Spring Security 5.1.x doesn't support it, see Spring Security Reference:
6.6 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
The following main features are available:
- Authorization Code Grant
- Client Credentials Grant
- WebClient extension for Servlet Environments (for making protected resource requests)
HttpSecurity.oauth2Client() provides a number of configuration options for customizing OAuth 2.0 Client.
However, you could use Spring Security OAuth2, see OAuth 2 Developers Guide:
Accessing Protected Resources
As a general rule, a web application should not use password grants, so avoid using ResourceOwnerPasswordResourceDetails if you can in favour of AuthorizationCodeResourceDetails. If you desperately need password grants to work from a Java client, then use the same mechanism to configure your OAuth2RestTemplate and add the credentials to the AccessTokenRequest (which is a Map and is ephemeral) not the ResourceOwnerPasswordResourceDetails (which is shared between all access tokens).
Or you could update to Spring Security 5.2.x, see Spring Security Reference:
11.2 OAuth 2.0 Client
The OAuth 2.0 Client features provide support for the Client role as defined in the OAuth 2.0 Authorization Framework.
At a high-level, the core features available are:
Authorization Grant support
- Authorization Code
- Refresh Token
- Client Credentials
- Resource Owner Password Credentials
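
The Spring Security OAuth2 advice quoted above (credentials in the AccessTokenRequest, not in the shared ResourceOwnerPasswordResourceDetails) could look like the following. This is an added example, not code from the answer or from the Spring documentation; the class name `PasswordGrantClient`, the method `templateFor` and the constructor arguments are assumptions.

```java
import org.springframework.security.oauth2.client.DefaultOAuth2ClientContext;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.token.AccessTokenRequest;
import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest;
import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails;

// Hypothetical helper class (name and shape are assumptions, not a Spring API).
public class PasswordGrantClient {

    // Shared, long-lived configuration: client settings only, no user credentials.
    private final ResourceOwnerPasswordResourceDetails resource;

    public PasswordGrantClient(String tokenUri, String clientId, String clientSecret) {
        resource = new ResourceOwnerPasswordResourceDetails();
        resource.setAccessTokenUri(tokenUri);
        resource.setClientId(clientId);
        resource.setClientSecret(clientSecret);
        // Deliberately no setUsername()/setPassword(): this object is shared
        // between all access tokens, so user credentials must not live here.
    }

    // Builds a template for one user. Create it per user or per request and
    // do not cache it as a singleton, because its context holds that user's token.
    public OAuth2RestTemplate templateFor(String username, String password) {
        // The AccessTokenRequest is a Map scoped to this client context;
        // its entries are sent as parameters of the token request.
        AccessTokenRequest request = new DefaultAccessTokenRequest();
        request.set("username", username);
        request.set("password", password);

        // The context ties the ephemeral request (and the resulting token)
        // to this template instead of to the shared resource details.
        return new OAuth2RestTemplate(resource, new DefaultOAuth2ClientContext(request));
    }
}
```

Each call to `templateFor` yields a template whose token belongs to one user, so two users never share credentials or tokens through the resource details object.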