprecated for removal for separate reasons (it should not be used according to RFC 9700).
The following checklist should be used to help validate removal:

- [ ] Remove the `Default*` deprecated classes above and replace usages in the framework with the `RestClient*` implementations
- [ ] Remove `AbstractOAuth2AuthorizationGrantRequestEntityConverter` and all deprecated subclasses and their usages
- [ ] `ClientAuthenticationMethodValidatingRequestEntityConverter` should also be removed
- [ ] All related tests; note that tests in spring-security-config should remain mostly unchanged, though some may need to be updated to customize `RestClient` instead of `RestTemplate`
Related gh-15298
Comment From: MammosGeorgios
Hi! Could I give this a try?
If I understand correctly, we want to replace any usages of `Default*` with `RestClient*`, like the following change.

~~`DefaultPasswordTokenResponseClient` seems to be used only in Deprecated methods, so I assume that we leave those as they are.~~

Edit: If we are deleting all `Default*` classes, then the previous sentence makes sense, as we want to remove those Deprecated methods.
Comment From: sjohnr
Hi @MammosGeorgios. I'm mainly filing this issue now so we have it on the radar in time to begin the cycle on 7.0.x in May or June (whenever we switch over to 7.x development). So this issue isn't quite ready to be worked yet. If you want to check in a few weeks after the GA release of 6.5.0 that would be great!
Please note, I've edited the issue to be clearer about the fact that all associated deprecated classes should also be removed.
Comment From: MammosGeorgios
Hello @sjohnr. I will check in periodically and keep an eye out for when you start the development of 7.x. I've been meaning to give open source a proper try for some time now, and this seems like a relatively simple issue to get started with.
In the meantime, I will check out if there's something else I could perhaps try.
Comment From: sjohnr
Sounds good @MammosGeorgios. You can also check the `status: ideal-for-contribution` label and reach out on an issue you find there.
Comment From: gdufrene
How to implement client_secret_jwt and private_key_jwt with those new classes? `AbstractRestClientOAuth2AccessTokenResponseClient` restricts usage to none, client_secret_basic or client_secret_post. And it's not easy to override the check because `requestEntityConverter` is private and cannot be set.

Documentation suggests using `DefaultClientCredentialsTokenResponseClient` and overriding the request converter ...
Comment From: sjohnr
@gdufrene thanks for pointing that out. I have neglected to update that section of the documentation. I have opened gh-16925 to address this.
In the meantime, see Customizing Request Headers and Customizing Request Parameters for the client credentials grant.
TL;DR You can use the same methods for customizing directly on `RestClientClientCredentialsTokenResponseClient` that you previously used for `OAuth2ClientCredentialsGrantRequestEntityConverter`.
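As an added illustration of both the migration the issue describes (swapping a deprecated `Default*` client for its `RestClient*` counterpart) and the customization route sjohnr points to above, here is a configuration that moves a client-credentials token response client to `RestClientClientCredentialsTokenResponseClient` and applies header and parameter customizations directly on it. This is example code written for this thread, not code from the Spring Security project or from any participant. It assumes Spring Security 6.4 or later on the classpath; the header name, the `audience` value and the bean name are placeholders. The JWT client-authentication converter it adds is the one Spring Security's reference documentation describes for `client_secret_jwt`; whether the client-authentication check gdufrene mentions accepts it in a given 6.4.x release is not settled on this page, so treat that part as the documented approach rather than a confirmed answer.

```java
// Added example (not from the Spring Security project or this issue): migrate a
// client-credentials token response client from the deprecated Default* class to the
// RestClient-based one and apply header/parameter customizations directly on it.
// Assumes Spring Security 6.4+; header names, parameter values and bean names are placeholders.
import java.nio.charset.StandardCharsets;
import java.util.UUID;

import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

@Configuration
public class TokenResponseClientConfig {

    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient() {
        // Before (deprecated in 6.4): customizations lived on the request entity converter.
        //   DefaultClientCredentialsTokenResponseClient client = new DefaultClientCredentialsTokenResponseClient();
        //   client.setRequestEntityConverter(customConverter); // OAuth2ClientCredentialsGrantRequestEntityConverter
        // After: same grant, RestClient-based, customized directly on the client.
        RestClientClientCredentialsTokenResponseClient client = new RestClientClientCredentialsTokenResponseClient();

        // Extra request headers on top of the defaults (the default headers, including
        // client_secret_basic authentication when configured, are still applied).
        client.addHeadersConverter(grantRequest -> {
            HttpHeaders headers = new HttpHeaders();
            headers.set("X-Correlation-Id", UUID.randomUUID().toString()); // placeholder header name
            return headers;
        });

        // Extra form parameters on top of the defaults (grant_type, scope, and client
        // credentials for client_secret_post are still added by the client itself).
        client.addParametersConverter(grantRequest -> {
            MultiValueMap<String, String> params = new LinkedMultiValueMap<>();
            params.set("audience", "https://api.example.com"); // placeholder value
            return params;
        });

        // JWT client authentication (client_secret_jwt / private_key_jwt) via the converter
        // Spring Security documents for that purpose. It only emits a client_assertion when the
        // registration's client authentication method is one of the JWT methods, otherwise it
        // returns null, which addParametersConverter tolerates.
        client.addParametersConverter(
                new NimbusJwtClientAuthenticationParametersConverter<>(TokenResponseClientConfig::resolveJwk));

        return client;
    }

    // Key used to sign the client assertion. Returning null means "no key" for this registration.
    private static JWK resolveJwk(ClientRegistration registration) {
        if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(registration.getClientAuthenticationMethod())) {
            // Symmetric key derived from the client secret (HMAC), as in the Spring Security reference docs.
            // The secret itself never leaves the process; only the signed assertion is sent.
            return new OctetSequenceKey.Builder(registration.getClientSecret().getBytes(StandardCharsets.UTF_8))
                    .keyID(UUID.randomUUID().toString())
                    .build();
        }
        // private_key_jwt would return the client's private RSA/EC JWK here; not shown.
        return null;
    }
}
```

Register the bean with the `ClientCredentialsOAuth2AuthorizedClientProvider` (or the `OAuth2AuthorizedClientManager` you already use) in place of the old `Default*` client; nothing else in the provider wiring changes. The `add*Converter` methods layer on top of the defaults, while the `set*Converter` variants replace them entirely, which is what you would reach for if a provider rejects one of the standard parameters.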
Comment From: gdufrene
@sjohnr thanks for your reply and documentation update ! It will help us :)