Remove deprecated implicit authorization grant type

Closes gh-11506

config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/ImplicitGrantConfigurer.java

@@ -1,105 +0,0 @@
-/*
- * Copyright 2002-2020 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.springframework.security.config.annotation.web.configurers.oauth2.client;
-
-import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
-import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
-import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
-import org.springframework.util.Assert;
-
-/**
- * An {@link AbstractHttpConfigurer} for the OAuth 2.0 Implicit Grant type.
- *
- * <h2>Security Filters</h2>
- *
- * The following {@code Filter}'s are populated:
- *
- * <ul>
- * <li>{@link OAuth2AuthorizationRequestRedirectFilter}</li>
- * </ul>
- *
- * <h2>Shared Objects Created</h2>
- *
- * The following shared objects are populated:
- *
- * <ul>
- * <li>{@link ClientRegistrationRepository} (required)</li>
- * </ul>
- *
- * <h2>Shared Objects Used</h2>
- *
- * The following shared objects are used:
- *
- * <ul>
- * <li>{@link ClientRegistrationRepository}</li>
- * </ul>
- *
- * @author Joe Grandja
- * @since 5.0
- * @see OAuth2AuthorizationRequestRedirectFilter
- * @see ClientRegistrationRepository
- * @deprecated It is not recommended to use the implicit flow due to the inherent risks of
- * returning access tokens in an HTTP redirect without any confirmation that it has been
- * received by the client. See reference
- * <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0 Implicit
- * Grant</a>.
- */
-@Deprecated
-public final class ImplicitGrantConfigurer<B extends HttpSecurityBuilder<B>>
-		extends AbstractHttpConfigurer<ImplicitGrantConfigurer<B>, B> {
-
-	private String authorizationRequestBaseUri;
-
-	/**
-	 * Sets the base {@code URI} used for authorization requests.
-	 * @param authorizationRequestBaseUri the base {@code URI} used for authorization
-	 * requests
-	 * @return the {@link ImplicitGrantConfigurer} for further configuration
-	 */
-	public ImplicitGrantConfigurer<B> authorizationRequestBaseUri(String authorizationRequestBaseUri) {
-		Assert.hasText(authorizationRequestBaseUri, "authorizationRequestBaseUri cannot be empty");
-		this.authorizationRequestBaseUri = authorizationRequestBaseUri;
-		return this;
-	}
-
-	/**
-	 * Sets the repository of client registrations.
-	 * @param clientRegistrationRepository the repository of client registrations
-	 * @return the {@link ImplicitGrantConfigurer} for further configuration
-	 */
-	public ImplicitGrantConfigurer<B> clientRegistrationRepository(
-			ClientRegistrationRepository clientRegistrationRepository) {
-		Assert.notNull(clientRegistrationRepository, "clientRegistrationRepository cannot be null");
-		this.getBuilder().setSharedObject(ClientRegistrationRepository.class, clientRegistrationRepository);
-		return this;
-	}
-
-	@Override
-	public void configure(B http) {
-		OAuth2AuthorizationRequestRedirectFilter authorizationRequestFilter = new OAuth2AuthorizationRequestRedirectFilter(
-				OAuth2ClientConfigurerUtils.getClientRegistrationRepository(this.getBuilder()),
-				this.getAuthorizationRequestBaseUri());
-		http.addFilter(this.postProcess(authorizationRequestFilter));
-	}
-
-	private String getAuthorizationRequestBaseUri() {
-		return (this.authorizationRequestBaseUri != null) ? this.authorizationRequestBaseUri
-				: OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI;
-	}
-
-}

config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc

@@ -569,8 +569,8 @@ client-registration.attlist &=
 	## The method used to authenticate the client with the provider. The supported values are client_secret_basic, client_secret_post and none (public clients).
 	attribute client-authentication-method {"client_secret_basic" | "basic" | "client_secret_post" | "post" | "none"}?
 client-registration.attlist &=
-	## The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The supported values are authorization_code, client_credentials, password and implicit.
+	## The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The supported values are authorization_code, client_credentials and password.
-	attribute authorization-grant-type {"authorization_code" | "client_credentials" | "password" | "implicit"}?
+	attribute authorization-grant-type {"authorization_code" | "client_credentials" | "password"}?
 client-registration.attlist &=
 	## The client’s registered redirect URI that the Authorization Server redirects the end-user’s user-agent to after the end-user has authenticated and authorized access to the client.
 	attribute redirect-uri {xsd:token}?

config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd

@@ -1792,7 +1792,7 @@
       <xs:attribute name="authorization-grant-type">
          <xs:annotation>
             <xs:documentation>The OAuth 2.0 Authorization Framework defines four Authorization Grant types. The
-                supported values are authorization_code, client_credentials, password and implicit.
+                supported values are authorization_code, client_credentials and password.
                 </xs:documentation>
          </xs:annotation>
          <xs:simpleType>
@@ -1800,7 +1800,6 @@
                <xs:enumeration value="authorization_code"/>
                <xs:enumeration value="client_credentials"/>
                <xs:enumeration value="password"/>
-               <xs:enumeration value="implicit"/>
             </xs:restriction>
          </xs:simpleType>
       </xs:attribute>

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/OAuth2AuthorizationRequestDeserializer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -72,9 +72,6 @@ final class OAuth2AuthorizationRequestDeserializer extends JsonDeserializer<OAut
 		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
 			return OAuth2AuthorizationRequest.authorizationCode();
 		}
-		if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
-			return OAuth2AuthorizationRequest.implicit();
-		}
 		throw new JsonParseException(parser, "Invalid authorizationGrantType");
 	}
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/jackson2/StdConverters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -74,9 +74,6 @@ abstract class StdConverters {
 			if (AuthorizationGrantType.AUTHORIZATION_CODE.getValue().equalsIgnoreCase(value)) {
 				return AuthorizationGrantType.AUTHORIZATION_CODE;
 			}
-			if (AuthorizationGrantType.IMPLICIT.getValue().equalsIgnoreCase(value)) {
-				return AuthorizationGrantType.IMPLICIT;
-			}
 			if (AuthorizationGrantType.CLIENT_CREDENTIALS.getValue().equalsIgnoreCase(value)) {
 				return AuthorizationGrantType.CLIENT_CREDENTIALS;
 			}

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/registration/ClientRegistration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -616,9 +616,6 @@ public final class ClientRegistration implements Serializable {
 			else if (AuthorizationGrantType.PASSWORD.equals(this.authorizationGrantType)) {
 				this.validatePasswordGrantType();
 			}
-			else if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
-				this.validateImplicitGrantType();
-			}
 			else if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(this.authorizationGrantType)) {
 				this.validateAuthorizationCodeGrantType();
 			}
@@ -673,15 +670,6 @@ public final class ClientRegistration implements Serializable {
 			Assert.hasText(this.tokenUri, "tokenUri cannot be empty");
 		}
 
-		private void validateImplicitGrantType() {
-			Assert.isTrue(AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType),
-					() -> "authorizationGrantType must be " + AuthorizationGrantType.IMPLICIT.getValue());
-			Assert.hasText(this.registrationId, "registrationId cannot be empty");
-			Assert.hasText(this.clientId, "clientId cannot be empty");
-			Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
-			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
-		}
-
 		private void validateClientCredentialsGrantType() {
 			Assert.isTrue(AuthorizationGrantType.CLIENT_CREDENTIALS.equals(this.authorizationGrantType),
 					() -> "authorizationGrantType must be " + AuthorizationGrantType.CLIENT_CREDENTIALS.getValue());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/DefaultOAuth2AuthorizationRequestResolver.java

@@ -188,9 +188,6 @@ public final class DefaultOAuth2AuthorizationRequestResolver implements OAuth2Au
 			}
 			return builder;
 		}
-		if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
-			return OAuth2AuthorizationRequest.implicit();
-		}
 		throw new IllegalArgumentException(
 				"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue()
 						+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -39,9 +39,8 @@ import org.springframework.util.Assert;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 /**
- * This {@code Filter} initiates the authorization code grant or implicit grant flow by
+ * This {@code Filter} initiates the authorization code grant flow by redirecting the
- * redirecting the End-User's user-agent to the Authorization Server's Authorization
+ * End-User's user-agent to the Authorization Server's Authorization Endpoint.
- * Endpoint.
  *
  * <p>
  * It builds the OAuth 2.0 Authorization Request, which is used as the redirect
@@ -80,11 +79,6 @@ import org.springframework.web.filter.OncePerRequestFilter;
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request
  * (Authorization Code)</a>
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2">Section
- * 4.2 Implicit Grant</a>
- * @see <a target="_blank" href=
- * "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Authorization Request
- * (Implicit)</a>
  */
 public class OAuth2AuthorizationRequestRedirectFilter extends OncePerRequestFilter {
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/DefaultServerOAuth2AuthorizationRequestResolver.java

@@ -201,9 +201,6 @@ public class DefaultServerOAuth2AuthorizationRequestResolver implements ServerOA
 			}
 			return builder;
 		}
-		if (AuthorizationGrantType.IMPLICIT.equals(clientRegistration.getAuthorizationGrantType())) {
-			return OAuth2AuthorizationRequest.implicit();
-		}
 		throw new IllegalArgumentException(
 				"Invalid Authorization Grant Type (" + clientRegistration.getAuthorizationGrantType().getValue()
 						+ ") for Client Registration with Id: " + clientRegistration.getRegistrationId());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/web/server/OAuth2AuthorizationRequestRedirectWebFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,9 +38,8 @@ import org.springframework.web.server.WebFilterChain;
 import org.springframework.web.util.UriComponentsBuilder;
 
 /**
- * This {@code WebFilter} initiates the authorization code grant or implicit grant flow by
+ * This {@code WebFilter} initiates the authorization code grant flow by redirecting the
- * redirecting the End-User's user-agent to the Authorization Server's Authorization
+ * End-User's user-agent to the Authorization Server's Authorization Endpoint.
- * Endpoint.
  *
  * <p>
  * It builds the OAuth 2.0 Authorization Request, which is used as the redirect
@@ -67,11 +66,6 @@ import org.springframework.web.util.UriComponentsBuilder;
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Request
  * (Authorization Code)</a>
- * @see <a target="_blank" href="https://tools.ietf.org/html/rfc6749#section-4.2">Section
- * 4.2 Implicit Grant</a>
- * @see <a target="_blank" href=
- * "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Authorization Request
- * (Implicit)</a>
  */
 public class OAuth2AuthorizationRequestRedirectWebFilter implements WebFilter {
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/endpoint/OAuth2ClientCredentialsGrantRequestTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -54,22 +54,6 @@ public class OAuth2ClientCredentialsGrantRequestTests {
 		assertThatIllegalArgumentException().isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(null));
 	}
 
-	@Test
-	public void constructorWhenClientRegistrationInvalidGrantTypeThenThrowIllegalArgumentException() {
-		// @formatter:off
-		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("registration-1")
-				.clientId("client-1")
-				.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-				.redirectUri("https://localhost:8080/redirect-uri")
-				.authorizationUri("https://provider.com/oauth2/auth")
-				.clientName("Client 1")
-				.build();
-		// @formatter:on
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> new OAuth2ClientCredentialsGrantRequest(clientRegistration)).withMessage(
-						"clientRegistration.authorizationGrantType must be AuthorizationGrantType.CLIENT_CREDENTIALS");
-	}
-
 	@Test
 	public void constructorWhenValidParametersProvidedThenCreated() {
 		OAuth2ClientCredentialsGrantRequest clientCredentialsGrantRequest = new OAuth2ClientCredentialsGrantRequest(

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/oidc/userinfo/OidcUserRequestUtilsTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -63,7 +63,7 @@ public class OidcUserRequestUtilsTests {
 
 	@Test
 	public void shouldRetrieveUserInfoWhenNotAuthorizationCodeThenFalse() {
-		this.registration.authorizationGrantType(AuthorizationGrantType.IMPLICIT);
+		this.registration.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS);
 		assertThat(OidcUserRequestUtils.shouldRetrieveUserInfo(userRequest())).isFalse();
 	}
 

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/registration/ClientRegistrationTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -431,129 +431,6 @@ public class ClientRegistrationTests {
 		assertThat(clientRegistration.getProviderDetails().getConfigurationMetadata()).isEmpty();
 	}
 
-	@Test
-	public void buildWhenImplicitGrantAllAttributesProvidedThenAllAttributesAreSet() {
-		// @formatter:off
-		ClientRegistration registration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
-				.clientId(CLIENT_ID)
-				.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-				.redirectUri(REDIRECT_URI)
-				.scope(SCOPES.toArray(new String[0]))
-				.authorizationUri(AUTHORIZATION_URI)
-				.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-				.clientName(CLIENT_NAME)
-				.build();
-		// @formatter:on
-		assertThat(registration.getRegistrationId()).isEqualTo(REGISTRATION_ID);
-		assertThat(registration.getClientId()).isEqualTo(CLIENT_ID);
-		assertThat(registration.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
-		assertThat(registration.getRedirectUri()).isEqualTo(REDIRECT_URI);
-		assertThat(registration.getScopes()).isEqualTo(SCOPES);
-		assertThat(registration.getProviderDetails().getAuthorizationUri()).isEqualTo(AUTHORIZATION_URI);
-		assertThat(registration.getProviderDetails().getUserInfoEndpoint().getAuthenticationMethod())
-				.isEqualTo(AuthenticationMethod.FORM);
-		assertThat(registration.getClientName()).isEqualTo(CLIENT_NAME);
-	}
-
-	@Test
-	public void buildWhenImplicitGrantRegistrationIdIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() ->
-		// @formatter:off
-			ClientRegistration.withRegistrationId(null)
-					.clientId(CLIENT_ID)
-					.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-					.redirectUri(REDIRECT_URI)
-					.scope(SCOPES.toArray(new String[0]))
-					.authorizationUri(AUTHORIZATION_URI)
-					.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-					.clientName(CLIENT_NAME)
-					.build()
-		// @formatter:on
-		);
-	}
-
-	@Test
-	public void buildWhenImplicitGrantClientIdIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() ->
-		// @formatter:off
-			ClientRegistration.withRegistrationId(REGISTRATION_ID)
-					.clientId(null)
-					.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-					.redirectUri(REDIRECT_URI)
-					.scope(SCOPES.toArray(new String[0]))
-					.authorizationUri(AUTHORIZATION_URI)
-					.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-					.clientName(CLIENT_NAME)
-					.build()
-		// @formatter:on
-		);
-	}
-
-	@Test
-	public void buildWhenImplicitGrantRedirectUriIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() ->
-		// @formatter:off
-			ClientRegistration.withRegistrationId(REGISTRATION_ID)
-					.clientId(CLIENT_ID)
-					.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-					.redirectUri(null)
-					.scope(SCOPES.toArray(new String[0]))
-					.authorizationUri(AUTHORIZATION_URI)
-					.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-					.clientName(CLIENT_NAME)
-					.build()
-		// @formatter:on
-		);
-	}
-
-	// gh-5494
-	@Test
-	public void buildWhenImplicitGrantScopeIsNullThenScopeNotRequired() {
-		// @formatter:off
-		ClientRegistration.withRegistrationId(REGISTRATION_ID)
-				.clientId(CLIENT_ID)
-				.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-				.redirectUri(REDIRECT_URI)
-				.scope((String[]) null)
-				.authorizationUri(AUTHORIZATION_URI)
-				.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-				.clientName(CLIENT_NAME)
-				.build();
-		// @formatter:on
-	}
-
-	@Test
-	public void buildWhenImplicitGrantAuthorizationUriIsNullThenThrowIllegalArgumentException() {
-		assertThatIllegalArgumentException().isThrownBy(() ->
-		// @formatter:off
-			ClientRegistration.withRegistrationId(REGISTRATION_ID)
-					.clientId(CLIENT_ID)
-					.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-					.redirectUri(REDIRECT_URI)
-					.scope(SCOPES.toArray(new String[0]))
-					.authorizationUri(null)
-					.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-					.clientName(CLIENT_NAME)
-					.build()
-		// @formatter:on
-		);
-	}
-
-	@Test
-	public void buildWhenImplicitGrantClientNameNotProvidedThenDefaultToRegistrationId() {
-		// @formatter:off
-		ClientRegistration clientRegistration = ClientRegistration.withRegistrationId(REGISTRATION_ID)
-				.clientId(CLIENT_ID)
-				.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-				.redirectUri(REDIRECT_URI)
-				.scope(SCOPES.toArray(new String[0]))
-				.authorizationUri(AUTHORIZATION_URI)
-				.userInfoAuthenticationMethod(AuthenticationMethod.FORM)
-				.build();
-		// @formatter:on
-		assertThat(clientRegistration.getClientName()).isEqualTo(clientRegistration.getRegistrationId());
-	}
-
 	@Test
 	public void buildWhenOverrideRegistrationIdThenOverridden() {
 		String overriddenId = "override";

oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/web/OAuth2AuthorizationRequestRedirectFilterTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,7 +37,6 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
-import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.util.ClassUtils;
@@ -49,7 +48,6 @@ import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.BDDMockito.willThrow;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyZeroInteractions;
 
@@ -64,8 +62,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 
 	private ClientRegistration registration2;
 
-	private ClientRegistration registration3;
-
 	private ClientRegistrationRepository clientRegistrationRepository;
 
 	private OAuth2AuthorizationRequestRedirectFilter filter;
@@ -76,15 +72,8 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 	public void setUp() {
 		this.registration1 = TestClientRegistrations.clientRegistration().build();
 		this.registration2 = TestClientRegistrations.clientRegistration2().build();
-		// @formatter:off
-		this.registration3 = TestClientRegistrations.clientRegistration()
-				.registrationId("registration-3")
-				.authorizationGrantType(AuthorizationGrantType.IMPLICIT)
-				.redirectUri("{baseUrl}/authorize/oauth2/implicit/{registrationId}")
-				.build();
-		// @formatter:on
 		this.clientRegistrationRepository = new InMemoryClientRegistrationRepository(this.registration1,
-				this.registration2, this.registration3);
+				this.registration2);
 		this.filter = new OAuth2AuthorizationRequestRedirectFilter(this.clientRegistrationRepository);
 		this.requestCache = mock(RequestCache.class);
 		this.filter.setRequestCache(this.requestCache);
@@ -177,38 +166,6 @@ public class OAuth2AuthorizationRequestRedirectFilterTests {
 				any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
-	@Test
-	public void doFilterWhenAuthorizationRequestImplicitGrantThenRedirectForAuthorization() throws Exception {
-		String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
-				+ this.registration3.getRegistrationId();
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
-		request.setServletPath(requestUri);
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		FilterChain filterChain = mock(FilterChain.class);
-		this.filter.doFilter(request, response, filterChain);
-		verifyZeroInteractions(filterChain);
-		assertThat(response.getRedirectedUrl()).matches("https://example.com/login/oauth/authorize\\?"
-				+ "response_type=token&client_id=client-id&" + "scope=read:user&state=.{15,}&"
-				+ "redirect_uri=http://localhost/authorize/oauth2/implicit/registration-3");
-	}
-
-	@Test
-	public void doFilterWhenAuthorizationRequestImplicitGrantThenAuthorizationRequestNotSaved() throws Exception {
-		String requestUri = OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI + "/"
-				+ this.registration3.getRegistrationId();
-		MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
-		request.setServletPath(requestUri);
-		MockHttpServletResponse response = new MockHttpServletResponse();
-		FilterChain filterChain = mock(FilterChain.class);
-		AuthorizationRequestRepository<OAuth2AuthorizationRequest> authorizationRequestRepository = mock(
-				AuthorizationRequestRepository.class);
-		this.filter.setAuthorizationRequestRepository(authorizationRequestRepository);
-		this.filter.doFilter(request, response, filterChain);
-		verifyZeroInteractions(filterChain);
-		verify(authorizationRequestRepository, times(0)).saveAuthorizationRequest(any(OAuth2AuthorizationRequest.class),
-				any(HttpServletRequest.class), any(HttpServletResponse.class));
-	}
-
 	@Test
 	public void doFilterWhenCustomAuthorizationRequestBaseUriThenRedirectForAuthorization() throws Exception {
 		String authorizationRequestBaseUri = "/custom/authorization";

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -28,8 +28,8 @@ import org.springframework.util.Assert;
  *
  * <p>
  * The OAuth 2.0 Authorization Framework defines four standard grant types: authorization
- * code, implicit, resource owner password credentials, and client credentials. It also
+ * code, resource owner password credentials, and client credentials. It also provides an
- * provides an extensibility mechanism for defining additional grant types.
+ * extensibility mechanism for defining additional grant types.
  *
  * @author Joe Grandja
  * @since 5.0
@@ -42,17 +42,6 @@ public final class AuthorizationGrantType implements Serializable {
 
 	public static final AuthorizationGrantType AUTHORIZATION_CODE = new AuthorizationGrantType("authorization_code");
 
-	/**
-	 * It is not recommended to use the implicit flow due to the inherent risks of
-	 * returning access tokens in an HTTP redirect without any confirmation that it has
-	 * been received by the client.
-	 *
-	 * @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
-	 * Implicit Grant</a>
-	 */
-	@Deprecated
-	public static final AuthorizationGrantType IMPLICIT = new AuthorizationGrantType("implicit");
-
 	public static final AuthorizationGrantType REFRESH_TOKEN = new AuthorizationGrantType("refresh_token");
 
 	public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -41,7 +41,7 @@ import org.springframework.web.util.UriUtils;
 
 /**
  * A representation of an OAuth 2.0 Authorization Request for the authorization code grant
- * type or implicit grant type.
+ * type.
  *
  * @author Joe Grandja
  * @since 5.0
@@ -50,9 +50,6 @@ import org.springframework.web.util.UriUtils;
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.1.1">Section 4.1.1 Authorization Code
  * Grant Request</a>
- * @see <a target="_blank" href=
- * "https://tools.ietf.org/html/rfc6749#section-4.2.1">Section 4.2.1 Implicit Grant
- * Request</a>
  */
 public final class OAuth2AuthorizationRequest implements Serializable {
 
@@ -191,20 +188,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 		return new Builder(AuthorizationGrantType.AUTHORIZATION_CODE);
 	}
 
-	/**
-	 * Returns a new {@link Builder}, initialized with the implicit grant type.
-	 * @return the {@link Builder}
-	 * @deprecated It is not recommended to use the implicit flow due to the inherent
-	 * risks of returning access tokens in an HTTP redirect without any confirmation that
-	 * it has been received by the client.
-	 * @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
-	 * Implicit Grant</a>
-	 */
-	@Deprecated
-	public static Builder implicit() {
-		return new Builder(AuthorizationGrantType.IMPLICIT);
-	}
-
 	/**
 	 * Returns a new {@link Builder}, initialized with the values from the provided
 	 * {@code authorizationRequest}.
@@ -265,9 +248,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 			if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
 				this.responseType = OAuth2AuthorizationResponseType.CODE;
 			}
-			else if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
-				this.responseType = OAuth2AuthorizationResponseType.TOKEN;
-			}
 			this.uriBuilderFactory = new DefaultUriBuilderFactory();
 			// The supplied authorizationUri may contain encoded parameters
 			// so disable encoding in UriBuilder and instead apply encoding within this
@@ -440,9 +420,6 @@ public final class OAuth2AuthorizationRequest implements Serializable {
 		public OAuth2AuthorizationRequest build() {
 			Assert.hasText(this.authorizationUri, "authorizationUri cannot be empty");
 			Assert.hasText(this.clientId, "clientId cannot be empty");
-			if (AuthorizationGrantType.IMPLICIT.equals(this.authorizationGrantType)) {
-				Assert.hasText(this.redirectUri, "redirectUri cannot be empty");
-			}
 			OAuth2AuthorizationRequest authorizationRequest = new OAuth2AuthorizationRequest();
 			authorizationRequest.authorizationUri = this.authorizationUri;
 			authorizationRequest.authorizationGrantType = this.authorizationGrantType;

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseType.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -23,14 +23,12 @@ import org.springframework.util.Assert;
 
 /**
  * The {@code response_type} parameter is consumed by the authorization endpoint which is
- * used by the authorization code grant type and implicit grant type. The client sets the
+ * used by the authorization code grant type. The client sets the {@code response_type}
- * {@code response_type} parameter with the desired grant type before initiating the
+ * parameter with the desired grant type before initiating the authorization request.
- * authorization request.
  *
  * <p>
- * The {@code response_type} parameter value may be one of &quot;code&quot; for requesting
+ * The {@code response_type} parameter value may be &quot;code&quot; for requesting an
- * an authorization code or &quot;token&quot; for requesting an access token (implicit
+ * authorization code.
- * grant).
  *
  * @author Joe Grandja
  * @since 5.0
@@ -43,17 +41,6 @@ public final class OAuth2AuthorizationResponseType implements Serializable {
 
 	public static final OAuth2AuthorizationResponseType CODE = new OAuth2AuthorizationResponseType("code");
 
-	/**
-	 * It is not recommended to use the implicit flow due to the inherent risks of
-	 * returning access tokens in an HTTP redirect without any confirmation that it has
-	 * been received by the client.
-	 *
-	 * @see <a target="_blank" href="https://oauth.net/2/grant-types/implicit/">OAuth 2.0
-	 * Implicit Grant</a>
-	 */
-	@Deprecated
-	public static final OAuth2AuthorizationResponseType TOKEN = new OAuth2AuthorizationResponseType("token");
-
 	private final String value;
 
 	public OAuth2AuthorizationResponseType(String value) {

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/AuthorizationGrantTypeTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,11 +38,6 @@ public class AuthorizationGrantTypeTests {
 		assertThat(AuthorizationGrantType.AUTHORIZATION_CODE.getValue()).isEqualTo("authorization_code");
 	}
 
-	@Test
-	public void getValueWhenImplicitGrantTypeThenReturnImplicit() {
-		assertThat(AuthorizationGrantType.IMPLICIT.getValue()).isEqualTo("implicit");
-	}
-
 	@Test
 	public void getValueWhenRefreshTokenGrantTypeThenReturnRefreshToken() {
 		assertThat(AuthorizationGrantType.REFRESH_TOKEN.getValue()).isEqualTo("refresh_token");

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationRequestTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -79,20 +79,6 @@ public class OAuth2AuthorizationRequestTests {
 		// @formatter:on
 	}
 
-	@Test
-	public void buildWhenRedirectUriIsNullForImplicitThenThrowIllegalArgumentException() {
-		// @formatter:off
-		assertThatIllegalArgumentException()
-				.isThrownBy(() -> OAuth2AuthorizationRequest.implicit()
-						.authorizationUri(AUTHORIZATION_URI)
-						.clientId(CLIENT_ID)
-						.redirectUri(null)
-						.scopes(SCOPES)
-						.state(STATE).build()
-				);
-		// @formatter:on
-	}
-
 	@Test
 	public void buildWhenRedirectUriIsNullForAuthorizationCodeThenDoesNotThrowAnyException() {
 		// @formatter:off
@@ -146,21 +132,6 @@ public class OAuth2AuthorizationRequestTests {
 		// @formatter:on
 	}
 
-	@Test
-	public void buildWhenImplicitThenGrantTypeResponseTypeIsSet() {
-		// @formatter:off
-		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
-				.authorizationUri(AUTHORIZATION_URI)
-				.clientId(CLIENT_ID)
-				.redirectUri(REDIRECT_URI)
-				.scopes(SCOPES)
-				.state(STATE)
-				.build();
-		// @formatter:on
-		assertThat(authorizationRequest.getGrantType()).isEqualTo(AuthorizationGrantType.IMPLICIT);
-		assertThat(authorizationRequest.getResponseType()).isEqualTo(OAuth2AuthorizationResponseType.TOKEN);
-	}
-
 	@Test
 	public void buildWhenAuthorizationCodeThenGrantTypeResponseTypeIsSet() {
 		// @formatter:off
@@ -208,22 +179,6 @@ public class OAuth2AuthorizationRequestTests {
 		assertThat(authorizationRequest.getAuthorizationRequestUri()).isEqualTo(AUTHORIZATION_URI);
 	}
 
-	@Test
-	public void buildWhenScopesMultiThenSeparatedByEncodedSpace() {
-		// @formatter:off
-		OAuth2AuthorizationRequest authorizationRequest = OAuth2AuthorizationRequest.implicit()
-				.authorizationUri(AUTHORIZATION_URI)
-				.clientId(CLIENT_ID)
-				.redirectUri(REDIRECT_URI)
-				.scopes(SCOPES)
-				.state(STATE)
-				.build();
-		// @formatter:on
-		assertThat(authorizationRequest.getAuthorizationRequestUri())
-				.isEqualTo("https://provider.com/oauth2/authorize?" + "response_type=token&client_id=client-id&"
-						+ "scope=scope1%20scope2&state=state&" + "redirect_uri=https://example.com");
-	}
-
 	@Test
 	public void buildWhenAuthorizationRequestUriSetThenOverridesDefault() {
 		// @formatter:off

oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/endpoint/OAuth2AuthorizationResponseTypeTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2017 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,9 +32,4 @@ public class OAuth2AuthorizationResponseTypeTests {
 		assertThat(OAuth2AuthorizationResponseType.CODE.getValue()).isEqualTo("code");
 	}
 
-	@Test
-	public void getValueWhenResponseTypeTokenThenReturnToken() {
-		assertThat(OAuth2AuthorizationResponseType.TOKEN.getValue()).isEqualTo("token");
-	}
-
 }