You cannot use `.block()` because it subscribes and does not have the security context as part of the subscriber con...

Describe the bugValid/existing error page is blocked by Spring Security with filter invocation [/public/error/error.jsf]...

Upon migrating an application to Spring Boot 3 I found that security config had stopped working.I went through all the m...

We should rewrite the Spring Security documentation.Comment From: spring-projects-issuesStefan Haberl said:There's a sma...

Describe the bugPasswordOAuth2AuthorizedClientProvider doesn't take refresh token expiry into account. PasswordOAuth2Aut...

When going GA, the release automation should create the appropriate for: backport-to-x.y.z label.Comment From: marcusdac...

Describe the bugSetting up spring security, I have a security config that uses http basic auth. I have two users; rob, w...

Describe the bugIf a check via the Secured Annotation fails, the spring event: AuthorizationFailureEvent is published. I...

Expected BehaviorAs Spring Security 6 is now using Java 17, we could provide more deprecation metadata thanks to the @De...

For Webflux applications, if the security configuration is configured with .cors() and there is no bean of type CorsConf...

Add support for sending bearer token in the POST body.Note that reading the request body would be a blocking operation, ...

Related to https://github.com/spring-projects/spring-security/issues/5200 and https://github.com/spring-projects/spring-...

Describe the bugIf both a HTTP basic authentication and a form login are defined, unauthenticated requests are redirecte...

Javadoc says ExpressionAuthorizationDecision was introduced since 5.6.But in reality it was introduced in 5.8.See source...

Describe the bugOur attempt to certify our OIDC support with OpenID failed because Spring Security OIDC doesn't support ...

This ticket is created based on this comment.Expected BehaviorClaimAccessor#getClaim() and ClaimAccessor#getClaimAsStrin...

Describe the bugDocumentation of org.springframework.core.convert.converter.Converter#convert clearly says "never null":...

Describe the bugWhen the authorization server returns 401 for invalid refresh token, authorized client detail is not get...

When calling loadAuthorizedClient on ReactiveOAuth2AuthorizedClientService, loadAuthorizedClient returns a Mono<OAuth...

Describe the bugEvery thread will modify the context, lead to the accessToken is modified by another thread，and get a e...