Remove deprecated implementations of OAuth2AccessTokenResponseClient #16909

sjohnr opened this issue Apr 8, 2025 · 7 comments
Labels
in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement
Comments

@sjohnr
Contributor

sjohnr commented Apr 8, 2025

With the 6.4 release, a new set of OAuth2AccessTokenResponseClient implementations was introduced based on RestClient. These are:

  • RestClientAuthorizationCodeTokenResponseClient
  • RestClientRefreshTokenTokenResponseClient
  • RestClientClientCredentialsTokenResponseClient
  • RestClientJwtBearerTokenResponseClient
  • RestClientTokenExchangeTokenResponseClient

These implementations are drop-in replacements for the RestOperations-based implementations which have been deprecated. These are:

  • DefaultAuthorizationCodeTokenResponseClient
  • DefaultRefreshTokenTokenResponseClient
  • DefaultClientCredentialsTokenResponseClient
  • DefaultPasswordTokenResponseClient
  • DefaultJwtBearerTokenResponseClient
  • DefaultTokenExchangeTokenResponseClient

Note that the DefaultPasswordTokenResponseClient does not have a replacement, as it is deprecated for removal for separate reasons (it should not be used according to RFC 9700).

The following checklist should be used to help validate removal:

  • Remove Default* deprecated classes above and replace usages in the framework with the RestClient*
  • Remove AbstractOAuth2AuthorizationGrantRequestEntityConverter and all deprecated subclasses and their usages
  • ClientAuthenticationMethodValidatingRequestEntityConverter should also be removed
  • All related tests; Note that tests in spring-security-config should remain mostly unchanged, though some may need to be updated to customize RestClient instead of RestTemplate

Related gh-15298

@sjohnr sjohnr added in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: breaks-passivity A change that breaks passivity with the previous release type: enhancement A general enhancement labels Apr 8, 2025
@sjohnr sjohnr modified the milestones: 7.0.x, 7.0.0-M1 Apr 8, 2025
@MammosGeorgios

MammosGeorgios commented Apr 8, 2025

Hi! Could I give this a try?
If I understand correctly, we want to replace any usages of Default* with RestClient*, like the following change

[image]

DefaultPasswordTokenResponseClient seems to be used only in Deprecated methods, so I assume that we leave those as they are.

Edit: If we are deleting all Default* classes, then the previous sentence makes sense, as we want to remove those Deprecated methods.

@sjohnr
Contributor Author

sjohnr commented Apr 9, 2025

Hi @MammosGeorgios. I'm mainly filing this issue now so we have it on the radar in time to begin the cycle on 7.0.x in May or June (whenever we switch over to 7.x development). So this issue isn't quite ready to be worked yet. If you want to check in a few weeks after the GA release of 6.5.0 that would be great!

Please note, I've edited the issue to be clearer about the fact that all associated deprecated classes should also be removed.

@MammosGeorgios

Hello @sjohnr. I will check in periodically and keep an eye out for when you start the development of 7.x
Been meaning to give open source a proper try for some time now, and this seems like a relatively simple issue to get started.

In the meantime, I will check out if there's something else I could perhaps try.

@sjohnr
Contributor Author

sjohnr commented Apr 9, 2025

Sounds good @MammosGeorgios. You can also check status: ideal-for-contribution label and reach out on an issue you find there.

@gdufrene

How to implement client_secret_jwt and private_key_jwt with those new classes?
AbstractRestClientOAuth2AccessTokenResponseClient restricts usage to none, client_secret_basic or client_secret_post.
And it's not easy to override the check because requestEntityConverter is private and cannot be set.

Documentation suggests to use DefaultClientCredentialsTokenResponseClient and override the request converter ...

@sjohnr
Contributor Author

sjohnr commented Apr 11, 2025

@gdufrene thanks for pointing that out. I have neglected to update that section of the documentation. I have opened gh-16925 to address this.

In the meantime, see Customizing Request Headers and Customizing Request Parameters for the client credentials grant.

TL;DR You can use the same methods for customizing directly on RestClientClientCredentialsTokenResponseClient that you previously used for OAuth2ClientCredentialsGrantRequestEntityConverter.
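One way to wire private_key_jwt and client_secret_jwt into the RestClient-based client along the lines sjohnr describes, as an added example that is not code from this issue or from Spring Security itself; it relies on NimbusJwtClientAuthenticationParametersConverter (a real Spring Security class not named on this page) and assumes a hypothetical injected RSAKey for the private-key case:

```java
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.function.Function;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

@Configuration
public class JwtClientAuthConfig {
	// Hypothetical: the RSA key pair used for private_key_jwt, loaded from a keystore or secrets manager
	private final RSAKey signingKey;

	public JwtClientAuthConfig(RSAKey signingKey) {
		this.signingKey = signingKey;
	}

	@Bean
	public OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> accessTokenResponseClient() {
		// Choose the key that signs the client_assertion from the registration's client authentication method
		Function<ClientRegistration, JWK> jwkResolver = (registration) -> {
			ClientAuthenticationMethod method = registration.getClientAuthenticationMethod();
			if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)) {
				return this.signingKey; // asymmetric: RS256 assertion verified against the client's public key
			}
			if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
				// symmetric: HS256 assertion keyed with the client secret
				SecretKeySpec secret = new SecretKeySpec(
						registration.getClientSecret().getBytes(StandardCharsets.UTF_8), "HmacSHA256");
				return new OctetSequenceKey.Builder(secret).keyID(UUID.randomUUID().toString()).build();
			}
			return null; // client_secret_basic / client_secret_post / none keep the default parameters
		};

		RestClientClientCredentialsTokenResponseClient client = new RestClientClientCredentialsTokenResponseClient();
		// Same hook OAuth2ClientCredentialsGrantRequestEntityConverter exposed: the converter appends
		// client_assertion_type and the signed client_assertion to the token request parameters
		client.addParametersConverter(new NimbusJwtClientAuthenticationParametersConverter<>(jwkResolver));
		return client;
	}
}
```

The converter sets the parameters only when jwkResolver returns a key, so registrations using basic or post authentication are unaffected by the same bean.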

@gdufrene

@sjohnr thanks for your reply and documentation update! It will help us :)
