UserAuthorities is a new core interface similar to UserDetails. The difference is that UserAuthorities does not include password/credentials information. This is helpful for scenarios where a password is not required. Right now UserDetails is leveraged for x509 and CAS, which don't require passwords, but passkeys and one-time tokens are yet another place where it is strange to have UserDetails linked to them.

Ideally, UserDetails should extend UserAuthorities and UserDetailsService should extend UserAuthoritiesRepository.

Comment From: marcusdacoregio

There are a few places where UserDetails is leveraged but a password is not required:

  • CasAuthenticationProvider
  • PreAuthenticatedAuthenticationProvider
  • UserDetailsServiceLdapAuthoritiesPopulator
  • OneTimeTokenAuthenticationProvider (new)
  • PersistentTokenBasedRememberMeServices
  • SwitchUserFilter

However, it is not clear yet what will be the impacts of switching from UserDetails to UserAuthorities on those places and others. We should also consider whether the boolean properties in UserDetails should be moved to UserAuthorities.

Another alternative is to make it very explicit that the UserDetails#getPassword can be null.

With that said, I'll close https://github.com/spring-projects/spring-security/pull/15432 for now because we need more time to figure that out.
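As an added sketch of the two alternatives discussed in this thread (this is not code from the issue authors or from Spring Security), the proposed hierarchy and a password-less provider built on it, next to a password provider that treats a null UserDetails#getPassword as an explicit, fail-closed case. The names UserAuthorities, UserDetails, UserDetailsService and UserAuthoritiesRepository are the ones from the issue; SimpleUser, VerifiedPrincipalProvider, PasswordProvider, the String-typed authorities and the in-memory user map are my own simplifications and constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Local stand-ins for the interfaces discussed in the issue (not Spring
// Security's own types); authorities are simplified to plain Strings.
interface UserAuthorities {
    String getUsername();
    Collection<String> getAuthorities();
}

// UserDetails extends UserAuthorities and only adds the credential.
interface UserDetails extends UserAuthorities {
    // Under the "explicit null" alternative this may be null for principals
    // that never had a password (x509, CAS, passkeys, one-time tokens).
    String getPassword();
}

interface UserAuthoritiesRepository {
    Optional<UserAuthorities> findByUsername(String username);
}

// UserDetailsService extends UserAuthoritiesRepository, so an existing
// UserDetailsService can be handed to a password-less provider unchanged.
interface UserDetailsService extends UserAuthoritiesRepository {
    UserDetails loadUserByUsername(String username);

    @Override
    default Optional<UserAuthorities> findByUsername(String username) {
        return Optional.ofNullable(loadUserByUsername(username));
    }
}

// Hypothetical user type backing the constructed sample data below.
record SimpleUser(String username, String password, List<String> authorities) implements UserDetails {
    public String getUsername() { return username; }
    public String getPassword() { return password; }
    public Collection<String> getAuthorities() { return authorities; }
}

// A provider in the position of the one-time-token or pre-authenticated flows:
// identity is already verified and only authorities are needed. Depending on
// UserAuthoritiesRepository means there is no password to consult, so there is
// no null password to mishandle.
final class VerifiedPrincipalProvider {
    private final UserAuthoritiesRepository repository;
    VerifiedPrincipalProvider(UserAuthoritiesRepository repository) { this.repository = repository; }

    Collection<String> authenticate(String verifiedUsername) {
        return repository.findByUsername(verifiedUsername)
                .map(UserAuthorities::getAuthorities)
                .orElseThrow(() -> new IllegalArgumentException("unknown user"));
    }
}

// The other alternative from the thread: keep UserDetails everywhere and make a
// null password an explicit, handled case. A password provider must reject a
// password-less principal rather than NPE or compare against an empty string.
final class PasswordProvider {
    private final UserDetailsService service;
    PasswordProvider(UserDetailsService service) { this.service = service; }

    boolean authenticate(String username, String presented) {
        UserDetails user = service.loadUserByUsername(username);
        if (user == null || user.getPassword() == null) {
            return false; // no credential on file: fail closed
        }
        // Constant-time comparison; a real provider delegates to PasswordEncoder
        // against a hashed value instead of comparing plaintext.
        return MessageDigest.isEqual(
                user.getPassword().getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }
}

public class UserAuthoritiesDemo {
    public static void main(String[] args) {
        // Constructed sample users: alice has a password, bob is passkey-only.
        Map<String, UserDetails> users = new HashMap<>();
        users.put("alice", new SimpleUser("alice", "s3cret", List.of("ROLE_USER")));
        users.put("bob", new SimpleUser("bob", null, List.of("ROLE_ADMIN")));
        UserDetailsService service = users::get;

        // Password-less flow works for both users through the repository view.
        VerifiedPrincipalProvider tokenProvider = new VerifiedPrincipalProvider(service);
        System.out.println("bob via token: " + tokenProvider.authenticate("bob"));

        // Password flow: alice succeeds, bob (no password) is rejected, not NPE'd.
        PasswordProvider passwordProvider = new PasswordProvider(service);
        System.out.println("alice password: " + passwordProvider.authenticate("alice", "s3cret"));
        System.out.println("bob password: " + passwordProvider.authenticate("bob", ""));
    }
}
```

The point of the split is visible in the two providers: the one typed against UserAuthoritiesRepository cannot reach a password at all, while the one typed against UserDetailsService has to remember the null check itself, which is exactly the burden the "explicit null" alternative leaves on every call site in the list above.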