NOTE: This is a ticket that the Spring Security team is reviewing for inclusion. It's not considered ready to implement yet. When it is, this disclaimer will be removed and the title may change

LdapAuthenticationProvider, JaasAuthenticationProvider, and DaoAuthenticationProvider all issue FACTOR_PASSWORD as their factory authority.

This makes sense since that is the kind of credential that was used (a username and password), and this is typically what will be important when deciding level of authority.

There may be value, though, in specifically differentiating the type of authentication that was performed, and this information is available neither in the authority nor in the authentication type.

One way to address this would be to resolve authorities hierarchically, as is already done with roles. For example, LdapAuthenticationProvider could issue FACTOR_PASSWORD_LDAP, JaasAuthenticationProvider could issue FACTOR_PASSWORD_JAAS, and so on. Each of these would imply FACTOR_PASSWORD, allowing authorization rules to focus on the credential type.

Some places where this might be helpful are when similar credentials have differing security profiles. An example of this is with Bearer and DPoP tokens. For some requests, it may be valuable to indicate they require elevated security:

@EnableGlobalMultifactorAuthentication(authorities = { FACTOR_X509_AUTHORITY, FACTOR_BEARER_AUTHORITY })

// ...

@Bean
ThrowingCustomizer<HttpSecurity> sensitiveEndpoints() {
    return (http) -> http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/sensitive/endpoints/**").hasAuthority("FACTOR_BEARER_DPOP")
            .anyRequest().authenticated()
        );
}

Another example may be considering the subsystem that the user is registered in:

@Bean
ThrowingCustomizer<HttpSecurity> sensitiveEndpoints() {
    return (http) -> http
        .authorizeHttpRequests((authorize) -> authorize
            .requestMatchers("/appone/**").hasAuthority("FACTOR_PASSWORD_LDAP") 
            .anyRequest().authenticated()
        );
}

That is, only the users that are registered in LDAP may use this part of the application.