Deprecate Resource Owner Password Credentials grant

Closes gh-11590

Author: jgrandja

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java

@@ -137,7 +137,13 @@ public OAuth2AuthorizedClientProviderBuilder clientCredentials(
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
+	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
+	 * of the Resource Owner Password Credentials grant. See reference
+	 * <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+	 * 2.0 Security Best Current Practice.</a>
 	 */
+	@Deprecated
 	public OAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
 		return OAuth2AuthorizedClientProviderBuilder.this;
@@ -148,7 +154,13 @@ public OAuth2AuthorizedClientProviderBuilder password() {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
+	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
+	 * of the Resource Owner Password Credentials grant. See reference
+	 * <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+	 * 2.0 Security Best Current Practice.</a>
 	 */
+	@Deprecated
 	public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
 				.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,7 +40,12 @@
  * @since 5.2
  * @see OAuth2AuthorizedClientProvider
  * @see DefaultPasswordTokenResponseClient
+ * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
+ * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+ * 2.0 Security Best Current Practice.</a>
  */
+@Deprecated
 public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
 
 	private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,7 +40,12 @@
  * @since 5.2
  * @see ReactiveOAuth2AuthorizedClientProvider
  * @see WebClientReactivePasswordTokenResponseClient
+ * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
+ * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+ * 2.0 Security Best Current Practice.</a>
  */
+@Deprecated
 public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
 
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java

@@ -139,7 +139,13 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder clientCredentials(
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
+	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
+	 * of the Resource Owner Password Credentials grant. See reference
+	 * <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+	 * 2.0 Security Best Current Practice.</a>
 	 */
+	@Deprecated
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
 				(k) -> new PasswordGrantBuilder());
@@ -151,7 +157,13 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
+	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
+	 * of the Resource Owner Password Credentials grant. See reference
+	 * <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+	 * 2.0 Security Best Current Practice.</a>
 	 */
+	@Deprecated
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders.computeIfAbsent(
 				PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -53,7 +53,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
  * (Resource Owner Password Credentials Grant)</a>
+ * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
+ * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+ * 2.0 Security Best Current Practice.</a>
  */
+@Deprecated
 public final class DefaultPasswordTokenResponseClient
 		implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -30,7 +30,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
  * Password Credentials</a>
+ * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
+ * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+ * 2.0 Security Best Current Practice.</a>
  */
+@Deprecated
 public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
 
 	private final String username;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2020 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -42,7 +42,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
  * (Resource Owner Password Credentials Grant)</a>
+ * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
+ * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+ * 2.0 Security Best Current Practice.</a>
  */
+@Deprecated
 public final class WebClientReactivePasswordTokenResponseClient
 		extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {
 

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java

@@ -57,6 +57,14 @@ public final class AuthorizationGrantType implements Serializable {
 
 	public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
 
+	/**
+	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
+	 * of the Resource Owner Password Credentials grant. See reference
+	 * <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
+	 * 2.0 Security Best Current Practice.</a>
+	 */
+	@Deprecated
 	public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
 
 	/**