Expected BehaviorWhen using the @RegisteredOAuth2AuthorizedClient or OAuth2AuthorizedClient I would like to use the OIDC...

SummaryThe ActiveDirectoryLdapAuthenticationProvider is final and does not use an AuthoritiesPopulator and LdapAuthentic...

Describe the bugUsing @PreAuthorize annotation on Class is not found when method is declared on superclass.To ReproduceT...

public abstract class AbstractController { @GetMapping("/get") public String get() { return &quot...

Expected BehaviorCan customize and set callback method in BasicAuthenticationFilter. (Such as logging, saving audit log ...

Expected BehaviorAdd a constructor with AuthenticationProvider as a factor to the DaoAuthenticationProvider classCurrent...

Expected BehaviorIt should be possible to add a custom ServerHttpHeadersWriter with Kotlin DSL, something likehttp { ...

Describe the bugSSE Configrole for token was: normal;but when i use StreamingResponseBody to send response, (when stream...

Nearly every application needs to override Spring Security's default authorization rule that all requests require the th...

Nimbus has deprecated RemoteJWKSet in favor of using JWKSourceBuilderBy association, JWKSetCache is also deprecated. Sin...

To ensure backward compatibility, Security components that implement Serializable should have a serialVersionUID.Based o...

Describe the bugWith 6.4.0, especially with this commit: https://github.com/spring-projects/spring-security/commit/ee9a8...

Describe the bugAs a Serializable class, DefaultSaml2AuthenticatedPrincipal should define serialVersionUID to avoid unne...

In the current version of Spring Security (version 6.4), a changed behavior occurs when using the @AuthenticationPrincip...

In 5.5, a change was made to disallow decryption unless the SAML 2.0 response is signed. Since this is a breaking change...

Describe the bugI implemented a rotating JWKS using Redis, where a new JWK is generated at regular intervals, and the ol...

Saml2AuthenticationToken implements Serializable, but cannot be serialized due to RelyingPartyRegistration, one of its m...

Expected BehaviorRFC 9126 introduces pushed authorization requests (PAR) for OAuth. In essence, pushed authorization req...

This theme will focus on providing consistency for Servlet and Reactive applications that use OAuth2 Client features. Ex...

We should align (Server|Servlet)OAuth2AuthorizedClientExchangeFilterFunction with OAuth2ClientHttpRequestInterceptor whi...