Need to add public modifier to setClock method in InMemoryOneTimeTokenService.Comment From: rwinchClosing in favor of gh...

I have recently integrated Token Exchange into my project as I need to perform long-lived background tasks on behalf of ...

Similar to OAuth2ClientHttpRequestInterceptor.ClientRegistrationIdResolver, we need a way to customize how the principal...

Hi,I upgraded from 5.7.x to 5.8.0 and replaced the deprecated antMatchers(String...) with requestMatchers(String...) as ...

I am configuring a bean of type SecurityFilterChain in a very simple spring boot application with jsp .URI's like / or /...

I'm using spring boot 3.3.1/spring security with oauth2. My Oauth2 / OIDC Provider is behind an Http Proxy. I need to c...

I upgraded my multi module gradle(v8.2) project from spring 5.3.34 to spring 6.1.18In "core" module I have SpringWebSecu...

The current default in Spring Security is that all its observations--filter chain, authentication, and authorization--ar...

To configure which observations Security should make, it's needed to provide an ObservationPredicate. For example, in a ...

This feature will partially implement JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization...

Describe the bugJwtDecoderProviderConfigurationUtils use UriComponentsBuilder to modify a URI in oidc, oidcRfc8414 and o...

Describe the bugIn the xClaim command of Redisson, the validation is incorrectly applied to the idleTime parameter inste...

Spring Security 6.2.5Without any customization, the default RequestCache is HttpSessionRequestCache (created by private ...

Describe the bugSpring Security documentation: CORS provides an example on how to configure CORS using a @Bean of type C...

The OAuth 2.0 for Browser-Based Apps draft outlines the use of an HTTP-Only cookie to resolve the bearer token when the ...

Expected BehaviorUsers should be able to specify a SpEL expression on the JwtGrantedAuthoritiesConverter to extract the ...

Internal to many of Spring Security's configuration classes is a technique for ensuring that it only uses beans with a u...

Given #15816, it may be easier to make Spring Security's bean resolution policy more consistent.Reports like #15751 and ...

Expected BehaviorJust like OAuth2LoginSpec, OAuth2ClientSpec should get ReactiveOAuth2AccessTokenResponseClient from Spr...

Describe the bugI'm overriding the authenticationManager method from the WebSecurityConfigurerAdapter in order to create...