Class PasswordOAuth2AuthorizedClientProvider

java.lang.Object
org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider
All Implemented Interfaces:
OAuth2AuthorizedClientProvider

@Deprecated(since="5.8", forRemoval=true) public final class PasswordOAuth2AuthorizedClientProvider extends Object implements OAuth2AuthorizedClientProvider
Deprecated, for removal: This API element is subject to removal in a future version.
The OAuth 2.0 Security Best Current Practice disallows the use of the Resource Owner Password Credentials grant. See reference OAuth 2.0 Security Best Current Practice.
An implementation of an OAuth2AuthorizedClientProvider for the password grant.
Since:
5.2
  • Constructor Details

    • PasswordOAuth2AuthorizedClientProvider

      public PasswordOAuth2AuthorizedClientProvider()
      Deprecated, for removal: This API element is subject to removal in a future version.
  • Method Details

    • authorize

      @Nullable public OAuth2AuthorizedClient authorize(OAuth2AuthorizationContext context)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Attempt to authorize (or re-authorize) the client in the provided context. Returns null if authorization (or re-authorization) is not supported, e.g. the client's authorization grant type is not password OR the username and/or password attributes are not available in the provided context OR the access token is not expired.

      The following context attributes are supported:

      1. OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME (required) - a String value for the resource owner's username
      2. OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME (required) - a String value for the resource owner's password
      Specified by:
      authorize in interface OAuth2AuthorizedClientProvider
      Parameters:
      context - the context that holds authorization-specific state for the client
      Returns:
      the OAuth2AuthorizedClient or null if authorization (or re-authorization) is not supported
    • setAccessTokenResponseClient

      public void setAccessTokenResponseClient(OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets the client used when requesting an access token credential at the Token Endpoint for the password grant.
      Parameters:
      accessTokenResponseClient - the client used when requesting an access token credential at the Token Endpoint for the password grant
    • setClockSkew

      public void setClockSkew(Duration clockSkew)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets the maximum acceptable clock skew, which is used when checking the access token expiry. The default is 60 seconds.

      An access token is considered expired if OAuth2AccessToken#getExpiresAt() - clockSkew is before the current time clock#instant().

      Parameters:
      clockSkew - the maximum acceptable clock skew
    • setClock

      public void setClock(Clock clock)
      Deprecated, for removal: This API element is subject to removal in a future version.
      Sets the Clock used in Instant.now(Clock) when checking the access token expiry.
      Parameters:
      clock - the clock
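
The null-return cases of authorize and the clock-skew expiry rule described above, as an added example that is not part of the original Javadoc or the project's own code. It assumes a Spring Security release that still ships this class on the classpath; the registration values, principal, password, token strings, fixed time and the class name PasswordProviderNullCases are constructed for illustration, and the Token Endpoint client is a stub.

```java
import java.time.*;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.oauth2.client.*;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;

@SuppressWarnings("removal") // the provider and the password grant type are deprecated for removal
public class PasswordProviderNullCases {
    static final Instant NOW = Instant.parse("2024-01-01T12:00:00Z"); // constructed fixed time
    static final TestingAuthenticationToken PRINCIPAL = new TestingAuthenticationToken("alice", "n/a");
    // Constructed registration; idp.example.invalid is a placeholder and is never contacted.
    static final ClientRegistration REG = ClientRegistration.withRegistrationId("legacy")
            .clientId("legacy-client").authorizationGrantType(AuthorizationGrantType.PASSWORD)
            .tokenUri("https://idp.example.invalid/oauth2/token").build();

    // Context holding an existing access token that expires secondsLeft after NOW.
    static OAuth2AuthorizationContext withToken(long secondsLeft) {
        OAuth2AccessToken token = new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                "old-token", NOW.minusSeconds(600), NOW.plusSeconds(secondsLeft));
        return OAuth2AuthorizationContext
                .withAuthorizedClient(new OAuth2AuthorizedClient(REG, "alice", token))
                .principal(PRINCIPAL)
                .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "alice")
                .attribute(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, "constructed-password")
                .build();
    }

    public static void main(String[] args) {
        PasswordOAuth2AuthorizedClientProvider provider = new PasswordOAuth2AuthorizedClientProvider();
        provider.setClock(Clock.fixed(NOW, ZoneOffset.UTC));
        // Stubbed Token Endpoint client, so no request leaves the process.
        provider.setAccessTokenResponseClient(request -> OAuth2AccessTokenResponse.withToken("new-token")
                .tokenType(OAuth2AccessToken.TokenType.BEARER).expiresIn(300).build());

        // Case 1: the password attribute is absent from the context.
        OAuth2AuthorizationContext noPassword = OAuth2AuthorizationContext.withClientRegistration(REG)
                .principal(PRINCIPAL)
                .attribute(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, "alice").build();
        System.out.println("missing password   -> " + (provider.authorize(noPassword) != null));
        // Case 2: existing token with 300 s left, checked against the default 60 s skew.
        System.out.println("300 s left, 60 s   -> " + (provider.authorize(withToken(300)) != null));
        // Case 3: existing token with 30 s left; expiresAt - 60 s is already before the clock.
        System.out.println("30 s left, 60 s    -> " + (provider.authorize(withToken(30)) != null));
        // Case 4: the same token checked with the skew set to zero.
        provider.setClockSkew(Duration.ZERO);
        System.out.println("30 s left, 0 s     -> " + (provider.authorize(withToken(30)) != null));
    }
}
```

Each line prints whether authorize returned an OAuth2AuthorizedClient. A null result means only that this provider had nothing to do, so callers must not read it as a rejected credential.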