Enable `upgradeEncoding` for OAuth2 client secrets

[shanman190]

Presently, there isn't a built in mechanism to upgrade the encoding on an OAuth2 Client outside of simply outright changing the credential. I think it would be a tremendous addition to allow the PasswordEncoder.upgradleEncoding(String) method to be called upon successfully authenticating the OAuth2 client. This would then enable usage of a DelegatingPasswordEncoder to be able to transition the encoding of secrets from one encoder to another.

Initially looking, this seems like it would happen here:

spring-authorization-server/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/ClientSecretAuthenticationProvider.java

Line 116 in eae6630

if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {

Maybe something like:

if (!this.passwordEncoder.matches(clientSecret, registeredClient.getClientSecret())) {
	throwInvalidClient(OAuth2ParameterNames.CLIENT_SECRET);
} else {
	RegisteredClient updated = RegisteredClient.from(registeredClient)
			.secret(this.passwordEncoder.upgradeEncoding(clientSecret))
			.build();
	this.registeredClientRepository.save(updated);
}

[jgrandja]

Thanks for the request @shanman190. We might consider adding this enhancement in the future but right now we have other priority items we're targeting for 1.1 release.

[shanman190]

@jgrandja, I don't have any issues submitting a PR, if that would help make it easier for you all? Do you think such a PR would make it to the 1.1 release, if it was completed in time?

[jgrandja]

@shanman190 If you can submit a PR that would help for sure. Please ensure there is test coverage in ClientSecretAuthenticationProviderTests and OAuth2ClientCredentialsGrantTests. Thanks.

[Waylon-Firework]

#1337