vor 2 Jahren · 4e63c3b6b6
--- a/README.adoc
+++ b/README.adoc
@@ -4,7 +4,7 @@ image:https://github.com/spring-projects/spring-authorization-server/workflows/C
 
				 
			
 
				 = Spring Authorization Server
			
 
				 
			
 
				-The Spring Authorization Server project, led by the https://spring.io/projects/spring-security/[Spring Security] team, is focused on delivering https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-06#section-1.1[OAuth 2.1 Authorization Server] support to the Spring community.
			
 
				+The Spring Authorization Server project, led by the https://spring.io/projects/spring-security/[Spring Security] team, is focused on delivering https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-1.1[OAuth 2.1 Authorization Server] support to the Spring community.
			
 
				 
			
 
				 This project replaces the Authorization Server support provided by https://spring.io/projects/spring-security-oauth/[Spring Security OAuth].
			
 
				 
			
@@ -19,7 +19,7 @@ The feature list can be viewed in the https://docs.spring.io/spring-authorizatio
 
				 The Spring Authorization Server project provides software support and is documented in its link:SUPPORT_POLICY.adoc[support policy].
			
 
				 
			
 
				 == Getting Started
			
 
				-The first place to start is to read the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01[OAuth 2.1 Authorization Framework] to gain an in-depth understanding on how to build an Authorization Server.
			
 
				+The first place to start is to read the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[OAuth 2.1 Authorization Framework] to gain an in-depth understanding on how to build an Authorization Server.
			
 
				 It is a critically important first step as the implementation must conform to the specification defined in the OAuth 2.1 Authorization Framework and the https://github.com/spring-projects/spring-authorization-server/wiki/OAuth-2.0-Specifications[related specifications].
			
 
				 
			
 
				 The second place to start is to become very familiar with the codebase in the following Spring Security modules:
			
--- a/docs/src/docs/asciidoc/overview.adoc
+++ b/docs/src/docs/asciidoc/overview.adoc
@@ -6,7 +6,7 @@ This site contains reference documentation and how-to guides for Spring Authoriz
 
				 [[introducing-spring-authorization-server]]
			
 
				 == Introducing Spring Authorization Server
			
 
				 
			
 
				-Spring Authorization Server is a framework that provides implementations of the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05[OAuth 2.1] and https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] specifications and other related specifications.
			
 
				+Spring Authorization Server is a framework that provides implementations of the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[OAuth 2.1] and https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] specifications and other related specifications.
			
 
				 It is built on top of https://spring.io/projects/spring-security[Spring Security] to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
			
 
				 
			
 
				 [[feature-list]]
			
@@ -25,10 +25,10 @@ Spring Authorization Server supports the following features:
 
				 * Client Credentials
			
 
				 * Refresh Token
			
 
				 |
			
 
				-* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05[draft])
			
 
				-** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-4.1[Authorization Code Grant]
			
 
				-** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-4.2[Client Credentials Grant]
			
 
				-** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-4.3[Refresh Token Grant]
			
 
				+* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
			
 
				+** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.1[Authorization Code Grant]
			
 
				+** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.2[Client Credentials Grant]
			
 
				+** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.3[Refresh Token Grant]
			
 
				 * OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])
			
 
				 ** https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow]
			
 
				 
			
@@ -48,7 +48,7 @@ Spring Authorization Server supports the following features:
 
				 * `private_key_jwt`
			
 
				 * `none` (public clients)
			
 
				 |
			
 
				-* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-2.4[Client Authentication])
			
 
				+* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-2.4[Client Authentication])
			
 
				 * JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (https://tools.ietf.org/html/rfc7523[RFC 7523])
			
 
				 * Proof Key for Code Exchange by OAuth Public Clients (PKCE) (https://tools.ietf.org/html/rfc7636[RFC 7636])
			
 
				 
			
@@ -64,9 +64,9 @@ Spring Authorization Server supports the following features:
 
				 * xref:protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo Endpoint]
			
 
				 * xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration Endpoint]
			
 
				 |
			
 
				-* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05[draft])
			
 
				-** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-3.1[Authorization Endpoint]
			
 
				-** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05#section-3.2[Token Endpoint]
			
 
				+* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
			
 
				+** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.1[Authorization Endpoint]
			
 
				+** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.2[Token Endpoint]
			
 
				 * OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662[RFC 7662])
			
 
				 * OAuth 2.0 Token Revocation (https://tools.ietf.org/html/rfc7009[RFC 7009])
			
 
				 * OAuth 2.0 Authorization Server Metadata (https://tools.ietf.org/html/rfc8414[RFC 8414])
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationValidator.java
@@ -102,7 +102,7 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationValidator impleme
 
				 
			
 
				 			String requestedRedirectHost = requestedRedirect.getHost();
			
 
				 			if (requestedRedirectHost == null || requestedRedirectHost.equals("localhost")) {
			
 
				-				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-9.7.1
			
 
				+				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-9.7.1
			
 
				 				// While redirect URIs using localhost (i.e., "http://localhost:{port}/{path}")
			
 
				 				// function similarly to loopback IP redirects described in Section 10.3.3,
			
 
				 				// the use of "localhost" is NOT RECOMMENDED.
			
@@ -110,13 +110,13 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationValidator impleme
 
				 						OAuth2ErrorCodes.INVALID_REQUEST,
			
 
				 						"localhost is not allowed for the redirect_uri (" + requestedRedirectUri + "). " +
			
 
				 								"Use the IP literal (127.0.0.1) instead.",
			
 
				-						"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-9.7.1");
			
 
				+						"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-9.7.1");
			
 
				 				throwError(error, OAuth2ParameterNames.REDIRECT_URI,
			
 
				 						authorizationCodeRequestAuthentication, registeredClient);
			
 
				 			}
			
 
				 
			
 
				 			if (!isLoopbackAddress(requestedRedirectHost)) {
			
 
				-				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-9.7
			
 
				+				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-9.7
			
 
				 				// When comparing client redirect URIs against pre-registered URIs,
			
 
				 				// authorization servers MUST utilize exact string matching.
			
 
				 				if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			
@@ -124,7 +124,7 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationValidator impleme
 
				 							authorizationCodeRequestAuthentication, registeredClient);
			
 
				 				}
			
 
				 			} else {
			
 
				-				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-01#section-10.3.3
			
 
				+				// As per https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-10.3.3
			
 
				 				// The authorization server MUST allow any port to be specified at the
			
 
				 				// time of the request for loopback IP redirect URIs, to accommodate
			
 
				 				// clients that obtain an available ephemeral port from the operating