This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.0!

OAuth 2.0 Migrations

Validate typ Header with JwtTypeValidator

If you set validateTypes to false while following the 6.5 preparatory steps, you can now remove that call. You can also stop adding JwtTypeValidator explicitly to the list of default validators: the createDefaultXXX factory methods now include it, so the typ header is still checked after you remove both pieces of configuration.

For example, change this:

Java:

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        new JwtIssuerValidator(location), JwtTypeValidator.jwt())); (2)
    return jwtDecoder;
}

Kotlin:

@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) (1)
        // ... your remaining configuration
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        JwtIssuerValidator(location), JwtTypeValidator.jwt())) (2)
    return jwtDecoder
}

1 - Switch off Nimbus's own verification of the typ header
2 - Add the default typ validator explicitly

to this:

Java:

@Bean
JwtDecoder jwtDecoder() {
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration (1)
        .build();
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); (2)
    return jwtDecoder;
}

Kotlin:

@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration (1)
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)) (2)
    return jwtDecoder
}

1 - validateTypes now defaults to false, so there is nothing to switch off
2 - JwtTypeValidator#jwt is added by all createDefaultXXX methods
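The default JwtTypeValidator#jwt admits only a typ of JWT (or no typ at all), which rejects access tokens from an authorization server that follows RFC 9068 and sets typ to at+jwt. The following configuration is an added example, not part of the Spring Security reference or code base: it keeps the 7.0 defaults from above but supplies its own JwtTypeValidator with an explicit list of accepted types, refuses tokens with no typ, and pins the audience. The issuer and audience values are hypothetical, and it assumes that a JwtTypeValidator passed to createDefaultWithValidators replaces the default jwt() one rather than being added alongside it (if it does not in your version, build a DelegatingOAuth2TokenValidator with the validators you want instead).

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTypeValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class AccessTokenDecoderConfig {

    // Hypothetical values: substitute your authorization server's issuer and the
    // audience it places in access tokens minted for this resource server.
    private static final String ISSUER = "https://issuer.example.com";
    private static final String AUDIENCE = "orders-api";

    @Bean
    JwtDecoder jwtDecoder() {
        // No validateTypes(false) call: Nimbus no longer checks typ, the validator chain does.
        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(ISSUER).build();

        // JwtTypeValidator.jwt() only admits "JWT" (or a missing typ). An issuer that
        // follows RFC 9068 sets typ "at+jwt" on access tokens, so list the types this
        // resource server accepts. Refusing a missing typ means a token that does not
        // declare what it is is rejected rather than guessed at.
        JwtTypeValidator typeValidator = new JwtTypeValidator(List.of("at+jwt", "JWT"));
        typeValidator.setAllowEmpty(false);

        // typ separates token kinds the issuer labels (a "logout+jwt" token fails the
        // check above); it does not separate access tokens minted for other APIs of the
        // same issuer, so the audience must be pinned as well.
        OAuth2TokenValidator<Jwt> audienceValidator = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, (aud) -> aud != null && aud.contains(AUDIENCE));

        // Assumption: the JwtTypeValidator supplied here takes the place of the default
        // JwtTypeValidator.jwt() that createDefaultWithValidators would otherwise add.
        jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
                new JwtIssuerValidator(ISSUER), typeValidator, audienceValidator));
        return jwtDecoder;
    }
}
```

With this in place a token carrying typ "id+jwt" or "logout+jwt", or no typ header, is rejected by the type validator before any claims are consulted, and an access token for a different API of the same issuer is rejected by the audience check.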

Do Not Process <saml2:Response> GET Requests with Saml2AuthenticationTokenConverter

Spring Security does not support processing <saml2:Response> payloads over GET. The SAML 2.0 Web Browser SSO profile delivers the Response to the service provider with the HTTP-POST (or HTTP-Artifact) binding, not in a query string, and a Response carried in a URL would also end up in server access logs and Referer headers.

To better comply with this, Saml2AuthenticationTokenConverter, OpenSaml4AuthenticationTokenConverter, and OpenSaml5AuthenticationTokenConverter will not process GET requests by default as of Spring Security 8. To prepare for this, the property shouldConvertGetRequests is available. To use it, publish your own converter like so:

Java:

@Bean
OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) {
    OpenSaml5AuthenticationTokenConverter authenticationConverter = new OpenSaml5AuthenticationTokenConverter(registrations);
    authenticationConverter.setShouldConvertGetRequests(false);
    return authenticationConverter;
}

Kotlin:

@Bean
fun authenticationConverter(registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter {
    val authenticationConverter = Saml2AuthenticationTokenConverter(registrations)
    authenticationConverter.setShouldConvertGetRequests(false)
    return authenticationConverter
}

If you must continue using Saml2AuthenticationTokenConverter, OpenSaml4AuthenticationTokenConverter, or OpenSaml5AuthenticationTokenConverter to process GET requests, you can call setShouldConvertGetRequests(true) explicitly; doing so keeps today's behaviour after the Spring Security 8 default changes.
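The snippet above publishes the converter as a bean and relies on saml2Login picking it up. The following configuration is an added example, not code from the Spring Security project, that wires the same converter into the filter chain explicitly through the saml2Login DSL, so the POST-only setting applies regardless of bean detection. The RelyingPartyRegistrationRepository is assumed to be configured elsewhere (for example from Spring Boot properties).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml5AuthenticationTokenConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class Saml2PostOnlyConfig {

    @Bean
    OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) {
        OpenSaml5AuthenticationTokenConverter converter = new OpenSaml5AuthenticationTokenConverter(registrations);
        // Only the HTTP-POST binding carries a <saml2:Response> in Web Browser SSO; a
        // Response in a GET query string would be logged and leaked via Referer, so
        // refuse to convert it. This is the Spring Security 8 default, opted into early.
        converter.setShouldConvertGetRequests(false);
        return converter;
    }

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http,
            OpenSaml5AuthenticationTokenConverter authenticationConverter) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            // Hand the converter to the DSL directly rather than relying on bean lookup;
            // a GET to the assertion consumer URL now yields no Saml2AuthenticationToken,
            // which the SSO filter treats as a failed authentication instead of parsing it.
            .saml2Login((saml2) -> saml2.authenticationConverter(authenticationConverter));
        return http.build();
    }
}
```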

Provide an AuthenticationConverter to BearerTokenAuthenticationFilter

In Spring Security 7, BearerTokenAuthenticationFilter#setBearerTokenResolver and #setAuthenticationDetailsSource are deprecated in favor of configuring both on BearerTokenAuthenticationConverter.

The oauth2ResourceServer DSL addresses most use cases, and if you use it you need to do nothing.

If you are setting a BearerTokenResolver or AuthenticationDetailsSource directly on BearerTokenAuthenticationFilter similar to the following:

Java:

BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager);
filter.setBearerTokenResolver(myBearerTokenResolver);
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);

Kotlin:

val filter = BearerTokenAuthenticationFilter(authenticationManager)
filter.setBearerTokenResolver(myBearerTokenResolver)
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource)

you are encouraged to use BearerTokenAuthenticationConverter to specify both:

Java:

BearerTokenAuthenticationConverter authenticationConverter =
    new BearerTokenAuthenticationConverter();
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver);
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter);

Kotlin:

val authenticationConverter = BearerTokenAuthenticationConverter()
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver)
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource)
val filter = BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter)
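For the case the section is about, a BearerTokenAuthenticationFilter built by hand rather than through the oauth2ResourceServer DSL, the following is an added example (not Spring Security's own code) of a complete filter chain using the converter-based constructor. The resolver is a hypothetical one that delegates to DefaultBearerTokenResolver, which reads only the Authorization header, and returns null for a /public/ prefix so that the filter passes those requests through untouched; the JwtDecoder bean and the /public/ prefix are assumptions of the example.

```java
import jakarta.servlet.http.HttpServletRequest;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.web.BearerTokenAuthenticationEntryPoint;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
public class ManualBearerTokenFilterConfig {

    // Hypothetical: requests under this prefix are served without bearer authentication
    private static final String PUBLIC_PREFIX = "/public/";

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http, JwtDecoder jwtDecoder) throws Exception {
        // Without the DSL nothing registers a JWT provider for us, so build the manager here
        AuthenticationManager authenticationManager =
                new ProviderManager(new JwtAuthenticationProvider(jwtDecoder));

        // DefaultBearerTokenResolver reads the Authorization header only; query-string and
        // form-body tokens stay disabled (its defaults), since tokens in URLs are logged.
        // Returning null for public paths makes the filter skip them entirely: a stray
        // token there is neither validated nor rejected.
        DefaultBearerTokenResolver headerOnly = new DefaultBearerTokenResolver();
        BearerTokenResolver resolver = (HttpServletRequest request) ->
                request.getRequestURI().startsWith(request.getContextPath() + PUBLIC_PREFIX)
                        ? null
                        : headerOnly.resolve(request);

        // Both settings that the deprecated filter setters used to take now live here
        BearerTokenAuthenticationConverter converter = new BearerTokenAuthenticationConverter();
        converter.setBearerTokenResolver(resolver);
        converter.setAuthenticationDetailsSource(new WebAuthenticationDetailsSource());

        BearerTokenAuthenticationFilter filter =
                new BearerTokenAuthenticationFilter(authenticationManager, converter);

        http
            .csrf((csrf) -> csrf.disable())
            .sessionManagement((session) -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests((authorize) -> authorize
                .requestMatchers(PUBLIC_PREFIX + "**").permitAll()
                .anyRequest().authenticated())
            // The DSL would install this entry point for us; do it explicitly instead so
            // unauthenticated requests get a 401 with WWW-Authenticate: Bearer
            .exceptionHandling((exceptions) ->
                exceptions.authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint()))
            .addFilterAfter(filter, BasicAuthenticationFilter.class);
        return http.build();
    }
}
```

The converter is the single place to look when auditing how a token reaches the filter: whatever resolver and details source it holds is what the filter uses, and the deprecated setters on the filter no longer need to be checked.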