We should align (Server|Servlet)OAuth2AuthorizedClientExchangeFilterFunction with OAuth2ClientHttpRequestInterceptor whi...

Requires upgrading buildSrc in 5.8.x to use JDK 17 due to spring-security-release-plugin built against JDK 17.Related gh...

Describe the bugSince migrating to Spring Security 6, Calling APIs using simple jQuery/XHR with basic auth results in fi...

Based off of https://github.com/spring-projects/spring-security/issues/15155Cut the 6.4.x release branchUpdate SecurityN...

UpdatedWhen the HTTP Method is rejected MethodRejectedException will be thrown.NOTE: We are not going to do custom excep...

Spun out from #6219.We need the ability to apply a UserDetailsChecker to the OAuth2 Resource Server flows.My initial tho...

Describe the bugfollowing up the discussion in https://github.com/spring-cloud/spring-cloud-gateway/issues/3636, it's no...

RemoteJWKSet use synchronized for synchronization. But this will suspend the carrier thread.In some specific situations,...

Describe the bugWhen request wrapped by StrictServerWebExchangeFirewall / StrictFirewallHttpRequest is mutated, header s...

Describe the bug In the process of oidc authentication by default oauth2 client, I think DefaultOAuth2UserService#loadU...

Some of the code snippets in the documentation have separate sections for XML rather than placing it along with Java &am...

Describe the bugAs mentioned in gitter...My app currently runs on Spring Boot 2.7.4. I was testing compatibility with 3....

Expected BehaviorWhen we configure MessageMatcherDelegatingAuthorizationManager it should be possible to provide an inst...

Expected BehaviorNeed to have an ability to get access to a ServerHttpSecurity object after it has been instantiated in ...

Currently the web based authorization rules are specified in a specific order and the first rule that matches the reques...

Describe the bugObservationAuthorizationManager custom MessageSource implementation in AccessDeniedException message loc...

Describe the bugI'm trying to use Spring Security in combination with ACLs. I use PostgreSQL as my database and have use...

This issue is similar to #8453I'm using Spring Security 5.4.5. The placeholders in tag are not resolved. Hard-coded val...

RFC9449 introduces a way to constraint tokens (access_token, refresh_token) to a client provided pub key.For a resource ...

Describe the bugWhen upgrading Spring boot from 3.2.5 to Spring boot 3.3.0, which contains a new version of Spring secur...