Spring Security OAuth 2.0.4.RELEASE is available now in the usual repositories. It's a bug fix release, so upgrading is recommended, but there is also a small set of new features:
The OAuth2Request (in the OAuth2Authentication) can now be queried explicitly to find the grant type for the associated token. If the token is being refreshed, the grant type in the OAuth2Request presented to a TokenEnhancer is the original grant type, not "refresh_token".
The client authorities are exposed in the "/check_token" endpoint.
Password grants are more flexible and open to extension because both client and server can add additional parameters to the request. A custom AuthenticationManager on the server side should still expect a UsernamePasswordAuthenticationToken, but the additional parameters will be available in the AuthenticationDetails. Multi-factor authentication for mobile devices could be implemented in this way, for instance.
Keystore support for JWT token signing and verification. The user provides a Resource and a password and can then lift the keys out of the store by name. As long as they are RSA keys, they can be injected into a JwtAccessTokenConverter (using a new setter).
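
The password-grant extension point described above, sketched as an added example (not code from the release or the project): a custom AuthenticationManager that checks the password first and then a one-time code sent as an extra request parameter. It assumes the details object on the token is a Map of the request parameters; the parameter name otp_code and the OtpVerifier interface are hypothetical.

```java
import java.util.Map;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

// Added example: second factor carried as an extra password-grant parameter.
public class OtpCheckingAuthenticationManager implements AuthenticationManager {

    // Hypothetical application interface; not part of Spring Security OAuth.
    public interface OtpVerifier {
        boolean verify(String username, String code);
    }

    private static final String OTP_PARAM = "otp_code"; // assumed parameter name
    private final AuthenticationManager delegate;       // verifies username and password
    private final OtpVerifier otpVerifier;

    public OtpCheckingAuthenticationManager(AuthenticationManager delegate, OtpVerifier otpVerifier) {
        this.delegate = delegate;
        this.otpVerifier = otpVerifier;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!(authentication instanceof UsernamePasswordAuthenticationToken)) {
            throw new BadCredentialsException("Bad credentials");
        }
        // First factor: the delegate throws if the password is wrong.
        Authentication result = delegate.authenticate(authentication);

        // Second factor: read the extra parameter from the details (assumed to be a Map).
        Object details = authentication.getDetails();
        Object code = details instanceof Map ? ((Map<?, ?>) details).get(OTP_PARAM) : null;
        // Missing, malformed and wrong codes all fail with the same message.
        if (!(code instanceof String) || !((String) code).matches("\\d{6}")
                || !otpVerifier.verify(result.getName(), (String) code)) {
            throw new BadCredentialsException("Bad credentials");
        }
        return result;
    }
}
```

An instance of this class would be passed to AuthorizationServerEndpointsConfigurer.authenticationManager(...) in the authorization server configuration so that the password grant uses it.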