
spring-security-oauth-5-2-migrate's Introduction

Spring Security OAuth 5.2 Migration Sample

This sample should be used for migrating a Spring Security OAuth 2.x application to Spring Security 5.2.

This is the Spring Security 5.2 sample and the corresponding Spring Security OAuth 2.4 sample is here.

See the OAuth 2.0 Migration Guide for further details.

Run the Sample

  • Build the sample → ./mvnw clean package

  • Run Keycloak → cd keycloak && ./run.sh

    • IMPORTANT: Make sure to modify your /etc/hosts file to avoid problems with session cookie overwrites between client-app and keycloak. Simply add the entry 127.0.0.1 auth-server

  • Run Resource Server → ./mvnw -f resource-server spring-boot:run

  • Run Client App → ./mvnw -f client-app spring-boot:run

  • Go to http://localhost:8080 and login using user1/password

spring-security-oauth-5-2-migrate's People

Contributors

jgrandja


spring-security-oauth-5-2-migrate's Issues

Question: Setting the timeout for token retrieval during client_credentials grant

Hello @jgrandja and thank you for this great resource. I have been following it carefully the last couple of days and everything is working well.

First off, let me apologize if this is the wrong place for questions. Please close this and forget about it. I appreciate you must be busy.

On my slow network I am often getting connection timeouts when trying to retrieve the token during a client-credentials grant (e.g. from https://authserver/protocol/openid-connect/token). It does work if I simply refresh the page a few times, but obviously I'd like to do better. I'm wondering how I can configure the token retrieval timeout.

I would post my code, but it is basically identical to what you have for https://github.com/jgrandja/spring-security-oauth-5-2-migrate/blob/master/client-app/src/main/java/org/springframework/security/oauth/samples/web/AuthorizationController.java#L56.

(Incidentally, I found this issue from 2017 that you commented on, spring-projects/spring-security#4474 (comment), and it sounds like a similar issue: "This error is happening during the Access Token Request call in NimbusAuthorizationCodeTokenExchanger..." You propose a new feature, the HttpClientConfig, but later discard it after some discussion with other devs.)
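In the Spring Security 5.2 client model used by this sample, the client_credentials token request is not sent by the WebClient that carries the resource request; it is sent by the token response client inside the OAuth2AuthorizedClientProvider, which is a RestTemplate by default. The timeout therefore has to be set on that RestTemplate's request factory. The following configuration is an added example written for this page, not code from the sample or from the issue author; the class name, bean names and timeout values are assumptions, and it expects the ClientRegistrationRepository and OAuth2AuthorizedClientRepository beans that Spring Boot auto-configures.

```java
// Added example (not code from the sample or the issue): bound the connect and read
// timeouts of the client_credentials token request. In Spring Security 5.2 that request
// is made by the provider's token response client (a RestTemplate by default), not by
// the WebClient that calls the resource server, so the bound belongs on the RestTemplate.
// Class name, bean names and timeout values are assumptions made for this example.
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.endpoint.DefaultClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
import org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.reactive.function.client.WebClient;

@Configuration
public class TokenTimeoutConfig {

	// Timeouts in milliseconds (assumed values; tune them for the network in question).
	private static final int CONNECT_TIMEOUT_MS = 3_000;
	private static final int READ_TIMEOUT_MS = 5_000;

	@Bean
	public OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient() {
		SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
		requestFactory.setConnectTimeout(CONNECT_TIMEOUT_MS);
		requestFactory.setReadTimeout(READ_TIMEOUT_MS);

		// Same converters and error handler as the default RestTemplate, plus the bounded request factory.
		RestTemplate restTemplate = new RestTemplate(Arrays.asList(
				new FormHttpMessageConverter(), new OAuth2AccessTokenResponseHttpMessageConverter()));
		restTemplate.setRequestFactory(requestFactory);
		restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler());

		DefaultClientCredentialsTokenResponseClient tokenResponseClient = new DefaultClientCredentialsTokenResponseClient();
		tokenResponseClient.setRestOperations(restTemplate);
		return tokenResponseClient;
	}

	@Bean
	public OAuth2AuthorizedClientManager authorizedClientManager(
			ClientRegistrationRepository clientRegistrationRepository,
			OAuth2AuthorizedClientRepository authorizedClientRepository,
			OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient) {

		// Only the client_credentials provider gets the custom token response client;
		// the other grants keep their defaults.
		OAuth2AuthorizedClientProvider authorizedClientProvider = OAuth2AuthorizedClientProviderBuilder.builder()
				.authorizationCode()
				.refreshToken()
				.clientCredentials(configurer -> configurer.accessTokenResponseClient(clientCredentialsTokenResponseClient))
				.build();

		DefaultOAuth2AuthorizedClientManager authorizedClientManager =
				new DefaultOAuth2AuthorizedClientManager(clientRegistrationRepository, authorizedClientRepository);
		authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
		return authorizedClientManager;
	}

	@Bean
	public WebClient webClient(OAuth2AuthorizedClientManager authorizedClientManager) {
		// The filter function asks the manager for a token, so the bound above applies
		// to every token request this WebClient triggers for a client_credentials registration.
		ServletOAuth2AuthorizedClientExchangeFilterFunction oauth2Client =
				new ServletOAuth2AuthorizedClientExchangeFilterFunction(authorizedClientManager);
		return WebClient.builder()
				.apply(oauth2Client.oauth2Configuration())
				.build();
	}
}
```

A bounded timeout on the token request is also the safer default: an authorization server that is slow or unreachable then fails the request promptly instead of holding a servlet thread open for the platform's default connect timeout. The WebClient's own connector timeout still governs the call to the resource server; this example does not change that.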

Authenticate users via Resource Owner Password Credentials

Is it possible to configure Spring Boot to authenticate users using the OAuth2 Resource Owner Password Grant?
This question was also raised on StackOverflow.

The password grant implemented in this repository is very similar, but only works with an HTTP client to make requests to another service. The client is set up through an endpoint ("/authorize", params = "grant_type=password") and it is preserved in the session.

Is it possible to do something similar, but to provide authentication for its own application?

Good references to replace AuthorizationServerConfigurerAdapter in Spring Security

Hi, our team is clearing our tech debt in Spring Security and realized that Spring Security OAuth2 component is being deprecated and replaced as a part of Spring Security 5.2 or higher.

I am currently working on replacing the deprecated APIs with the newly introduced ones in Spring Security 5.3.3 and am stuck on replacing AuthorizationServerConfigurerAdapter. Tried finding a good example or the equivalent behaviors in WebSecurityConfigurerAdapter but couldn't quite get lucky.

I was wondering if there are any good references to replace the deprecated APIs with the new ones or not. What I am interested in are the following interfaces:

TokenStore
TokenEnhancer
TokenConverter

I would be grateful if you could give me any good advice or directions.

Thanks.

Regards,
Younghwan Jang

using new oauth2.0 client, redirect URL is not being masked from oauth security - is again redirected to oauth server

SecurityConfig.java

```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

/**
 * @author Joe Grandja
 */
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

	// @formatter:off
	@Override
	public void configure(WebSecurity web) {
		// Requests under /authorize/** bypass the security filter chain entirely
		web.ignoring().antMatchers("/authorize/**");
	}
	// @formatter:on

	// @formatter:off
	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests().antMatchers("/", "/index.html", "/sign-in-widget-config").permitAll()
				.antMatchers("/authorize").permitAll().antMatchers(HttpMethod.GET, "/authorize").permitAll().and()
			.oauth2Client();
	}
	// @formatter:on

	// @formatter:off
	@Bean
	public UserDetailsService users() {
		// In-memory user for local testing only
		UserDetails user = User.withDefaultPasswordEncoder().username("user1").password("password").roles("USER")
				.build();
		return new InMemoryUserDetailsManager(user);
	}
	// @formatter:on
}
```

application.yml

```yaml
# Spring Boot binds client registrations under the spring.security.oauth2.client prefix
spring:
  security:
    oauth2:
      client:
        registration:
          ping-federate:
            provider: ***********
            client-id: im_oic_client
            client-name: ***********
            client-secret: 37dH9j3f8yhYnOE53ak1z1UxMnfU0h7BT7qI556wpe0Jajz7WGQRQEq4DD2F5coz
            authorization-grant-type: implicit
            redirect-uri: http://127.0.0.1:8080/authorize
            scope: email,phone,profile
```

authorization controller

```java
/*
 * Copyright 2012-2019 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import static org.springframework.security.oauth2.client.web.reactive.function.client.ServletOAuth2AuthorizedClientExchangeFilterFunction.clientRegistrationId;

import java.util.Arrays;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.reactive.function.client.WebClient;

/**
 * @author Joe Grandja
 */
@Controller
public class AuthorizationController {

	@Value("${messages.base-uri}")
	private String messagesBaseUri;

	@Autowired
	private WebClient webClient;

	@GetMapping(value = "/authorize")
	public String authorization_code_grant(Model model) {
		System.out.println("I AM HERE");
		String[] messages = retrieveMessages("messaging-client-auth-code");
		Arrays.asList(messages).forEach(p -> System.out.println(p));
		model.addAttribute("messages", messages);
		return "index";
	}

//	@GetMapping("/authorized") // registered redirect_uri for authorization_code
//	public String authorized(Model model) {
//		String[] messages = retrieveMessages("messaging-client-auth-code");
//		model.addAttribute("messages", messages);
//		return "index";
//	}
//
//	@GetMapping(value = "/authorize", params = "grant_type=client_credentials")
//	public String client_credentials_grant(Model model) {
//		String[] messages = retrieveMessages("messaging-client-client-creds");
//		model.addAttribute("messages", messages);
//		return "index";
//	}
//
//	@PostMapping(value = "/authorize", params = "grant_type=password")
//	public String password_grant(Model model) {
//		String[] messages = retrieveMessages("messaging-client-password");
//		model.addAttribute("messages", messages);
//		return "index";
//	}

	// Calls the resource server with the authorized client for the given registration id
	private String[] retrieveMessages(String clientRegistrationId) {
		return this.webClient.get().uri(this.messagesBaseUri).attributes(clientRegistrationId(clientRegistrationId))
				.retrieve().bodyToMono(String[].class).block();
	}

}
```

Why is there a UserDetailsService for password flow?

The example seems to be suggesting that UserDetailsService is required for oauth password flow.
There appears to be no requirement to explicitly configure the service for authorization code flow.

I was hoping to get some advice from StackOverflow, with no luck so far...

What is going on?

I've wasted a few hours on this and given up.

  1. Do you not need to configure messaging-client somewhere? It's certainly not in the keycloak realm json.
  2. Keycloak server is 7. New version is 9.
  3. Why am I logging on as user1? Is this user supposed to be defined in keycloak (spoiler: it's not) as opposed to an in-memory one?
  4. Given the breaking changes (hence this migration guide) and the subtle differences between SS and SS OAuth, this hasn't helped at all - it just muddies the water even further.

Demonstrate XML config

All Spring docs either use Spring Boot starters or non-Spring Boot with Java Config extending WebSecurityConfigurerAdapter. We have a pure XML config of Spring security so cannot extend WebSecurityConfigurerAdapter as it duplicates beans. How do you configure your examples with pure XML config or potentially with a mix of both Java config and XML config?
