Remove Resource Owner Password Credentials grant

Closes gh-17446

Author: jgrandja

config/src/main/java/org/springframework/security/config/annotation/web/configuration/OAuth2ClientConfiguration.java

@@ -50,13 +50,11 @@
 import org.springframework.security.oauth2.client.JwtBearerOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
-import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -173,7 +171,6 @@ static final class OAuth2AuthorizedClientManagerRegistrar
 				AuthorizationCodeOAuth2AuthorizedClientProvider.class,
 				RefreshTokenOAuth2AuthorizedClientProvider.class,
 				ClientCredentialsOAuth2AuthorizedClientProvider.class,
-				PasswordOAuth2AuthorizedClientProvider.class,
 				JwtBearerOAuth2AuthorizedClientProvider.class,
 				TokenExchangeOAuth2AuthorizedClientProvider.class
 		);
@@ -241,7 +238,6 @@ OAuth2AuthorizedClientManager getAuthorizedClientManager() {
 				authorizedClientProviders.add(getRefreshTokenAuthorizedClientProvider(authorizedClientProviderBeans));
 				authorizedClientProviders
 					.add(getClientCredentialsAuthorizedClientProvider(authorizedClientProviderBeans));
-				authorizedClientProviders.add(getPasswordAuthorizedClientProvider(authorizedClientProviderBeans));
 
 				OAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = getJwtBearerAuthorizedClientProvider(
 						authorizedClientProviderBeans);
@@ -331,24 +327,6 @@ private OAuth2AuthorizedClientProvider getClientCredentialsAuthorizedClientProvi
 			return authorizedClientProvider;
 		}
 
-		private OAuth2AuthorizedClientProvider getPasswordAuthorizedClientProvider(
-				Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
-			PasswordOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(
-					authorizedClientProviders, PasswordOAuth2AuthorizedClientProvider.class);
-			if (authorizedClientProvider == null) {
-				authorizedClientProvider = new PasswordOAuth2AuthorizedClientProvider();
-			}
-
-			OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = getBeanOfType(
-					ResolvableType.forClassWithGenerics(OAuth2AccessTokenResponseClient.class,
-							OAuth2PasswordGrantRequest.class));
-			if (accessTokenResponseClient != null) {
-				authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
-			}
-
-			return authorizedClientProvider;
-		}
-
 		private OAuth2AuthorizedClientProvider getJwtBearerAuthorizedClientProvider(
 				Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
 			JwtBearerOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(

config/src/main/java/org/springframework/security/config/annotation/web/reactive/ReactiveOAuth2ClientConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -43,15 +43,13 @@
 import org.springframework.security.oauth2.client.ClientCredentialsReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.DelegatingReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.JwtBearerReactiveOAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.PasswordReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.RefreshTokenReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.TokenExchangeReactiveOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
-import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.ReactiveOAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
@@ -137,7 +135,6 @@ static final class ReactiveOAuth2AuthorizedClientManagerRegistrar
 				AuthorizationCodeReactiveOAuth2AuthorizedClientProvider.class,
 				RefreshTokenReactiveOAuth2AuthorizedClientProvider.class,
 				ClientCredentialsReactiveOAuth2AuthorizedClientProvider.class,
-				PasswordReactiveOAuth2AuthorizedClientProvider.class,
 				JwtBearerReactiveOAuth2AuthorizedClientProvider.class,
 				TokenExchangeReactiveOAuth2AuthorizedClientProvider.class
 		);
@@ -212,7 +209,6 @@ ReactiveOAuth2AuthorizedClientManager getAuthorizedClientManager() {
 				authorizedClientProviders.add(getRefreshTokenAuthorizedClientProvider(authorizedClientProviderBeans));
 				authorizedClientProviders
 					.add(getClientCredentialsAuthorizedClientProvider(authorizedClientProviderBeans));
-				authorizedClientProviders.add(getPasswordAuthorizedClientProvider(authorizedClientProviderBeans));
 
 				ReactiveOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = getJwtBearerAuthorizedClientProvider(
 						authorizedClientProviderBeans);
@@ -301,24 +297,6 @@ private ReactiveOAuth2AuthorizedClientProvider getClientCredentialsAuthorizedCli
 			return authorizedClientProvider;
 		}
 
-		private ReactiveOAuth2AuthorizedClientProvider getPasswordAuthorizedClientProvider(
-				Collection<ReactiveOAuth2AuthorizedClientProvider> authorizedClientProviders) {
-			PasswordReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(
-					authorizedClientProviders, PasswordReactiveOAuth2AuthorizedClientProvider.class);
-			if (authorizedClientProvider == null) {
-				authorizedClientProvider = new PasswordReactiveOAuth2AuthorizedClientProvider();
-			}
-
-			ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = getBeanOfType(
-					ResolvableType.forClassWithGenerics(ReactiveOAuth2AccessTokenResponseClient.class,
-							OAuth2PasswordGrantRequest.class));
-			if (accessTokenResponseClient != null) {
-				authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
-			}
-
-			return authorizedClientProvider;
-		}
-
 		private ReactiveOAuth2AuthorizedClientProvider getJwtBearerAuthorizedClientProvider(
 				Collection<ReactiveOAuth2AuthorizedClientProvider> authorizedClientProviders) {
 			JwtBearerReactiveOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(

config/src/main/java/org/springframework/security/config/http/OAuth2AuthorizedClientManagerRegistrar.java

@@ -43,13 +43,11 @@
 import org.springframework.security.oauth2.client.JwtBearerOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
-import org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
-import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
@@ -78,7 +76,6 @@ final class OAuth2AuthorizedClientManagerRegistrar implements BeanDefinitionRegi
 			AuthorizationCodeOAuth2AuthorizedClientProvider.class,
 			RefreshTokenOAuth2AuthorizedClientProvider.class,
 			ClientCredentialsOAuth2AuthorizedClientProvider.class,
-			PasswordOAuth2AuthorizedClientProvider.class,
 			JwtBearerOAuth2AuthorizedClientProvider.class,
 			TokenExchangeOAuth2AuthorizedClientProvider.class
 	);
@@ -133,7 +130,6 @@ private OAuth2AuthorizedClientManager getAuthorizedClientManager() {
 			authorizedClientProviders.add(getAuthorizationCodeAuthorizedClientProvider(authorizedClientProviderBeans));
 			authorizedClientProviders.add(getRefreshTokenAuthorizedClientProvider(authorizedClientProviderBeans));
 			authorizedClientProviders.add(getClientCredentialsAuthorizedClientProvider(authorizedClientProviderBeans));
-			authorizedClientProviders.add(getPasswordAuthorizedClientProvider(authorizedClientProviderBeans));
 
 			OAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider = getJwtBearerAuthorizedClientProvider(
 					authorizedClientProviderBeans);
@@ -225,24 +221,6 @@ private OAuth2AuthorizedClientProvider getClientCredentialsAuthorizedClientProvi
 		return authorizedClientProvider;
 	}
 
-	private OAuth2AuthorizedClientProvider getPasswordAuthorizedClientProvider(
-			Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
-		PasswordOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(
-				authorizedClientProviders, PasswordOAuth2AuthorizedClientProvider.class);
-		if (authorizedClientProvider == null) {
-			authorizedClientProvider = new PasswordOAuth2AuthorizedClientProvider();
-		}
-
-		OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = getBeanOfType(
-				ResolvableType.forClassWithGenerics(OAuth2AccessTokenResponseClient.class,
-						OAuth2PasswordGrantRequest.class));
-		if (accessTokenResponseClient != null) {
-			authorizedClientProvider.setAccessTokenResponseClient(accessTokenResponseClient);
-		}
-
-		return authorizedClientProvider;
-	}
-
 	private OAuth2AuthorizedClientProvider getJwtBearerAuthorizedClientProvider(
 			Collection<OAuth2AuthorizedClientProvider> authorizedClientProviders) {
 		JwtBearerOAuth2AuthorizedClientProvider authorizedClientProvider = getAuthorizedClientProviderByType(

config/src/test/java/org/springframework/security/config/annotation/web/configuration/OAuth2AuthorizedClientManagerConfigurationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,11 +20,7 @@
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.Collections;
-import java.util.HashMap;
 import java.util.HashSet;
-import java.util.Map;
-import java.util.Objects;
-import java.util.function.Consumer;
 
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
@@ -48,21 +44,18 @@
 import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
-import org.springframework.security.oauth2.client.PasswordOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider;
 import org.springframework.security.oauth2.client.endpoint.AbstractOAuth2AuthorizationGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.JwtBearerGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
 import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
-import org.springframework.security.oauth2.client.endpoint.OAuth2PasswordGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
 import org.springframework.security.oauth2.client.endpoint.TokenExchangeGrantRequest;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
@@ -71,13 +64,11 @@
 import org.springframework.security.oauth2.core.OAuth2Error;
 import org.springframework.security.oauth2.core.TestOAuth2RefreshTokens;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
-import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
 import org.springframework.security.oauth2.core.endpoint.TestOAuth2AccessTokenResponses;
 import org.springframework.security.oauth2.jwt.JoseHeaderNames;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.jwt.JwtClaimNames;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
-import org.springframework.util.StringUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
@@ -237,50 +228,6 @@ private void testClientCredentialsGrant() {
 		assertThat(grantRequest.getGrantType()).isEqualTo(AuthorizationGrantType.CLIENT_CREDENTIALS);
 	}
 
-	@Test
-	public void authorizeWhenPasswordAccessTokenResponseClientBeanThenUsed() {
-		this.spring.register(CustomAccessTokenResponseClientsConfig.class).autowire();
-		testPasswordGrant();
-	}
-
-	@Test
-	public void authorizeWhenPasswordAuthorizedClientProviderBeanThenUsed() {
-		this.spring.register(CustomAuthorizedClientProvidersConfig.class).autowire();
-		testPasswordGrant();
-	}
-
-	private void testPasswordGrant() {
-		OAuth2AccessTokenResponse accessTokenResponse = TestOAuth2AccessTokenResponses.accessTokenResponse().build();
-		given(MOCK_RESPONSE_CLIENT.getTokenResponse(any(OAuth2PasswordGrantRequest.class)))
-			.willReturn(accessTokenResponse);
-
-		TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password");
-		ClientRegistration clientRegistration = this.clientRegistrationRepository.findByRegistrationId("facebook");
-		// @formatter:off
-		OAuth2AuthorizeRequest authorizeRequest = OAuth2AuthorizeRequest
-				.withClientRegistrationId(clientRegistration.getRegistrationId())
-				.principal(authentication)
-				.attribute(HttpServletRequest.class.getName(), this.request)
-				.attribute(HttpServletResponse.class.getName(), this.response)
-				.build();
-		// @formatter:on
-		this.request.setParameter(OAuth2ParameterNames.USERNAME, "user");
-		this.request.setParameter(OAuth2ParameterNames.PASSWORD, "password");
-		OAuth2AuthorizedClient authorizedClient = this.authorizedClientManager.authorize(authorizeRequest);
-		assertThat(authorizedClient).isNotNull();
-
-		ArgumentCaptor<OAuth2PasswordGrantRequest> grantRequestCaptor = ArgumentCaptor
-			.forClass(OAuth2PasswordGrantRequest.class);
-		verify(MOCK_RESPONSE_CLIENT).getTokenResponse(grantRequestCaptor.capture());
-
-		OAuth2PasswordGrantRequest grantRequest = grantRequestCaptor.getValue();
-		assertThat(grantRequest.getClientRegistration().getRegistrationId())
-			.isEqualTo(clientRegistration.getRegistrationId());
-		assertThat(grantRequest.getGrantType()).isEqualTo(AuthorizationGrantType.PASSWORD);
-		assertThat(grantRequest.getUsername()).isEqualTo("user");
-		assertThat(grantRequest.getPassword()).isEqualTo("password");
-	}
-
 	@Test
 	public void authorizeWhenJwtBearerAccessTokenResponseClientBeanThenUsed() {
 		this.spring.register(CustomAccessTokenResponseClientsConfig.class).autowire();
@@ -400,11 +347,6 @@ OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCrede
 			return new MockAccessTokenResponseClient<>();
 		}
 
-		@Bean
-		OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> passwordTokenResponseClient() {
-			return new MockAccessTokenResponseClient<>();
-		}
-
 		@Bean
 		OAuth2AccessTokenResponseClient<JwtBearerGrantRequest> jwtBearerTokenResponseClient() {
 			return new MockAccessTokenResponseClient<>();
@@ -440,13 +382,6 @@ ClientCredentialsOAuth2AuthorizedClientProvider clientCredentialsProvider() {
 			return authorizedClientProvider;
 		}
 
-		@Bean
-		PasswordOAuth2AuthorizedClientProvider passwordProvider() {
-			PasswordOAuth2AuthorizedClientProvider authorizedClientProvider = new PasswordOAuth2AuthorizedClientProvider();
-			authorizedClientProvider.setAccessTokenResponseClient(new MockAccessTokenResponseClient<>());
-			return authorizedClientProvider;
-		}
-
 		@Bean
 		JwtBearerOAuth2AuthorizedClientProvider jwtBearerAuthorizedClientProvider() {
 			JwtBearerOAuth2AuthorizedClientProvider authorizedClientProvider = new JwtBearerOAuth2AuthorizedClientProvider();
@@ -479,11 +414,6 @@ ClientRegistrationRepository clientRegistrationRepository() {
 							.clientSecret("github-client-secret")
 							.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
 							.build(),
-					CommonOAuth2Provider.FACEBOOK.getBuilder("facebook")
-							.clientId("facebook-client-id")
-							.clientSecret("facebook-client-secret")
-							.authorizationGrantType(AuthorizationGrantType.PASSWORD)
-							.build(),
 					CommonOAuth2Provider.OKTA.getBuilder("okta")
 							.clientId("okta-client-id")
 							.clientSecret("okta-client-secret")
@@ -505,26 +435,6 @@ OAuth2AuthorizedClientRepository authorizedClientRepository() {
 			return mock(OAuth2AuthorizedClientRepository.class);
 		}
 
-		@Bean
-		Consumer<DefaultOAuth2AuthorizedClientManager> authorizedClientManagerConsumer() {
-			return (authorizedClientManager) -> authorizedClientManager
-				.setContextAttributesMapper((authorizeRequest) -> {
-					HttpServletRequest request = Objects
-						.requireNonNull(authorizeRequest.getAttribute(HttpServletRequest.class.getName()));
-					String username = request.getParameter(OAuth2ParameterNames.USERNAME);
-					String password = request.getParameter(OAuth2ParameterNames.PASSWORD);
-
-					Map<String, Object> attributes = Collections.emptyMap();
-					if (StringUtils.hasText(username) && StringUtils.hasText(password)) {
-						attributes = new HashMap<>();
-						attributes.put(OAuth2AuthorizationContext.USERNAME_ATTRIBUTE_NAME, username);
-						attributes.put(OAuth2AuthorizationContext.PASSWORD_ATTRIBUTE_NAME, password);
-					}
-
-					return attributes;
-				});
-		}
-
 	}
 
 	private static class MockAccessTokenResponseClient<T extends AbstractOAuth2AuthorizationGrantRequest>