What’s New in Spring Security 6.5

Spring Security 6.5 provides a number of new features. Below are the highlights of the release, or you can view the release notes for a detailed listing of each feature and bug fix.

New Features

Support for automatic context-propagation with Micrometer (gh-16665)
OAuth 2.0 Demonstrating Proof of Possession (DPoP) (gh-16574)

Breaking Changes

Observability

The security.security.reached.filter.section key name was corrected to spring.security.reached.filter.section. Note that this may affect reports that operate on this key name.

OAuth

gh-16386 - Enable PKCE for confidential clients using ClientRegistration.clientSettings.requireProofKey=true for servlet and reactive applications
gh-16913 - Prepare OAuth2 Client deprecations for removal in Spring Security 7

WebAuthn

gh-16282 - JDBC Persistence for WebAuthn/Passkeys
gh-16397 - Added the ability to configure a custom HttpMessageConverter for Passkeys using the optional messageConverter property on the webAuthn DSL.
gh-16396 - Added the ability to configure a custom PublicKeyCredentialCreationOptionsRepository

One-Time Token Login

gh-16291 - oneTimeTokenLogin() now supports customizing GenerateOneTimeTokenRequest via GenerateOneTimeTokenRequestResolver