spring-projects
diff --git a/‎docs/src/docs/asciidoc/configuration-model.adoc‎
Lines changed: 31 additions & 9 deletions b/‎docs/src/docs/asciidoc/configuration-model.adoc‎
Lines changed: 31 additions & 9 deletions
diff --git a/‎docs/src/docs/asciidoc/examples/src/main/java/sample/gettingStarted/SecurityConfig.java‎
Lines changed: 3 additions & 0 deletions b/‎docs/src/docs/asciidoc/examples/src/main/java/sample/gettingStarted/SecurityConfig.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/src/docs/asciidoc/examples/src/main/java/sample/userinfo/EnableUserInfoSecurityConfig.java‎
Lines changed: 3 additions & 0 deletions b/‎docs/src/docs/asciidoc/examples/src/main/java/sample/userinfo/EnableUserInfoSecurityConfig.java‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎docs/src/docs/asciidoc/examples/src/test/java/sample/jpa/JpaTests.java‎
Lines changed: 31 additions & 2 deletions b/‎docs/src/docs/asciidoc/examples/src/test/java/sample/jpa/JpaTests.java‎
Lines changed: 31 additions & 2 deletions
diff --git a/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java‎
Lines changed: 17 additions & 1 deletion b/‎oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/OAuth2AuthorizationEndpointConfigurer.java‎
Lines changed: 17 additions & 1 deletion
@@ -19,15 +19,10 @@ The OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with
 * xref:protocol-endpoints.adoc#oauth2-token-revocation-endpoint[OAuth2 Token Revocation endpoint]
 * xref:protocol-endpoints.adoc#oauth2-authorization-server-metadata-endpoint[OAuth2 Authorization Server Metadata endpoint]
 * xref:protocol-endpoints.adoc#jwk-set-endpoint[JWK Set endpoint]
-* xref:protocol-endpoints.adoc#oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration endpoint]
-* xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint]
 
 [NOTE]
 The JWK Set endpoint is configured *only* if a `JWKSource<SecurityContext>` `@Bean` is registered.
 
-[NOTE]
-The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default because many deployments do not require dynamic client registration.
-
 The following example shows how to use `OAuth2AuthorizationServerConfiguration` to apply the minimal default configuration:
 
 [source,java]
@@ -55,6 +50,29 @@ public class AuthorizationServerConfig {
 [IMPORTANT]
 The https://datatracker.ietf.org/doc/html/rfc6749#section-4.1[authorization_code grant] requires the resource owner to be authenticated. Therefore, a user authentication mechanism *must* be configured in addition to the default OAuth2 security configuration.
 
+https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] is disabled in the default configuration. The following example shows how to enable OpenID Connect 1.0 by initializing the `OidcConfigurer`:
+
+[source,java]
+----
+@Bean
+public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+	OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+
+	http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+		.oidc(Customizer.withDefaults());	// Initialize `OidcConfigurer`
+
+	return http.build();
+}
+----
+
+In addition to the default protocol endpoints, the OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with the following OpenID Connect 1.0 protocol endpoints:
+
+* xref:protocol-endpoints.adoc#oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration endpoint]
+* xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint]
+
+[NOTE]
+The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default because many deployments do not require dynamic client registration.
+
 [TIP]
 `OAuth2AuthorizationServerConfiguration.jwtDecoder(JWKSource<SecurityContext>)` is a convenience (`static`) utility method that can be used to register a `JwtDecoder` `@Bean`, which is *REQUIRED* for the xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint] and the xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint].
 
@@ -98,9 +116,11 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 		.tokenEndpoint(tokenEndpoint -> { })    <8>
 		.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint -> { })  <9>
 		.tokenRevocationEndpoint(tokenRevocationEndpoint -> { })    <10>
+		.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint -> { })    <11>
 		.oidc(oidc -> oidc
-			.userInfoEndpoint(userInfoEndpoint -> { })  <11>
-			.clientRegistrationEndpoint(clientRegistrationEndpoint -> { })  <12>
+			.providerConfigurationEndpoint(providerConfigurationEndpoint -> { })    <12>
+			.userInfoEndpoint(userInfoEndpoint -> { })  <13>
+			.clientRegistrationEndpoint(clientRegistrationEndpoint -> { })  <14>
 		);
 
 	return http.build();
@@ -116,8 +136,10 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
 <8> `tokenEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-token-endpoint[OAuth2 Token endpoint].
 <9> `tokenIntrospectionEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-token-introspection-endpoint[OAuth2 Token Introspection endpoint].
 <10> `tokenRevocationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-token-revocation-endpoint[OAuth2 Token Revocation endpoint].
-<11> `userInfoEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint].
-<12> `clientRegistrationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint].
+<11> `authorizationServerMetadataEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-authorization-server-metadata-endpoint[OAuth2 Authorization Server Metadata endpoint].
+<12> `providerConfigurationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration endpoint].
+<13> `userInfoEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint].
+<14> `clientRegistrationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint].
 
 [[configuring-authorization-server-settings]]
 == Configuring Authorization Server Settings
 
@@ -42,6 +42,7 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -56,6 +57,8 @@ public class SecurityConfig {
 	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
 			throws Exception {
 		OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+		http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+			.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
 		// @formatter:off
 		http
 			// Redirect to the login page when not authenticated from the
 
@@ -44,6 +44,7 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
 import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -57,6 +58,8 @@ public class EnableUserInfoSecurityConfig {
 	@Order(1)
 	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
 		OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+		http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+			.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
 		// @formatter:off
 		http
 			.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt) // <2>
 
@@ -36,8 +36,12 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.Import;
+import org.springframework.core.Ordered;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
 import org.springframework.security.oauth2.jwt.JwtDecoder;
@@ -49,6 +53,10 @@
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
 import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
 import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
+import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
+import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.util.StringUtils;
 
@@ -133,9 +141,25 @@ private OAuth2Authorization findAuthorization(String token, String tokenType) {
 	@EnableWebSecurity
 	@EnableAutoConfiguration
 	@ComponentScan
-	@Import(OAuth2AuthorizationServerConfiguration.class)
 	static class AuthorizationServerConfig {
 
+		@Bean
+		@Order(Ordered.HIGHEST_PRECEDENCE)
+		public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+			OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
+			http.getConfigurer(OAuth2AuthorizationServerConfigurer.class)
+					.oidc(Customizer.withDefaults());	// Enable OpenID Connect 1.0
+
+			// @formatter:off
+			http
+				.exceptionHandling(exceptions ->
+					exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
+				)
+				.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
+			// @formatter:on
+			return http.build();
+		}
+
 		@Bean
 		public JWKSource<SecurityContext> jwkSource() {
 			JWKSet jwkSet = new JWKSet(TestJwks.DEFAULT_RSA_JWK);
@@ -147,6 +171,11 @@ public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
 			return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
 		}
 
+		@Bean
+		public AuthorizationServerSettings authorizationServerSettings() {
+			return AuthorizationServerSettings.builder().build();
+		}
+
 	}
 
 }
@@ -28,9 +28,11 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationResponse;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
+import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationValidator;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationProvider;
 import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
 import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
@@ -65,6 +67,7 @@ public final class OAuth2AuthorizationEndpointConfigurer extends AbstractOAuth2C
 	private AuthenticationSuccessHandler authorizationResponseHandler;
 	private AuthenticationFailureHandler errorResponseHandler;
 	private String consentPage;
+	private Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authorizationCodeRequestAuthenticationValidator;
 
 	/**
 	 * Restrict for internal use only.
@@ -189,6 +192,14 @@ public OAuth2AuthorizationEndpointConfigurer consentPage(String consentPage) {
 		return this;
 	}
 
+	void addAuthorizationCodeRequestAuthenticationValidator(
+			Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator) {
+		this.authorizationCodeRequestAuthenticationValidator =
+				this.authorizationCodeRequestAuthenticationValidator == null ?
+						authenticationValidator :
+						this.authorizationCodeRequestAuthenticationValidator.andThen(authenticationValidator);
+	}
+
 	@Override
 	void init(HttpSecurity httpSecurity) {
 		AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils.getAuthorizationServerSettings(httpSecurity);
@@ -251,14 +262,19 @@ private static List<AuthenticationConverter> createDefaultAuthenticationConverte
 		return authenticationConverters;
 	}
 
-	private static List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity) {
+	private List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity) {
 		List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
 
 		OAuth2AuthorizationCodeRequestAuthenticationProvider authorizationCodeRequestAuthenticationProvider =
 				new OAuth2AuthorizationCodeRequestAuthenticationProvider(
 						OAuth2ConfigurerUtils.getRegisteredClientRepository(httpSecurity),
 						OAuth2ConfigurerUtils.getAuthorizationService(httpSecurity),
 						OAuth2ConfigurerUtils.getAuthorizationConsentService(httpSecurity));
+		if (this.authorizationCodeRequestAuthenticationValidator != null) {
+			authorizationCodeRequestAuthenticationProvider.setAuthenticationValidator(
+					new OAuth2AuthorizationCodeRequestAuthenticationValidator()
+							.andThen(this.authorizationCodeRequestAuthenticationValidator));
+		}
 		authenticationProviders.add(authorizationCodeRequestAuthenticationProvider);
 
 		OAuth2AuthorizationConsentAuthenticationProvider authorizationConsentAuthenticationProvider =