spring-security/docs/modules/ROOT/pages/migration/servlet/oauth2.adoc

= OAuth 2.0 Migrations

== Validate `typ` Header with `JwtTypeValidator`

If when following the 6.5 preparatory steps you set `validateTypes` to `false`, you can now remove it.
You can also remove explicitly adding `JwtTypeValidator` to the list of defaults.

For example, change this:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
JwtDecoder jwtDecoder() {
	NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) <1>
        // ... your remaining configuration
        .build();
	jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
		new JwtIssuerValidator(location), JwtTypeValidator.jwt())); <2>
	return jwtDecoder;
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        .validateTypes(false) <1>
        // ... your remaining configuration
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithValidators(
        JwtIssuerValidator(location), JwtTypeValidator.jwt())) <2>
    return jwtDecoder
}
----
======
<1> - Switch off Nimbus verifying the `typ`
<2> - Add the default `typ` validator

to this:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
JwtDecoder jwtDecoder() {
	NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration <1>
        .build();
	jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)); <2>
	return jwtDecoder;
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun jwtDecoder(): JwtDecoder {
    val jwtDecoder = NimbusJwtDecoder.withIssuerLocation(location)
        // ... your remaining configuration
        .build()
    jwtDecoder.setJwtValidator(JwtValidators.createDefaultWithIssuer(location)) <2>
    return jwtDecoder
}
----
======
<1> - `validateTypes` now defaults to `false`
<2> - `JwtTypeValidator#jwt` is added by all `createDefaultXXX` methods

== Do Not Process `<saml2:Response>` GET Requests with `Saml2AuthenticationTokenConverter`

Spring Security does not support processing `<saml2:Response>` payloads over GET as this is not supported by the SAML 2.0 spec.

To better comply with this, `Saml2AuthenticationTokenConverter` and `OpenSaml5AuthenticationTokenConverter` will not process GET requests by default as of Spring Security 8.
To prepare for this, the property `shouldConvertGetRequests` is available.
To use it, publish your own converter like so:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
@Bean
OpenSaml5AuthenticationTokenConverter authenticationConverter(RelyingPartyRegistrationRepository registrations) {
	OpenSaml5AuthenticationTokenConverter authenticationConverter = new OpenSaml5AuthenticationTokenConverter(registrations);
	authenticationConverter.setShouldConvertGetRequests(false);
	return authenticationConverter;
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
fun authenticationConverter(val registrations: RelyingPartyRegistrationRepository): Saml2AuthenticationTokenConverter {
	val authenticationConverter = Saml2AuthenticationTokenConverter(registrations)
	authenticationConverter.setShouldConvertGetRequests(false)
	return authenticationConverter
}
----
======

If you must continue using `Saml2AuthenticationTokenConverter` or `OpenSaml5AuthenticationTokenConverter` to process GET requests, you can call `setShouldConvertGetRequests` to `true.`

== Provide an AuthenticationConverter to BearerTokenAuthenticationFilter

In Spring Security 7, `BearerTokenAuthenticationFilter#setBearerTokenResolver` and `#setAuthenticaionDetailsSource` are deprecated in favor of configuring those on `BearerTokenAuthenticationConverter`.

The `oauth2ResourceServer` DSL addresses most use cases and you need to nothing.

If you are setting a `BearerTokenResolver` or `AuthenticationDetailsSource` directly on `BearerTokenAuthenticationFilter` similar to the following:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager);
filter.setBearerTokenResolver(myBearerTokenResolver);
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val filter = BearerTokenAuthenticationFilter(authenticationManager)
filter.setBearerTokenResolver(myBearerTokenResolver)
filter.setAuthenticationDetailsSource(myAuthenticationDetailsSource)
----
======

you are encouraged to use `BearerTokenAuthenticationConverter` to specify both:

[tabs]
======
Java::
+
[source,java,role="primary"]
----
BearerTokenAuthenticationConverter authenticationConverter =
    new BearerTokenAuthenticationConverter();
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver);
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource);
BearerTokenAuthenticationFilter filter = new BearerTokenAuthenticationFilter(authenticationManager, authenicationConverter);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
val authenticationConverter = BearerTokenAuthenticationConverter()
authenticationConverter.setBearerTokenResolver(myBearerTokenResolver)
authenticationConverter.setAuthenticationDetailsSource(myAuthenticationDetailsSource)
val filter = BearerTokenAuthenticationFilter(authenticationManager, authenticationConverter)
----
======