Mark password grant for removal

This commit also updates link to the document "Best Current Practice for
OAuth 2.0 Security" to point to RFC 9700.

Closes gh-16913

Author: sjohnr

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/OAuth2AuthorizedClientProviderBuilder.java

@@ -138,13 +138,12 @@ public OAuth2AuthorizedClientProviderBuilder clientCredentials(
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public OAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());
 		return OAuth2AuthorizedClientProviderBuilder.this;
@@ -155,13 +154,12 @@ public OAuth2AuthorizedClientProviderBuilder password() {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link OAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public OAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
 			.computeIfAbsent(PasswordOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordOAuth2AuthorizedClientProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,12 +40,12 @@
  * @since 5.2
  * @see OAuth2AuthorizedClientProvider
  * @see DefaultPasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
  */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class PasswordOAuth2AuthorizedClientProvider implements OAuth2AuthorizedClientProvider {
 
 	private OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new DefaultPasswordTokenResponseClient();

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/PasswordReactiveOAuth2AuthorizedClientProvider.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -40,12 +40,12 @@
  * @since 5.2
  * @see ReactiveOAuth2AuthorizedClientProvider
  * @see WebClientReactivePasswordTokenResponseClient
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
  */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class PasswordReactiveOAuth2AuthorizedClientProvider implements ReactiveOAuth2AuthorizedClientProvider {
 
 	private ReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> accessTokenResponseClient = new WebClientReactivePasswordTokenResponseClient();

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/ReactiveOAuth2AuthorizedClientProviderBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -139,13 +139,12 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder clientCredentials(
 	/**
 	 * Configures support for the {@code password} grant.
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
 		this.builders.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class,
 				(k) -> new PasswordGrantBuilder());
@@ -157,13 +156,12 @@ public ReactiveOAuth2AuthorizedClientProviderBuilder password() {
 	 * @param builderConsumer a {@code Consumer} of {@link PasswordGrantBuilder} used for
 	 * further configuration
 	 * @return the {@link ReactiveOAuth2AuthorizedClientProviderBuilder}
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public ReactiveOAuth2AuthorizedClientProviderBuilder password(Consumer<PasswordGrantBuilder> builderConsumer) {
 		PasswordGrantBuilder builder = (PasswordGrantBuilder) this.builders
 			.computeIfAbsent(PasswordReactiveOAuth2AuthorizedClientProvider.class, (k) -> new PasswordGrantBuilder());

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/DefaultPasswordTokenResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -52,12 +52,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
  * (Resource Owner Password Credentials Grant)</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
  */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class DefaultPasswordTokenResponseClient
 		implements OAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -35,12 +35,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-1.3.3">Section 1.3.3 Resource Owner
  * Password Credentials</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
  */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public class OAuth2PasswordGrantRequest extends AbstractOAuth2AuthorizationGrantRequest {
 
 	private final String username;

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/OAuth2PasswordGrantRequestEntityConverter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -38,7 +38,7 @@
  * @see RequestEntity
  * @deprecated Use {@link DefaultOAuth2TokenRequestParametersConverter} instead
  */
-@Deprecated(since = "6.4")
+@Deprecated(since = "6.4", forRemoval = true)
 public class OAuth2PasswordGrantRequestEntityConverter
 		extends AbstractOAuth2AuthorizationGrantRequestEntityConverter<OAuth2PasswordGrantRequest> {
 

oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/endpoint/WebClientReactivePasswordTokenResponseClient.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2024 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,12 +37,12 @@
  * @see <a target="_blank" href=
  * "https://tools.ietf.org/html/rfc6749#section-4.3.3">Section 4.3.3 Access Token Response
  * (Resource Owner Password Credentials Grant)</a>
- * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use of
- * the Resource Owner Password Credentials grant. See reference <a target="_blank" href=
- * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
- * 2.0 Security Best Current Practice.</a>
+ * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+ * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+ * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+ * Current Practice.</a>
  */
-@Deprecated
+@Deprecated(since = "5.8", forRemoval = true)
 public final class WebClientReactivePasswordTokenResponseClient
 		extends AbstractWebClientReactiveOAuth2AccessTokenResponseClient<OAuth2PasswordGrantRequest> {
 

oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/AuthorizationGrantType.java

@@ -48,13 +48,12 @@ public final class AuthorizationGrantType implements Serializable {
 	public static final AuthorizationGrantType CLIENT_CREDENTIALS = new AuthorizationGrantType("client_credentials");
 
 	/**
-	 * @deprecated The latest OAuth 2.0 Security Best Current Practice disallows the use
-	 * of the Resource Owner Password Credentials grant. See reference
-	 * <a target="_blank" href=
-	 * "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics-19#section-2.4">OAuth
-	 * 2.0 Security Best Current Practice.</a>
+	 * @deprecated The OAuth 2.0 Security Best Current Practice disallows the use of the
+	 * Resource Owner Password Credentials grant. See reference <a target="_blank" href=
+	 * "https://datatracker.ietf.org/doc/html/rfc9700#section-2.4">OAuth 2.0 Security Best
+	 * Current Practice.</a>
 	 */
-	@Deprecated
+	@Deprecated(since = "5.8", forRemoval = true)
 	public static final AuthorizationGrantType PASSWORD = new AuthorizationGrantType("password");
 
 	/**