Presently, there isn't a built-in mechanism to upgrade the encoding on an OAuth2 Client outside of simply outright changing the credential. I think it would be a tremendous addition to allow the PasswordEncoder.upgradeEncoding(String) method to be called upon successfully authenticating the OAuth2 client. This would then enable usage of a DelegatingPasswordEncoder to be able to transition the encoding of secrets from one encoder to another.
Initially looking, this seems like it would happen here:
```java
if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
```
Maybe something like:
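```java
if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
    throwInvalidClient(OAuth2ParameterNames.CLIENT_SECRET);
} else if (this.passwordEncoder.upgradeEncoding(registeredClient.getClientSecret())) {
    // upgradeEncoding(String) takes the stored (encoded) secret and returns a boolean,
    // so re-encode the presented raw secret with the current encoder and persist it.
    RegisteredClient updated = RegisteredClient.from(registeredClient)
            .clientSecret(this.passwordEncoder.encode(clientSecret))
            .build();
    this.registeredClientRepository.save(updated);
}
```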
spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java
Line 116 in eae6630
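The transition this issue asks for, as an added example that is not part of the original issue or the project's code: a stored secret in a legacy encoding is verified, then re-encoded with the delegating encoder's current scheme on the first successful authentication. It assumes spring-security-crypto and its dependencies are on the classpath; the in-memory map is a hypothetical stand-in for a RegisteredClientRepository, and the client id and secret are constructed.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class SecretUpgradeDemo {

    // Default delegating encoder: encodes with bcrypt, still verifies older ids such as {noop}.
    private static final PasswordEncoder ENCODER =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Hypothetical stand-in for the client repository: client id -> encoded secret.
    private static final Map<String, String> STORE = new HashMap<>();

    /** Returns true if the presented secret matches; re-encodes the stored value when outdated. */
    static boolean authenticate(String clientId, String presentedSecret) {
        String stored = STORE.get(clientId);
        if (stored == null || !ENCODER.matches(presentedSecret, stored)) {
            return false; // a failed attempt never modifies the stored value
        }
        // upgradeEncoding takes the ENCODED value and reports whether it should be re-encoded.
        if (ENCODER.upgradeEncoding(stored)) {
            STORE.put(clientId, ENCODER.encode(presentedSecret));
        }
        return true;
    }

    private static void check(boolean condition, String what) {
        if (!condition) {
            throw new IllegalStateException("check failed: " + what);
        }
    }

    public static void main(String[] args) {
        STORE.put("demo-client", "{noop}demo-secret"); // constructed legacy record

        check(!authenticate("demo-client", "wrong"), "wrong secret is rejected");
        check(STORE.get("demo-client").startsWith("{noop}"), "rejection leaves record unchanged");
        check(authenticate("demo-client", "demo-secret"), "correct secret is accepted");
        check(STORE.get("demo-client").startsWith("{bcrypt}"), "record re-encoded after success");
        check(!ENCODER.upgradeEncoding(STORE.get("demo-client")), "no further upgrade needed");
        check(authenticate("demo-client", "demo-secret"), "secret still valid after upgrade");
        System.out.println("all checks passed");
    }
}
```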