Description
Depending on the value an OAuth2 ProvisionedService sets for the ClientAuthenticationMethod field, Spring Boot 3 apps may break when acting as an OAuth2 client. When service binding is used, the spring-cloud-bindings library maps the value of this field verbatim to the Spring property spring.security.oauth2.client.registration.[registrationId].client-authentication-method.
Internally, this value is converted to a ClientAuthenticationMethod instance. This works fine for Spring Boot 2.7.x and below, because the class maps the following strings to predefined instances (note: the values allowed in the ClientRegistration resource are deprecated):
// ClientAuthenticationMethod constants as seen by Spring Boot 2.7.x and below
@Deprecated
public static final ClientAuthenticationMethod BASIC = new ClientAuthenticationMethod("basic");
public static final ClientAuthenticationMethod CLIENT_SECRET_BASIC = new ClientAuthenticationMethod("client_secret_basic");
@Deprecated
public static final ClientAuthenticationMethod POST = new ClientAuthenticationMethod("post");
public static final ClientAuthenticationMethod CLIENT_SECRET_POST = new ClientAuthenticationMethod("client_secret_post");
public static final ClientAuthenticationMethod CLIENT_SECRET_JWT = new ClientAuthenticationMethod("client_secret_jwt");
public static final ClientAuthenticationMethod PRIVATE_KEY_JWT = new ClientAuthenticationMethod("private_key_jwt");
public static final ClientAuthenticationMethod NONE = new ClientAuthenticationMethod("none");
In Boot 3, the deprecated fields are no longer available, so the clientAuthenticationMethod does not map to a valid instance when one of the deprecated values is used in the ClientAuthenticationMethod field of the ProvisionedService. This causes the OAuth2 flow to fail when the AuthServer redirects back to the application's callback URL.
Simply asking a ProvisionedService to update the value of this field may break other apps that depend on the same ProvisionedService instance.
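As an added example (not code from spring-cloud-bindings or Spring Security), a small Java helper that maps the deprecated values to the names Spring Security still defines in Boot 3, so an application can accept an existing binding unchanged instead of asking the ProvisionedService to change it; the class and method names are hypothetical, and unknown values are rejected rather than passed through.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical helper (added example, not Spring's code): normalise the
// client-authentication-method value taken from a service binding before it
// is turned into a ClientAuthenticationMethod on Spring Boot 3.
public final class ClientAuthMethodNormalizer {

    // Spec names that remain defined as constants in Boot 3 (see the list above).
    private static final Set<String> CURRENT = Set.of(
        "client_secret_basic", "client_secret_post",
        "client_secret_jwt", "private_key_jwt", "none");

    // Deprecated names accepted by Boot 2.7.x and their replacements.
    private static final Map<String, String> LEGACY = Map.of(
        "basic", "client_secret_basic",
        "post", "client_secret_post");

    private ClientAuthMethodNormalizer() {}

    /** Returns a value Boot 3 understands, or throws so misconfiguration fails at startup. */
    public static String normalize(String bindingValue) {
        if (bindingValue == null) {
            throw new IllegalArgumentException("missing clientAuthenticationMethod in binding");
        }
        String value = bindingValue.trim();
        if (CURRENT.contains(value)) {
            return value;
        }
        String mapped = LEGACY.get(value);
        if (mapped != null) {
            return mapped;
        }
        throw new IllegalArgumentException("unsupported clientAuthenticationMethod: " + bindingValue);
    }

    public static void main(String[] args) {
        // Constructed sample values, as a ProvisionedService might emit them.
        for (String v : new String[] {"basic", "post", "client_secret_basic", "private_key_jwt"}) {
            System.out.println(v + " -> " + normalize(v));
        }
    }
}
```

The mapping would run where the binding value is read into the Spring property, for example from a custom EnvironmentPostProcessor, so the rewritten value reaches ClientRegistration and no other consumer of the ProvisionedService is affected.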