Issues targeted for 5.0

[jgrandja]

The following issues are required to be completed for 5.0 release:

• Revisit oauth2 module structure #4297 Revisit oauth2 module structure

• Re-structure OAuth2AuthenticationToken #4553 Re-structure OAuth2AuthenticationToken

• OAuth2AuthenticationToken.ClientRegistration -> AuthorizedClient #4520 OAuth2AuthenticationToken.ClientRegistration -> AuthorizedClient

• Introduce OIDC Client and User Authentication #4521 Introduce OIDC Client and User Authentication

• Move additionalParameters to TokenResponseAttributes #4554 Move additionalParameters to TokenResponseAttributes

• Remove OAuth2AuthenticationToken.AccessToken #4522 Remove OAuth2AuthenticationToken.AccessToken

• Split up NimbusOAuth2UserService #4447 Split up NimbusOAuth2UserService

• Retrieving the UserInfo should be optional #4451 Retrieving the UserInfo should be optional

• Upgrade Nimbus dependencies #4547 Upgrade Nimbus dependencies

• ClientRegistration.clientAlias -> registrationId #4575 ClientRegistration.clientAlias -> registrationId

• AuthorizationCodeAuthenticationProcessingFilter -> favor query request matching #4576 AuthorizationCodeAuthenticationProcessingFilter -> favor query request matching

• Remove ProviderJwtDecoderRegistry #4581 Remove ProviderJwtDecoderRegistry

• ClientRegistration Support baseUrl in template #4589 ClientRegistration Support baseUrl in template

• Authorization Code Grant flow should support AccessToken only #4513 Authorization Code Grant flow should support AccessToken only

• Extract Validation/Authentication Logic in AuthorizationCodeAuthenticationProcessingFilter #4590 Extract Validation/Authentication Logic in AuthorizationCodeAuthenticationProcessingFilter

• Provide support for implicit grant #4500 Provide support for implicit grant

• LoginPage for OAuth2 #4570 LoginPage for OAuth2

• Externalize error codes from OAuth2Error #4606 Externalize error codes from OAuth2Error

• Remove Package Tangles #4614 Remove Package Tangles

• Consider renaming spring-security-jwt-jose #4595 Consider renaming spring-security-jwt-jose

• Getting NotSerializableExceptio when use spring-security-oauth2-client and spring-session together #4627 Getting NotSerializableExceptio when use spring-security-oauth2-client and spring-session together

• Ensure ID Token Validation #4440 Ensure ID Token Validation

• Verify UserInfoResponse sub claim with IDToken sub claim #4441 Verify UserInfoResponse sub claim with IDToken sub claim

• Consider adding nonce to OIDC Authentication Request #4442 Consider adding nonce to Authentication Request

• Provide oauth2Login sample for PWS #4406 Provide oauth2Login sample for PWS

• Add unit tests to oauth2-core #4298 Add unit tests to oauth2-core

• Add unit tests to oauth2-client #4299 Add unit tests to oauth2-client

• Create migration guide for OAuth client #4494 Create migration guide

[adolfoweloy]

@jgrandja, as per the Spring Security 5.0.0 M1 release blog post, the initial support would be primarily focused on the OAuth Client role.
I would like to know if there is any backlog data about OAuth Server roles (Authorization Server and Resource Server) regarding the first RELEASE version.

[jgrandja]

@adolfoweloy We are planning a 5.1 release not too far after the 5.0 release which will provide the Resource Server role functionality. The Authorization Server role functionality will follow that but will be a much bigger undertaking and therefore require more time and effort before that is released.

[adolfoweloy]

@jgrandja I have cloned spring-security-oauth (https://github.com/adolfoweloy/spring-security-oauth/issues) project and as I am exploring it I am creating some issues. These are some features that I would appreciate as user of this project and that I think would add value as well.

I would like to know if I could share these issues here or on spring-security-oauth (or none of these projects as well). And of course, if I could help with some contribution with code I would appreciate.

[jgrandja]

@adolfoweloy We are only focusing on bug fixes and minor improvements for the spring-security-oauth project and are limiting new features. If these issues can be merged without breaking any of the public API's that I can take a look at it.

However, our efforts are primarily focused on the new OAuth/OIDC support we're building into Spring Security 5. We always welcome contributions so please feel free especially with the new OAuth/OIDC support.

[duergner]

@jgrandja is there already a issue list / feature spec for the ResourceServer part you are planning on the 5.1 release? I would be really interested in having a look there and see whether this is something I (and maybe some colleagues) can contribute to.

[jgrandja]

@duergner I haven't started planning the Resource Server features for 5.1 as of yet. I'll definitely keep you in the loop when I start the planning which should be in about 3-4 weeks time. And that would be great if you can help contribute as well. Will ping you when I start logging issues. Thanks!