4 жил өмнө · ea1f95b4ed
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/InMemoryOAuth2AuthorizationService.java
@@ -97,10 +97,12 @@ public final class InMemoryOAuth2AuthorizationService implements OAuth2Authoriza
 
				 	@Override
			
 
				 	public OAuth2Authorization findByToken(String token, @Nullable OAuth2TokenType tokenType) {
			
 
				 		Assert.hasText(token, "token cannot be empty");
			
 
				-		return this.authorizations.values().stream()
			
 
				-				.filter(authorization -> hasToken(authorization, token, tokenType))
			
 
				-				.findFirst()
			
 
				-				.orElse(null);
			
 
				+		for (OAuth2Authorization authorization : this.authorizations.values()) {
			
 
				+			if (hasToken(authorization, token, tokenType)) {
			
 
				+				return authorization;
			
 
				+			}
			
 
				+		}
			
 
				+		return null;
			
 
				 	}
			
 
				 
			
 
				 	private static boolean hasToken(OAuth2Authorization authorization, String token, @Nullable OAuth2TokenType tokenType) {
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2Authorization.java
@@ -150,11 +150,12 @@ public class OAuth2Authorization implements Serializable {
 
				 	@SuppressWarnings("unchecked")
			
 
				 	public <T extends OAuth2Token> Token<T> getToken(String tokenValue) {
			
 
				 		Assert.hasText(tokenValue, "tokenValue cannot be empty");
			
 
				-		Token<?> token = this.tokens.values().stream()
			
 
				-				.filter(t -> t.getToken().getTokenValue().equals(tokenValue))
			
 
				-				.findFirst()
			
 
				-				.orElse(null);
			
 
				-		return token != null ? (Token<T>) token : null;
			
 
				+		for (Token<?> token : this.tokens.values()) {
			
 
				+			if (token.getToken().getTokenValue().equals(tokenValue)) {
			
 
				+				return (Token<T>) token;
			
 
				+			}
			
 
				+		}
			
 
				+		return null;
			
 
				 	}
			
 
				 
			
 
				 	/**
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationConsent.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/OAuth2AuthorizationConsent.java
@@ -21,7 +21,6 @@ import java.util.HashSet;
 
				 import java.util.Objects;
			
 
				 import java.util.Set;
			
 
				 import java.util.function.Consumer;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import org.springframework.lang.NonNull;
			
 
				 import org.springframework.security.core.GrantedAuthority;
			
@@ -91,11 +90,13 @@ public final class OAuth2AuthorizationConsent implements Serializable {
 
				 	 * @return the {@code scope}s granted to the client by the principal.
			
 
				 	 */
			
 
				 	public Set<String> getScopes() {
			
 
				-		return getAuthorities().stream()
			
 
				-				.map(GrantedAuthority::getAuthority)
			
 
				-				.filter(authority -> authority.startsWith(AUTHORITIES_SCOPE_PREFIX))
			
 
				-				.map(scope -> scope.replaceFirst(AUTHORITIES_SCOPE_PREFIX, ""))
			
 
				-				.collect(Collectors.toSet());
			
 
				+		Set<String> authorities = new HashSet<>();
			
 
				+		for (GrantedAuthority authority : getAuthorities()) {
			
 
				+			if (authority.getAuthority().startsWith(AUTHORITIES_SCOPE_PREFIX)) {
			
 
				+				authorities.add(authority.getAuthority().replaceFirst(AUTHORITIES_SCOPE_PREFIX, ""));
			
 
				+			}
			
 
				+		}
			
 
				+		return authorities;
			
 
				 	}
			
 
				 
			
 
				 	@Override
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeRequestAuthenticationProvider.java
@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 
				 import java.security.Principal;
			
 
				 import java.time.Instant;
			
 
				 import java.time.temporal.ChronoUnit;
			
 
				-import java.util.Arrays;
			
 
				 import java.util.Base64;
			
 
				 import java.util.Collections;
			
 
				 import java.util.HashMap;
			
@@ -448,7 +447,10 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationProvider implemen
 
				 			return false;
			
 
				 		}
			
 
				 		try {
			
 
				-			int[] address = Arrays.stream(ipv4Octets).mapToInt(Integer::parseInt).toArray();
			
 
				+			int[] address = new int[ipv4Octets.length];
			
 
				+			for (int i=0; i < ipv4Octets.length; i++) {
			
 
				+				address[i] = Integer.parseInt(ipv4Octets[i]);
			
 
				+			}
			
 
				 			return address[0] == 127 && address[1] >= 0 && address[1] <= 255 && address[2] >= 0 &&
			
 
				 					address[2] <= 255 && address[3] >= 1 && address[3] <= 255;
			
 
				 		} catch (NumberFormatException ex) {
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2ClientCredentialsAuthenticationProvider.java
@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.authentication;
 
				 import java.util.LinkedHashSet;
			
 
				 import java.util.Set;
			
 
				 import java.util.function.Consumer;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import org.springframework.beans.factory.annotation.Autowired;
			
 
				 import org.springframework.security.authentication.AuthenticationProvider;
			
@@ -34,12 +33,12 @@ import org.springframework.security.oauth2.jwt.JoseHeader;
 
				 import org.springframework.security.oauth2.jwt.Jwt;
			
 
				 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
			
 
				 import org.springframework.security.oauth2.jwt.JwtEncoder;
			
 
				+import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
			
 
				 import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
			
 
				 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
			
 
				+import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
			
 
				 import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
			
 
				 import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
			
 
				-import org.springframework.security.oauth2.server.authorization.JwtEncodingContext;
			
 
				-import org.springframework.security.oauth2.server.authorization.OAuth2TokenCustomizer;
			
 
				 import org.springframework.util.Assert;
			
 
				 import org.springframework.util.CollectionUtils;
			
 
				 
			
@@ -112,11 +111,10 @@ public final class OAuth2ClientCredentialsAuthenticationProvider implements Auth
 
				 
			
 
				 		Set<String> authorizedScopes = registeredClient.getScopes();		// Default to configured scopes
			
 
				 		if (!CollectionUtils.isEmpty(clientCredentialsAuthentication.getScopes())) {
			
 
				-			Set<String> unauthorizedScopes = clientCredentialsAuthentication.getScopes().stream()
			
 
				-					.filter(requestedScope -> !registeredClient.getScopes().contains(requestedScope))
			
 
				-					.collect(Collectors.toSet());
			
 
				-			if (!CollectionUtils.isEmpty(unauthorizedScopes)) {
			
 
				-				throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
			
 
				+			for (String requestedScope : clientCredentialsAuthentication.getScopes()) {
			
 
				+				if (!registeredClient.getScopes().contains(requestedScope)) {
			
 
				+					throw new OAuth2AuthenticationException(new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE));
			
 
				+				}
			
 
				 			}
			
 
				 			authorizedScopes = new LinkedHashSet<>(clientCredentialsAuthentication.getScopes());
			
 
				 		}
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2TokenIntrospectionEndpointFilter.java
@@ -16,8 +16,8 @@
 
				 package org.springframework.security.oauth2.server.authorization.web;
			
 
				 
			
 
				 import java.io.IOException;
			
 
				+import java.util.HashMap;
			
 
				 import java.util.Map;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import javax.servlet.FilterChain;
			
 
				 import javax.servlet.ServletException;
			
@@ -161,14 +161,13 @@ public final class OAuth2TokenIntrospectionEndpointFilter extends OncePerRequest
 
				 				throwError(OAuth2ErrorCodes.INVALID_REQUEST, OAuth2ParameterNames.TOKEN_TYPE_HINT);
			
 
				 			}
			
 
				 
			
 
				-			// @formatter:off
			
 
				-			Map<String, Object> additionalParameters = parameters
			
 
				-					.entrySet()
			
 
				-					.stream()
			
 
				-					.filter(e -> !e.getKey().equals(OAuth2ParameterNames.TOKEN) &&
			
 
				-							!e.getKey().equals(OAuth2ParameterNames.TOKEN_TYPE_HINT))
			
 
				-					.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
			
 
				-			// @formatter:on
			
 
				+			Map<String, Object> additionalParameters = new HashMap<>();
			
 
				+			parameters.forEach((key, value) -> {
			
 
				+				if (!key.equals(OAuth2ParameterNames.TOKEN) &&
			
 
				+						!key.equals(OAuth2ParameterNames.TOKEN_TYPE_HINT)) {
			
 
				+					additionalParameters.put(key, value.get(0));
			
 
				+				}
			
 
				+			});
			
 
				 
			
 
				 			return new OAuth2TokenIntrospectionAuthenticationToken(
			
 
				 					token, clientPrincipal, tokenTypeHint, additionalParameters);
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/DelegatingAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/DelegatingAuthenticationConverter.java
@@ -18,7 +18,6 @@ package org.springframework.security.oauth2.server.authorization.web.authenticat
 
				 import java.util.Collections;
			
 
				 import java.util.LinkedList;
			
 
				 import java.util.List;
			
 
				-import java.util.Objects;
			
 
				 
			
 
				 import javax.servlet.http.HttpServletRequest;
			
 
				 
			
@@ -56,12 +55,12 @@ public final class DelegatingAuthenticationConverter implements AuthenticationCo
 
				 	@Override
			
 
				 	public Authentication convert(HttpServletRequest request) {
			
 
				 		Assert.notNull(request, "request cannot be null");
			
 
				-		// @formatter:off
			
 
				-		return this.converters.stream()
			
 
				-				.map(converter -> converter.convert(request))
			
 
				-				.filter(Objects::nonNull)
			
 
				-				.findFirst()
			
 
				-				.orElse(null);
			
 
				-		// @formatter:on
			
 
				+		for (AuthenticationConverter converter : this.converters) {
			
 
				+			Authentication authentication = converter.convert(request);
			
 
				+			if (authentication != null) {
			
 
				+				return authentication;
			
 
				+			}
			
 
				+		}
			
 
				+		return null;
			
 
				 	}
			
 
				 }
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeAuthenticationConverter.java
@@ -15,8 +15,8 @@
 
				  */
			
 
				 package org.springframework.security.oauth2.server.authorization.web.authentication;
			
 
				 
			
 
				+import java.util.HashMap;
			
 
				 import java.util.Map;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import javax.servlet.http.HttpServletRequest;
			
 
				 
			
@@ -78,16 +78,15 @@ public final class OAuth2AuthorizationCodeAuthenticationConverter implements Aut
 
				 					OAuth2EndpointUtils.ACCESS_TOKEN_REQUEST_ERROR_URI);
			
 
				 		}
			
 
				 
			
 
				-		// @formatter:off
			
 
				-		Map<String, Object> additionalParameters = parameters
			
 
				-				.entrySet()
			
 
				-				.stream()
			
 
				-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.CLIENT_ID) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.CODE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.REDIRECT_URI))
			
 
				-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
			
 
				-        // @formatter:on
			
 
				+		Map<String, Object> additionalParameters = new HashMap<>();
			
 
				+		parameters.forEach((key, value) -> {
			
 
				+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
			
 
				+					!key.equals(OAuth2ParameterNames.CODE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.REDIRECT_URI)) {
			
 
				+				additionalParameters.put(key, value.get(0));
			
 
				+			}
			
 
				+		});
			
 
				 
			
 
				 		return new OAuth2AuthorizationCodeAuthenticationToken(
			
 
				 				code, clientPrincipal, redirectUri, additionalParameters);
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2AuthorizationCodeRequestAuthenticationConverter.java
@@ -16,10 +16,10 @@
 
				 package org.springframework.security.oauth2.server.authorization.web.authentication;
			
 
				 
			
 
				 import java.util.Arrays;
			
 
				+import java.util.HashMap;
			
 
				 import java.util.HashSet;
			
 
				 import java.util.Map;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import javax.servlet.http.HttpServletRequest;
			
 
				 
			
@@ -139,17 +139,16 @@ public final class OAuth2AuthorizationCodeRequestAuthenticationConverter impleme
 
				 			throwError(OAuth2ErrorCodes.INVALID_REQUEST, PkceParameterNames.CODE_CHALLENGE_METHOD, PKCE_ERROR_URI);
			
 
				 		}
			
 
				 
			
 
				-		// @formatter:off
			
 
				-		Map<String, Object> additionalParameters = parameters
			
 
				-				.entrySet()
			
 
				-				.stream()
			
 
				-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.CLIENT_ID) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.REDIRECT_URI) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.SCOPE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.STATE))
			
 
				-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
			
 
				-        // @formatter:on
			
 
				+		Map<String, Object> additionalParameters = new HashMap<>();
			
 
				+		parameters.forEach((key, value) -> {
			
 
				+			if (!key.equals(OAuth2ParameterNames.RESPONSE_TYPE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.CLIENT_ID) &&
			
 
				+					!key.equals(OAuth2ParameterNames.REDIRECT_URI) &&
			
 
				+					!key.equals(OAuth2ParameterNames.SCOPE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.STATE)) {
			
 
				+				additionalParameters.put(key, value.get(0));
			
 
				+			}
			
 
				+		});
			
 
				 
			
 
				 		return OAuth2AuthorizationCodeRequestAuthenticationToken.with(clientId, principal)
			
 
				 				.authorizationUri(authorizationUri)
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2ClientCredentialsAuthenticationConverter.java
@@ -16,10 +16,10 @@
 
				 package org.springframework.security.oauth2.server.authorization.web.authentication;
			
 
				 
			
 
				 import java.util.Arrays;
			
 
				+import java.util.HashMap;
			
 
				 import java.util.HashSet;
			
 
				 import java.util.Map;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import javax.servlet.http.HttpServletRequest;
			
 
				 
			
@@ -75,14 +75,13 @@ public final class OAuth2ClientCredentialsAuthenticationConverter implements Aut
 
				 					Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
			
 
				 		}
			
 
				 
			
 
				-		// @formatter:off
			
 
				-		Map<String, Object> additionalParameters = parameters
			
 
				-				.entrySet()
			
 
				-				.stream()
			
 
				-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.SCOPE))
			
 
				-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
			
 
				-        // @formatter:on
			
 
				+		Map<String, Object> additionalParameters = new HashMap<>();
			
 
				+		parameters.forEach((key, value) -> {
			
 
				+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.SCOPE)) {
			
 
				+				additionalParameters.put(key, value.get(0));
			
 
				+			}
			
 
				+		});
			
 
				 
			
 
				 		return new OAuth2ClientCredentialsAuthenticationToken(
			
 
				 				clientPrincipal, requestedScopes, additionalParameters);
			
--- a/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java
+++ b/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2RefreshTokenAuthenticationConverter.java
@@ -16,10 +16,10 @@
 
				 package org.springframework.security.oauth2.server.authorization.web.authentication;
			
 
				 
			
 
				 import java.util.Arrays;
			
 
				+import java.util.HashMap;
			
 
				 import java.util.HashSet;
			
 
				 import java.util.Map;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import javax.servlet.http.HttpServletRequest;
			
 
				 
			
@@ -85,15 +85,14 @@ public final class OAuth2RefreshTokenAuthenticationConverter implements Authenti
 
				 					Arrays.asList(StringUtils.delimitedListToStringArray(scope, " ")));
			
 
				 		}
			
 
				 
			
 
				-		// @formatter:off
			
 
				-		Map<String, Object> additionalParameters = parameters
			
 
				-				.entrySet()
			
 
				-				.stream()
			
 
				-				.filter(e -> !e.getKey().equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.REFRESH_TOKEN) &&
			
 
				-						!e.getKey().equals(OAuth2ParameterNames.SCOPE))
			
 
				-				.collect(Collectors.toMap(Map.Entry::getKey, e -> e.getValue().get(0)));
			
 
				-        // @formatter:on
			
 
				+		Map<String, Object> additionalParameters = new HashMap<>();
			
 
				+		parameters.forEach((key, value) -> {
			
 
				+			if (!key.equals(OAuth2ParameterNames.GRANT_TYPE) &&
			
 
				+					!key.equals(OAuth2ParameterNames.REFRESH_TOKEN) &&
			
 
				+					!key.equals(OAuth2ParameterNames.SCOPE)) {
			
 
				+				additionalParameters.put(key, value.get(0));
			
 
				+			}
			
 
				+		});
			
 
				 
			
 
				 		return new OAuth2RefreshTokenAuthenticationToken(
			
 
				 				refreshToken, clientPrincipal, requestedScopes, additionalParameters);
			
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2AuthorizationCodeGrantTests.java
@@ -24,9 +24,9 @@ import java.text.MessageFormat;
 
				 import java.time.Instant;
			
 
				 import java.time.temporal.ChronoUnit;
			
 
				 import java.util.Base64;
			
 
				+import java.util.HashSet;
			
 
				 import java.util.List;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import com.nimbusds.jose.jwk.JWKSet;
			
 
				 import com.nimbusds.jose.jwk.source.JWKSource;
			
@@ -273,9 +273,11 @@ public class OAuth2AuthorizationCodeGrantTests {
 
				 		Jwt jwt = this.jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
			
 
				 		List<String> authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
			
 
				 		Authentication principal = authorization.getAttribute(Principal.class.getName());
			
 
				-		Set<String> userAuthorities = principal.getAuthorities().stream()
			
 
				-				.map(GrantedAuthority::getAuthority)
			
 
				-				.collect(Collectors.toSet());
			
 
				+		Set<String> userAuthorities = new HashSet<>();
			
 
				+		for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+			userAuthorities.add(authority.getAuthority());
			
 
				+		}
			
 
				+
			
 
				 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
			
 
				 	}
			
 
				 
			
@@ -612,9 +614,10 @@ public class OAuth2AuthorizationCodeGrantTests {
 
				 				if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(context.getAuthorizationGrantType()) &&
			
 
				 						OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			
 
				 					Authentication principal = context.getPrincipal();
			
 
				-					Set<String> authorities = principal.getAuthorities().stream()
			
 
				-							.map(GrantedAuthority::getAuthority)
			
 
				-							.collect(Collectors.toSet());
			
 
				+					Set<String> authorities = new HashSet<>();
			
 
				+					for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+						authorities.add(authority.getAuthority());
			
 
				+					}
			
 
				 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
			
 
				 				}
			
 
				 			};
			
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OAuth2RefreshTokenGrantTests.java
@@ -19,9 +19,9 @@ import java.net.URLEncoder;
 
				 import java.nio.charset.StandardCharsets;
			
 
				 import java.security.Principal;
			
 
				 import java.util.Base64;
			
 
				+import java.util.HashSet;
			
 
				 import java.util.List;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import com.nimbusds.jose.jwk.JWKSet;
			
 
				 import com.nimbusds.jose.jwk.source.JWKSource;
			
@@ -174,9 +174,10 @@ public class OAuth2RefreshTokenGrantTests {
 
				 		Jwt jwt = jwtDecoder.decode(accessTokenResponse.getAccessToken().getTokenValue());
			
 
				 		List<String> authoritiesClaim = jwt.getClaim(AUTHORITIES_CLAIM);
			
 
				 		Authentication principal = authorization.getAttribute(Principal.class.getName());
			
 
				-		Set<String> userAuthorities = principal.getAuthorities().stream()
			
 
				-				.map(GrantedAuthority::getAuthority)
			
 
				-				.collect(Collectors.toSet());
			
 
				+		Set<String> userAuthorities = new HashSet<>();
			
 
				+		for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+			userAuthorities.add(authority.getAuthority());
			
 
				+		}
			
 
				 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
			
 
				 	}
			
 
				 
			
@@ -231,9 +232,10 @@ public class OAuth2RefreshTokenGrantTests {
 
				 			return context -> {
			
 
				 				if (AuthorizationGrantType.REFRESH_TOKEN.equals(context.getAuthorizationGrantType())) {
			
 
				 					Authentication principal = context.getPrincipal();
			
 
				-					Set<String> authorities = principal.getAuthorities().stream()
			
 
				-							.map(GrantedAuthority::getAuthority)
			
 
				-							.collect(Collectors.toSet());
			
 
				+					Set<String> authorities = new HashSet<>();
			
 
				+					for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+						authorities.add(authority.getAuthority());
			
 
				+					}
			
 
				 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
			
 
				 				}
			
 
				 			};
			
--- a/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
+++ b/oauth2-authorization-server/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/authorization/OidcTests.java
@@ -21,9 +21,9 @@ import java.net.URLEncoder;
 
				 import java.nio.charset.StandardCharsets;
			
 
				 import java.security.Principal;
			
 
				 import java.util.Base64;
			
 
				+import java.util.HashSet;
			
 
				 import java.util.List;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import com.nimbusds.jose.jwk.JWKSet;
			
 
				 import com.nimbusds.jose.jwk.source.JWKSource;
			
@@ -223,9 +223,10 @@ public class OidcTests {
 
				 		Jwt idToken = this.jwtDecoder.decode((String) accessTokenResponse.getAdditionalParameters().get(OidcParameterNames.ID_TOKEN));
			
 
				 		List<String> authoritiesClaim = idToken.getClaim(AUTHORITIES_CLAIM);
			
 
				 		Authentication principal = authorization.getAttribute(Principal.class.getName());
			
 
				-		Set<String> userAuthorities = principal.getAuthorities().stream()
			
 
				-				.map(GrantedAuthority::getAuthority)
			
 
				-				.collect(Collectors.toSet());
			
 
				+		Set<String> userAuthorities = new HashSet<>();
			
 
				+		for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+			userAuthorities.add(authority.getAuthority());
			
 
				+		}
			
 
				 		assertThat(authoritiesClaim).containsExactlyInAnyOrderElementsOf(userAuthorities);
			
 
				 	}
			
 
				 
			
@@ -304,9 +305,10 @@ public class OidcTests {
 
				 			return context -> {
			
 
				 				if (context.getTokenType().getValue().equals(OidcParameterNames.ID_TOKEN)) {
			
 
				 					Authentication principal = context.getPrincipal();
			
 
				-					Set<String> authorities = principal.getAuthorities().stream()
			
 
				-							.map(GrantedAuthority::getAuthority)
			
 
				-							.collect(Collectors.toSet());
			
 
				+					Set<String> authorities = new HashSet<>();
			
 
				+					for (GrantedAuthority authority : principal.getAuthorities()) {
			
 
				+						authorities.add(authority.getAuthority());
			
 
				+					}
			
 
				 					context.getClaims().claim(AUTHORITIES_CLAIM, authorities);
			
 
				 				}
			
 
				 			};
			
--- a/samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/main/java/sample/web/AuthorizationConsentController.java
+++ b/samples/boot/oauth2-integration/authorizationserver-custom-consent-page/src/main/java/sample/web/AuthorizationConsentController.java
@@ -21,7 +21,6 @@ import java.util.HashMap;
 
				 import java.util.HashSet;
			
 
				 import java.util.Map;
			
 
				 import java.util.Set;
			
 
				-import java.util.stream.Collectors;
			
 
				 
			
 
				 import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
			
 
				 import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
			
@@ -84,10 +83,12 @@ public class AuthorizationConsentController {
 
				 	}
			
 
				 
			
 
				 	private static Set<ScopeWithDescription> withDescription(Set<String> scopes) {
			
 
				-		return scopes
			
 
				-				.stream()
			
 
				-				.map(ScopeWithDescription::new)
			
 
				-				.collect(Collectors.toSet());
			
 
				+		Set<ScopeWithDescription> scopeWithDescriptions = new HashSet<>();
			
 
				+		for (String scope : scopes) {
			
 
				+			scopeWithDescriptions.add(new ScopeWithDescription(scope));
			
 
				+
			
 
				+		}
			
 
				+		return scopeWithDescriptions;
			
 
				 	}
			
 
				 
			
 
				 	public static class ScopeWithDescription {