Add documentation for custom OAuth2 client_credentials request fields #17235

pat-mccusker
Contributor

Closes gh-16605

While the process for adding these custom indicators is in retrospect pretty straightforward, it took me a bit of time to conceptually put it all together and so I thought it wouldn't hurt to add some documentation for it.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jun 11, 2025
@jgrandja
Contributor

Thanks for the PR @pat-mccusker. However, it doesn't make sense to add this documentation and code sample for Resource Indicators for OAuth 2.0 given that the feature is not even implemented.

Feel free to add the full code sample to gh-16605. I'll leave the issue open for now but will close this PR.

As an FYI, I don't see Resource Indicators for OAuth 2.0 being supported anytime soon as it doesn't appear there is much demand for it and we have a number of higher priority items on our list for the major release of Spring Security 7.0 and Spring Authorization Server 2.0.

@jgrandja jgrandja closed this Jun 12, 2025
@jgrandja jgrandja self-assigned this Jun 12, 2025
@jgrandja jgrandja added status: declined A suggestion or change that we don't feel we should currently apply in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Jun 12, 2025
@pat-mccusker
Contributor Author

@jgrandja When you say the feature is not implemented, are you referring to specifically on the resource server side? I ask because its not being supported on the client side was my reasoning for adding the example.

I still think it's a valid use case as some may want to interact with some non-spring resource server that does act on the resource or audience request parameter and it might not be immediately obvious how this could be done with minimal additions to the existing client configuration.

@jgrandja
Contributor

@pat-mccusker

> When you say the feature is not implemented, are you referring to specifically on the resource server side?

I'm referring to both resource server AND client side, as all OAuth2 flows involve at least the 2 parties and also the AS in other flows.

Either way, it's not supported on client and resource server side in Spring Security.

Furthermore, it's already documented on how to customize the authorization request or customize token request, which generally shows how one would add a custom parameter (e.g. resource or audience), and therefore I feel the PR adds more specific documentation but at the same time is a duplicate of what we already have.
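
An added example, not part of the thread or of the Spring Security documentation: one way to apply the token-request customization mentioned above so that each `client_credentials` request carries the `resource` parameter from RFC 8707, pinned per client registration so a token is requested for one resource server only. It assumes Spring Security 6.4 or later (where `RestClientClientCredentialsTokenResponseClient` is available) and that the published bean is used by the application's authorized-client manager; the class name, registration ids and URIs are hypothetical.

```java
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2ClientCredentialsGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientClientCredentialsTokenResponseClient;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.util.MultiValueMap;

@Configuration
public class ResourceIndicatorTokenRequestConfig {

    // Hypothetical registration ids, each mapped to the single resource server
    // its access tokens are intended for (constructed sample values).
    private static final Map<String, String> RESOURCE_BY_REGISTRATION = Map.of(
            "inventory-client", "https://inventory.example.com/",
            "billing-client", "https://billing.example.com/");

    @Bean
    OAuth2AccessTokenResponseClient<OAuth2ClientCredentialsGrantRequest> clientCredentialsTokenResponseClient() {
        RestClientClientCredentialsTokenResponseClient client =
                new RestClientClientCredentialsTokenResponseClient();

        // addParametersConverter keeps the default parameters (grant_type, scope, ...)
        // and appends whatever this converter returns to the token request body.
        client.addParametersConverter(grantRequest -> {
            MultiValueMap<String, String> extra = new LinkedMultiValueMap<>();
            String registrationId = grantRequest.getClientRegistration().getRegistrationId();
            String resource = RESOURCE_BY_REGISTRATION.get(registrationId);
            if (resource != null) {
                // Registrations without a mapping send an unmodified token request.
                extra.add("resource", resource);
            }
            return extra;
        });
        return client;
    }
}
```

Whether the issued token is actually audience-restricted depends on the authorization server honoring `resource`; the resource server should still validate the `aud` claim of the tokens it accepts.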

Successfully merging this pull request may close these issues.

Allow setting Oauth 2.0 Resource Indicators in Oauth client calls