Consider requiring Spring Security 5.2 for OAuth2 authentication
scottfrederick opened this issue · 2 comments
scottfrederick commented
There are (so far) two changes in Spring Security 5.2 that will benefit Spring CredHub:
- Spring CredHub has a copy of WebClientReactiveClientCredentialsTokenResponseClient from Spring Security so that the `WebClient` can be overridden. This ability has been added to Spring Security and will be available in 5.2, at which time Spring CredHub could delete this copied class.
- Currently a `client_credentials` grant does not include a refresh token and won't be refreshed automatically by Spring Security when it expires. This has been addressed in Spring Security, and will be available in 5.2.
Blocked on:
- the release of Spring Security 5.2
- determining whether this release is backward-compatible for client apps using Spring Boot 5.1 or if it will require client apps to use Boot 5.2
scottfrederick commented
Fixed via aa2ae34