Support authorization_code grant for OAuth2 client

This commit also refactors OAuth2 client properties. With
the added support for authorization_code clients, client
registrations are now divided into `login` and `authorization_code`.
An environment post processor is used for backward compatibility with
old Open ID Connect login clients.

Closes gh-13812

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/ClientsConfiguredCondition.java

@@ -16,6 +16,7 @@
 package org.springframework.boot.autoconfigure.security.oauth2.client;
 
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.Map;
 import java.util.stream.Collectors;
 
@@ -37,29 +38,44 @@ import org.springframework.core.type.AnnotatedTypeMetadata;
  */
 public class ClientsConfiguredCondition extends SpringBootCondition {
 
-	private static final Bindable<Map<String, OAuth2ClientProperties.Registration>> STRING_REGISTRATION_MAP = Bindable
-			.mapOf(String.class, OAuth2ClientProperties.Registration.class);
+	private static final Bindable<Map<String, OAuth2ClientProperties.LoginClientRegistration>> STRING_LOGIN_REGISTRATION_MAP = Bindable
+			.mapOf(String.class, OAuth2ClientProperties.LoginClientRegistration.class);
+
+	private static final Bindable<Map<String, OAuth2ClientProperties.AuthorizationCodeClientRegistration>> STRING_AUTHORIZATIONCODE_REGISTRATION_MAP = Bindable
+			.mapOf(String.class,
+					OAuth2ClientProperties.AuthorizationCodeClientRegistration.class);
 
 	@Override
 	public ConditionOutcome getMatchOutcome(ConditionContext context,
 			AnnotatedTypeMetadata metadata) {
 		ConditionMessage.Builder message = ConditionMessage
 				.forCondition("OAuth2 Clients Configured Condition");
-		Map<String, OAuth2ClientProperties.Registration> registrations = getRegistrations(
+		Map<String, OAuth2ClientProperties.BaseClientRegistration> registrations = getRegistrations(
 				context.getEnvironment());
 		if (!registrations.isEmpty()) {
-			return ConditionOutcome.match(message
-					.foundExactly("registered clients " + registrations.values().stream()
-							.map(OAuth2ClientProperties.Registration::getClientId)
+			return ConditionOutcome.match(message.foundExactly(
+					"registered clients " + registrations.values().stream().map(
+							OAuth2ClientProperties.BaseClientRegistration::getClientId)
 							.collect(Collectors.joining(", "))));
 		}
 		return ConditionOutcome.noMatch(message.notAvailable("registered clients"));
 	}
 
-	private Map<String, OAuth2ClientProperties.Registration> getRegistrations(
+	private Map<String, OAuth2ClientProperties.BaseClientRegistration> getRegistrations(
 			Environment environment) {
-		return Binder.get(environment).bind("spring.security.oauth2.client.registration",
-				STRING_REGISTRATION_MAP).orElse(Collections.emptyMap());
+		Map<String, OAuth2ClientProperties.BaseClientRegistration> registrations = new HashMap();
+		Map<String, OAuth2ClientProperties.LoginClientRegistration> loginClientRegistrations = Binder
+				.get(environment).bind("spring.security.oauth2.client.registration.login",
+						STRING_LOGIN_REGISTRATION_MAP)
+				.orElse(Collections.emptyMap());
+		Map<String, OAuth2ClientProperties.AuthorizationCodeClientRegistration> authCodeClientRegistrations = Binder
+				.get(environment)
+				.bind("spring.security.oauth2.client.registration.authorizationcode",
+						STRING_AUTHORIZATIONCODE_REGISTRATION_MAP)
+				.orElse(Collections.emptyMap());
+		registrations.putAll(loginClientRegistrations);
+		registrations.putAll(authCodeClientRegistrations);
+		return registrations;
 	}
 
 }

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientProperties.java

@@ -44,31 +44,105 @@ public class OAuth2ClientProperties {
 	/**
 	 * OAuth client registrations.
 	 */
-	private final Map<String, Registration> registration = new HashMap<>();
+	private final Registration registration = new Registration();
 
 	public Map<String, Provider> getProvider() {
 		return this.provider;
 	}
 
-	public Map<String, Registration> getRegistration() {
+	public Registration getRegistration() {
 		return this.registration;
 	}
 
 	@PostConstruct
 	public void validate() {
-		this.getRegistration().values().forEach(this::validateRegistration);
+		this.getRegistration().getLogin().values().forEach(this::validateRegistration);
+		this.getRegistration().getAuthorizationCode().values()
+				.forEach(this::validateRegistration);
 	}
 
-	private void validateRegistration(Registration registration) {
+	private void validateRegistration(BaseClientRegistration registration) {
 		if (!StringUtils.hasText(registration.getClientId())) {
 			throw new IllegalStateException("Client id must not be empty.");
 		}
 	}
 
+	public static class Registration {
+
+		/**
+		 * OpenID Connect client registrations.
+		 */
+		private Map<String, LoginClientRegistration> login = new HashMap<>();
+
+		/**
+		 * OAuth2 authorization_code client registrations.
+		 */
+		private Map<String, AuthorizationCodeClientRegistration> authorizationCode = new HashMap<>();
+
+		public Map<String, LoginClientRegistration> getLogin() {
+			return this.login;
+		}
+
+		public void setLogin(Map<String, LoginClientRegistration> login) {
+			this.login = login;
+		}
+
+		public Map<String, AuthorizationCodeClientRegistration> getAuthorizationCode() {
+			return this.authorizationCode;
+		}
+
+		public void setAuthorizationCode(
+				Map<String, AuthorizationCodeClientRegistration> authorizationCode) {
+			this.authorizationCode = authorizationCode;
+		}
+
+	}
+
 	/**
-	 * A single client registration.
+	 * A single client registration for OpenID Connect login.
 	 */
-	public static class Registration {
+	public static class LoginClientRegistration extends BaseClientRegistration {
+
+		/**
+		 * Redirect URI. May be left blank when using a pre-defined provider.
+		 */
+		private String redirectUriTemplate;
+
+		public String getRedirectUriTemplate() {
+			return this.redirectUriTemplate;
+		}
+
+		public void setRedirectUriTemplate(String redirectUriTemplate) {
+			this.redirectUriTemplate = redirectUriTemplate;
+		}
+
+	}
+
+	/**
+	 * A single client registration for OAuth2 authorization_code flow.
+	 */
+	public static class AuthorizationCodeClientRegistration
+			extends BaseClientRegistration {
+
+		/**
+		 * Redirect URI for the registration.
+		 */
+		private String redirectUri;
+
+		public String getRedirectUri() {
+			return this.redirectUri;
+		}
+
+		public void setRedirectUri(String redirectUri) {
+			this.redirectUri = redirectUri;
+		}
+
+	}
+
+	/**
+	 * Base class for a single client registration.
+	 */
+	public static class BaseClientRegistration {
 
 		/**
 		 * Reference to the OAuth 2.0 provider to use. May reference an element from the
@@ -98,11 +172,6 @@ public class OAuth2ClientProperties {
 		 */
 		private String authorizationGrantType;
 
-		/**
-		 * Redirect URI. May be left blank when using a pre-defined provider.
-		 */
-		private String redirectUriTemplate;
-
 		/**
 		 * Authorization scopes. May be left blank when using a pre-defined provider.
 		 */
@@ -153,14 +222,6 @@ public class OAuth2ClientProperties {
 			this.authorizationGrantType = authorizationGrantType;
 		}
 
-		public String getRedirectUriTemplate() {
-			return this.redirectUriTemplate;
-		}
-
-		public void setRedirectUriTemplate(String redirectUriTemplate) {
-			this.redirectUriTemplate = redirectUriTemplate;
-		}
-
 		public Set<String> getScope() {
 			return this.scope;
 		}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesEnvironmentPostProcessor.java

+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.autoconfigure.security.oauth2.client;
+
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import java.util.function.Supplier;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.context.config.ConfigFileApplicationListener;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.boot.context.properties.source.ConfigurationPropertyName;
+import org.springframework.boot.context.properties.source.ConfigurationPropertySource;
+import org.springframework.boot.context.properties.source.ConfigurationPropertySources;
+import org.springframework.boot.env.EnvironmentPostProcessor;
+import org.springframework.core.Ordered;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.core.env.MapPropertySource;
+
+/**
+ * {@link EnvironmentPostProcessor} that migrates legacy OAuth2 login client properties
+ * under the `spring.security.oauth2.client.login` prefix.
+ *
+ * @author Madhura Bhave
+ * @since 2.1.0
+ */
+public class OAuth2ClientPropertiesEnvironmentPostProcessor
+		implements EnvironmentPostProcessor, Ordered {
+
+	private static final Bindable<Map<String, OAuth2ClientProperties.LoginClientRegistration>> STRING_LEGACY_REGISTRATION_MAP = Bindable
+			.mapOf(String.class, OAuth2ClientProperties.LoginClientRegistration.class);
+
+	private static final String PREFIX = "spring.security.oauth2.client.registration";
+
+	private static final String LOGIN_REGISTRATION_PREFIX = PREFIX + ".login.";
+
+	private static final String UPDATED_PROPERTY_SOURCE_SUFFIX = "-updated-oauth-client";
+
+	private int order = ConfigFileApplicationListener.DEFAULT_ORDER + 1;
+
+	@Override
+	public void postProcessEnvironment(ConfigurableEnvironment environment,
+			SpringApplication application) {
+		environment.getPropertySources().forEach((propertySource) -> {
+			String name = propertySource.getName();
+			Iterable<ConfigurationPropertySource> sources = ConfigurationPropertySources
+					.from(propertySource);
+			ConfigurationPropertySource source = sources.iterator().next();
+			Binder binder = new Binder(sources);
+			Map<String, Object> map = new LinkedHashMap<>();
+			MapPropertySource updatedPropertySource = new MapPropertySource(
+					name + UPDATED_PROPERTY_SOURCE_SUFFIX, map);
+			Map<String, OAuth2ClientProperties.LoginClientRegistration> registrations = binder
+					.bind(PREFIX, STRING_LEGACY_REGISTRATION_MAP)
+					.orElse(Collections.emptyMap());
+			registrations.entrySet()
+					.forEach((entry) -> addProperties(entry, source, map));
+			if (!map.isEmpty()) {
+				environment.getPropertySources().addBefore(name, updatedPropertySource);
+			}
+		});
+	}
+
+	private void addProperties(
+			Map.Entry<String, OAuth2ClientProperties.LoginClientRegistration> entry,
+			ConfigurationPropertySource source, Map<String, Object> map) {
+		OAuth2ClientProperties.LoginClientRegistration registration = entry.getValue();
+		String registrationId = entry.getKey();
+		addProperty(registrationId, "client-id", registration::getClientId, map, source);
+		addProperty(registrationId, "client-secret", registration::getClientSecret, map,
+				source);
+		addProperty(registrationId, "client-name", registration::getClientName, map,
+				source);
+		addProperty(registrationId, "redirect-uri-template",
+				registration::getRedirectUriTemplate, map, source);
+		addProperty(registrationId, "authorization-grant-type",
+				registration::getAuthorizationGrantType, map, source);
+		addProperty(registrationId, "client-authentication-method",
+				registration::getClientAuthenticationMethod, map, source);
+		addProperty(registrationId, "provider", registration::getProvider, map, source);
+		addProperty(registrationId, "scope", registration::getScope, map, source);
+	}
+
+	private void addProperty(String registrationId, String property,
+			Supplier<Object> valueSupplier, Map<String, Object> map,
+			ConfigurationPropertySource source) {
+		String registrationKey = PREFIX + "." + registrationId + ".";
+		String loginRegistrationKey = LOGIN_REGISTRATION_PREFIX + registrationId + ".";
+		if (source.getConfigurationProperty(
+				ConfigurationPropertyName.of(registrationKey + property)) != null) {
+			map.put(loginRegistrationKey + property, valueSupplier.get());
+		}
+	}
+
+	@Override
+	public int getOrder() {
+		return this.order;
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapter.java

@@ -20,7 +20,6 @@ import java.util.HashMap;
 import java.util.Map;
 
 import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.Provider;
-import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.Registration;
 import org.springframework.boot.context.properties.PropertyMapper;
 import org.springframework.boot.convert.ApplicationConversionService;
 import org.springframework.core.convert.ConversionException;
@@ -51,19 +50,35 @@ public final class OAuth2ClientPropertiesRegistrationAdapter {
 	public static Map<String, ClientRegistration> getClientRegistrations(
 			OAuth2ClientProperties properties) {
 		Map<String, ClientRegistration> clientRegistrations = new HashMap<>();
-		properties.getRegistration().forEach((key, value) -> clientRegistrations.put(key,
-				getClientRegistration(key, value, properties.getProvider())));
+		properties.getRegistration().getLogin()
+				.forEach((key, value) -> clientRegistrations.put(key,
+						getLoginClientRegistration(key, value,
+								properties.getProvider())));
+		properties.getRegistration().getAuthorizationCode()
+				.forEach((key, value) -> clientRegistrations.put(key,
+						getAuthorizationCodeClientRegistration(key, value,
+								properties.getProvider())));
 		return clientRegistrations;
 	}
 
-	private static ClientRegistration getClientRegistration(String registrationId,
-			Registration properties, Map<String, Provider> providers) {
+	private static ClientRegistration getAuthorizationCodeClientRegistration(
+			String registrationId,
+			OAuth2ClientProperties.AuthorizationCodeClientRegistration properties,
+			Map<String, Provider> providers) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		Builder builder = getBuilder(map, registrationId, properties, providers);
+		map.from(properties::getRedirectUri).to(builder::redirectUriTemplate);
+		return builder.build();
+	}
+
+	private static Builder getBuilder(PropertyMapper map, String registrationId,
+			OAuth2ClientProperties.BaseClientRegistration properties,
+			Map<String, Provider> providers) {
 		Builder builder = getBuilderFromIssuerIfPossible(registrationId,
 				properties.getProvider(), providers);
 		if (builder == null) {
 			builder = getBuilder(registrationId, properties.getProvider(), providers);
 		}
-		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
 		map.from(properties::getClientId).to(builder::clientId);
 		map.from(properties::getClientSecret).to(builder::clientSecret);
 		map.from(properties::getClientAuthenticationMethod)
@@ -71,10 +86,18 @@ public final class OAuth2ClientPropertiesRegistrationAdapter {
 				.to(builder::clientAuthenticationMethod);
 		map.from(properties::getAuthorizationGrantType).as(AuthorizationGrantType::new)
 				.to(builder::authorizationGrantType);
-		map.from(properties::getRedirectUriTemplate).to(builder::redirectUriTemplate);
 		map.from(properties::getScope).as((scope) -> StringUtils.toStringArray(scope))
 				.to(builder::scope);
 		map.from(properties::getClientName).to(builder::clientName);
+		return builder;
+	}
+
+	private static ClientRegistration getLoginClientRegistration(String registrationId,
+			OAuth2ClientProperties.LoginClientRegistration properties,
+			Map<String, Provider> providers) {
+		PropertyMapper map = PropertyMapper.get().alwaysApplyingWhenNonNull();
+		Builder builder = getBuilder(map, registrationId, properties, providers);
+		map.from(properties::getRedirectUriTemplate).to(builder::redirectUriTemplate);
 		return builder.build();
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfiguration.java

@@ -60,7 +60,8 @@ class OAuth2WebSecurityConfiguration {
 
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
-			http.authorizeRequests().anyRequest().authenticated().and().oauth2Login();
+			http.authorizeRequests().anyRequest().authenticated().and().oauth2Login()
+					.and().oauth2Client().authorizationCodeGrant();
 		}
 
 	}

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -546,6 +546,15 @@
       "name": "spring.session.hazelcast.flush-mode",
       "defaultValue": "on-save"
     },
+    {
+      "name" : "spring.security.oauth2.client.registration",
+      "type" : "java.util.Map<java.lang.String,org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.LoginClientRegistration>",
+      "description" : "Maps client registration-id to a client registration.",
+      "deprecation" : {
+        "replacement" : "spring.security.oauth2.client.registration.login",
+        "level" : "warning"
+      }
+    },
     {
       "name": "spring.session.servlet.filter-dispatcher-types",
       "defaultValue": [

spring-boot-project/spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories

@@ -7,6 +7,10 @@ org.springframework.boot.autoconfigure.logging.ConditionEvaluationReportLoggingL
 org.springframework.context.ApplicationListener=\
 org.springframework.boot.autoconfigure.BackgroundPreinitializer
 
+# Environment Post Processors
+org.springframework.boot.env.EnvironmentPostProcessor=\
+org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientPropertiesEnvironmentPostProcessor
+
 # Auto Configuration Import Listeners
 org.springframework.boot.autoconfigure.AutoConfigurationImportListener=\
 org.springframework.boot.autoconfigure.condition.ConditionEvaluationReportAutoConfigurationImportListener

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesEnvironmentPostProcessorTests.java

+/*
+ * Copyright 2012-2018 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.boot.autoconfigure.security.oauth2.client;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import org.springframework.core.env.MapPropertySource;
+import org.springframework.core.env.MutablePropertySources;
+import org.springframework.core.env.StandardEnvironment;
+import org.springframework.core.env.SystemEnvironmentPropertySource;
+import org.springframework.mock.env.MockEnvironment;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+/**
+ * Tests for {@link OAuth2ClientPropertiesEnvironmentPostProcessor}.
+ *
+ * @author Madhura Bhave
+ */
+public class OAuth2ClientPropertiesEnvironmentPostProcessorTests {
+
+	private OAuth2ClientPropertiesEnvironmentPostProcessor postProcessor = new OAuth2ClientPropertiesEnvironmentPostProcessor();
+
+	private MockEnvironment environment;
+
+	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration.github-client.";
+
+	private static final String ENVIRONMENT_REGISTRATION_PREFIX = "SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_GITHUB-CLIENT_";
+
+	private static final String LOGIN_REGISTRATION_PREFIX = "spring.security.oauth2.client.registration.login.github-client.";
+
+	@Before
+	public void setup() {
+		this.environment = new MockEnvironment();
+	}
+
+	@Test
+	public void postProcessorWhenLegacyPropertiesShouldConvert() {
+		Map<String, Object> properties = new HashMap<>();
+		properties.put(REGISTRATION_PREFIX + "client-id", "my-client-id");
+		properties.put(REGISTRATION_PREFIX + "client-secret", "my-client-secret");
+		properties.put(REGISTRATION_PREFIX + "redirect-uri-template",
+				"http://my-redirect-uri.com");
+		properties.put(REGISTRATION_PREFIX + "provider", "github");
+		properties.put(REGISTRATION_PREFIX + "scope", "user");
+		properties.put(REGISTRATION_PREFIX + "client-name", "my-client-name");
+		properties.put(REGISTRATION_PREFIX + "authorization-grant-type",
+				"authorization_code");
+		properties.put(REGISTRATION_PREFIX + "client-authentication-method", "FORM");
+		MapPropertySource source = new MapPropertySource("test", properties);
+		this.environment.getPropertySources().addFirst(source);
+		this.postProcessor.postProcessEnvironment(this.environment, null);
+		assertPropertyMigration();
+	}
+
+	@Test
+	public void postProcessorDoesNotCopyMissingProperties() {
+		Map<String, Object> properties = new HashMap<>();
+		properties.put(REGISTRATION_PREFIX + "client-id", "my-client-id");
+		MapPropertySource source = new MapPropertySource("test", properties);
+		this.environment.getPropertySources().addFirst(source);
+		this.postProcessor.postProcessEnvironment(this.environment, null);
+		assertThat(this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "client-id"))
+				.isEqualTo("my-client-id");
+		assertThat(
+				this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "client-secret"))
+						.isNull();
+	}
+
+	@Test
+	public void postProcessorWhenLegacyEnvironmentVariablesPropertiesShouldConvert() {
+		Map<String, Object> properties = new HashMap<>();
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "CLIENTID", "my-client-id");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "CLIENTSECRET",
+				"my-client-secret");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "REDIRECTURITEMPLATE",
+				"http://my-redirect-uri.com");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "PROVIDER", "github");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "SCOPE", "user");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "CLIENTNAME", "my-client-name");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "AUTHORIZATIONGRANTTYPE",
+				"authorization_code");
+		properties.put(ENVIRONMENT_REGISTRATION_PREFIX + "CLIENTAUTHENTICATIONMETHOD",
+				"FORM");
+		SystemEnvironmentPropertySource source = new SystemEnvironmentPropertySource(
+				"test-" + StandardEnvironment.SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME,
+				properties);
+		this.environment.getPropertySources().addFirst(source);
+		this.postProcessor.postProcessEnvironment(this.environment, null);
+		assertPropertyMigration();
+	}
+
+	@Test
+	public void postProcessorWhenNewPropertiesShouldDoNothing() {
+		Map<String, Object> properties = new HashMap<>();
+		properties.put(LOGIN_REGISTRATION_PREFIX + "client-id", "my-client-id");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "client-secret", "my-client-secret");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "redirect-uri-template",
+				"http://my-redirect-uri.com");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "provider", "github");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "scope", "user");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "client-name", "my-client-name");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "authorization-grant-type",
+				"authorization_code");
+		properties.put(LOGIN_REGISTRATION_PREFIX + "client-authentication-method",
+				"FORM");
+		MapPropertySource source = new MapPropertySource("test", properties);
+		this.environment.getPropertySources().addFirst(source);
+		MutablePropertySources propertySources = new MutablePropertySources(
+				this.environment.getPropertySources());
+		this.postProcessor.postProcessEnvironment(this.environment, null);
+		assertPropertyMigration();
+		assertThat(this.environment.getPropertySources())
+				.containsExactlyElementsOf(propertySources);
+	}
+
+	private void assertPropertyMigration() {
+		assertThat(this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "client-id"))
+				.isEqualTo("my-client-id");
+		assertThat(
+				this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "client-secret"))
+						.isEqualTo("my-client-secret");
+		assertThat(this.environment
+				.getProperty(LOGIN_REGISTRATION_PREFIX + "redirect-uri-template"))
+						.isEqualTo("http://my-redirect-uri.com");
+		assertThat(this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "provider"))
+				.isEqualTo("github");
+		assertThat(this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "scope"))
+				.isEqualTo("user");
+		assertThat(
+				this.environment.getProperty(LOGIN_REGISTRATION_PREFIX + "client-name"))
+						.isEqualTo("my-client-name");
+		assertThat(this.environment
+				.getProperty(LOGIN_REGISTRATION_PREFIX + "authorization-grant-type"))
+						.isEqualTo("authorization_code");
+		assertThat(this.environment
+				.getProperty(LOGIN_REGISTRATION_PREFIX + "client-authentication-method"))
+						.isEqualTo("FORM");
+	}
+
+}

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesTests.java

@@ -20,6 +20,9 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.AuthorizationCodeClientRegistration;
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties.LoginClientRegistration;
+
 /**
  * Tests for {@link OAuth2ClientProperties}.
  *
@@ -34,11 +37,11 @@ public class OAuth2ClientPropertiesTests {
 	public ExpectedException thrown = ExpectedException.none();
 
 	@Test
-	public void clientIdAbsentThrowsException() {
-		OAuth2ClientProperties.Registration registration = new OAuth2ClientProperties.Registration();
+	public void clientIdAbsentForLoginClientsThrowsException() {
+		LoginClientRegistration registration = new LoginClientRegistration();
 		registration.setClientSecret("secret");
 		registration.setProvider("google");
-		this.properties.getRegistration().put("foo", registration);
+		this.properties.getRegistration().getLogin().put("foo", registration);
 		this.thrown.expect(IllegalStateException.class);
 		this.thrown.expectMessage("Client id must not be empty.");
 		this.properties.validate();
@@ -46,10 +49,30 @@ public class OAuth2ClientPropertiesTests {
 
 	@Test
 	public void clientSecretAbsentShouldNotThrowException() {
-		OAuth2ClientProperties.Registration registration = new OAuth2ClientProperties.Registration();
+		LoginClientRegistration registration = new LoginClientRegistration();
+		registration.setClientId("foo");
+		registration.setProvider("google");
+		this.properties.getRegistration().getLogin().put("foo", registration);
+		this.properties.validate();
+	}
+
+	@Test
+	public void clientIdAbsentForAuthorizationCodeClientsThrowsException() {
+		AuthorizationCodeClientRegistration registration = new AuthorizationCodeClientRegistration();
+		registration.setClientSecret("secret");
+		registration.setProvider("google");
+		this.properties.getRegistration().getAuthorizationCode().put("foo", registration);
+		this.thrown.expect(IllegalStateException.class);
+		this.thrown.expectMessage("Client id must not be empty.");
+		this.properties.validate();
+	}
+
+	@Test
+	public void clientSecretAbsentForAuthorizationCodeClientDoesNotThrowException() {
+		AuthorizationCodeClientRegistration registration = new AuthorizationCodeClientRegistration();
 		registration.setClientId("foo");
 		registration.setProvider("google");
-		this.properties.getRegistration().put("foo", registration);
+		this.properties.getRegistration().getAuthorizationCode().put("foo", registration);
 		this.properties.validate();
 	}
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientAutoConfigurationTests.java

@@ -37,7 +37,7 @@ public class ReactiveOAuth2ClientAutoConfigurationTests {
 			.withConfiguration(
 					AutoConfigurations.of(ReactiveOAuth2ClientAutoConfiguration.class));
 
-	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration";
+	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration.login";
 
 	@Test
 	public void autoConfigurationShouldImportConfigurations() {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/reactive/ReactiveOAuth2ClientRegistrationRepositoryConfigurationTests.java

@@ -33,7 +33,7 @@ public class ReactiveOAuth2ClientRegistrationRepositoryConfigurationTests {
 
 	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner();
 
-	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration";
+	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration.login";
 
 	@Test
 	public void clientRegistrationRepositoryBeanShouldNotBeCreatedWhenPropertiesAbsent() {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2ClientRegistrationRepositoryConfigurationTests.java

@@ -33,7 +33,7 @@ public class OAuth2ClientRegistrationRepositoryConfigurationTests {
 
 	private final ApplicationContextRunner contextRunner = new ApplicationContextRunner();
 
-	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration";
+	private static final String REGISTRATION_PREFIX = "spring.security.oauth2.client.registration.login";
 
 	@Test
 	public void clientRegistrationRepositoryBeanShouldNotBeCreatedWhenPropertiesAbsent() {

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2WebSecurityConfigurationTests.java

@@ -39,7 +39,7 @@ import org.springframework.security.oauth2.client.registration.ClientRegistratio
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.web.AuthenticatedPrincipalOAuth2AuthorizedClientRepository;
-import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationCodeGrantFilter;
 import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
 import org.springframework.security.oauth2.client.web.OAuth2LoginAuthenticationFilter;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
@@ -68,7 +68,9 @@ public class OAuth2WebSecurityConfigurationTests {
 					ClientRegistrationRepository expected = context
 							.getBean(ClientRegistrationRepository.class);
 					ClientRegistrationRepository actual = (ClientRegistrationRepository) ReflectionTestUtils
-							.getField(getAuthCodeFilters(context).get(0),
+							.getField(
+									getFilters(context,
+											OAuth2LoginAuthenticationFilter.class).get(0),
 									"clientRegistrationRepository");
 					assertThat(isEqual(expected.findByRegistrationId("first"),
 							actual.findByRegistrationId("first"))).isTrue();
@@ -78,11 +80,34 @@ public class OAuth2WebSecurityConfigurationTests {
 	}
 
 	@Test
-	public void securityConfigurerBacksOffWhenClientRegistrationBeanAbsent() {
+	public void securityConfigurerConfiguresAuthorizationCode() {
 		this.contextRunner
-				.withUserConfiguration(TestConfig.class,
+				.withUserConfiguration(ClientRegistrationRepositoryConfiguration.class,
 						OAuth2WebSecurityConfiguration.class)
-				.run((context) -> assertThat(getAuthCodeFilters(context)).isEmpty());
+				.run((context) -> {
+					ClientRegistrationRepository expected = context
+							.getBean(ClientRegistrationRepository.class);
+					ClientRegistrationRepository actual = (ClientRegistrationRepository) ReflectionTestUtils
+							.getField(getFilters(context,
+									OAuth2AuthorizationCodeGrantFilter.class).get(0),
+									"clientRegistrationRepository");
+					assertThat(isEqual(expected.findByRegistrationId("first"),
+							actual.findByRegistrationId("first"))).isTrue();
+					assertThat(isEqual(expected.findByRegistrationId("second"),
+							actual.findByRegistrationId("second"))).isTrue();
+				});
+	}
+
+	@Test
+	public void securityConfigurerBacksOffWhenClientRegistrationBeanAbsent() {
+		this.contextRunner.withUserConfiguration(TestConfig.class,
+				OAuth2WebSecurityConfiguration.class).run((context) -> {
+					assertThat(getFilters(context, OAuth2LoginAuthenticationFilter.class))
+							.isEmpty();
+					assertThat(
+							getFilters(context, OAuth2AuthorizationCodeGrantFilter.class))
+									.isEmpty();
+				});
 	}
 
 	@Test
@@ -107,7 +132,11 @@ public class OAuth2WebSecurityConfigurationTests {
 	public void securityConfigurerBacksOffWhenOtherWebSecurityAdapterPresent() {
 		this.contextRunner.withUserConfiguration(TestWebSecurityConfigurerConfig.class,
 				OAuth2WebSecurityConfiguration.class).run((context) -> {
-					assertThat(getAuthCodeFilters(context)).isEmpty();
+					assertThat(getFilters(context, OAuth2LoginAuthenticationFilter.class))
+							.isEmpty();
+					assertThat(
+							getFilters(context, OAuth2AuthorizationCodeGrantFilter.class))
+									.isEmpty();
 					assertThat(context).getBean(OAuth2AuthorizedClientService.class)
 							.isNotNull();
 				});
@@ -137,19 +166,14 @@ public class OAuth2WebSecurityConfigurationTests {
 	}
 
 	@SuppressWarnings("unchecked")
-	private List<Filter> getAuthCodeFilters(AssertableApplicationContext context) {
+	private List<Filter> getFilters(AssertableApplicationContext context,
+			Class<? extends Filter> filter) {
 		FilterChainProxy filterChain = (FilterChainProxy) context
 				.getBean(BeanIds.SPRING_SECURITY_FILTER_CHAIN);
 		List<SecurityFilterChain> filterChains = filterChain.getFilterChains();
 		List<Filter> filters = (List<Filter>) ReflectionTestUtils
 				.getField(filterChains.get(0), "filters");
-		List<Filter> oauth2Filters = filters.stream()
-				.filter((f) -> f instanceof OAuth2LoginAuthenticationFilter
-						|| f instanceof OAuth2AuthorizationRequestRedirectFilter)
-				.collect(Collectors.toList());
-		return oauth2Filters.stream()
-				.filter((f) -> f instanceof OAuth2LoginAuthenticationFilter)
-				.collect(Collectors.toList());
+		return filters.stream().filter(filter::isInstance).collect(Collectors.toList());
 	}
 
 	private boolean isEqual(ClientRegistration reg1, ClientRegistration reg2) {

spring-boot-samples/spring-boot-sample-oauth2-client/src/main/resources/application.yml

@@ -3,23 +3,32 @@ spring:
     oauth2:
       client:
         registration:
-          github-client-1:
-            client-id: ${APP-CLIENT-ID}
-            client-secret: ${APP-CLIENT-SECRET}
-            client-name: Github user
-            provider: github
-            scope: user
-            redirect-uri-template: http://localhost:8080/login/oauth2/code/github
-          github-client-2:
-            client-id: ${APP-CLIENT-ID}
-            client-secret: ${APP-CLIENT-SECRET}
-            client-name: Github email
-            provider: github
-            scope: user:email
-            redirect-uri-template: http://localhost:8080/login/oauth2/code/github
-          yahoo-oidc:
-            client-id: ${YAHOO-CLIENT-ID}
-            client-secret: ${YAHOO-CLIENT-SECRET}
+          login:
+            github-client-1:
+              client-id: ${APP-CLIENT-ID}
+              client-secret: ${APP-CLIENT-SECRET}
+              client-name: Github user
+              provider: github
+              scope: user
+              redirect-uri-template: http://localhost:8080/login/oauth2/code/github
+            github-client-2:
+              client-id: ${APP-CLIENT-ID}
+              client-secret: ${APP-CLIENT-SECRET}
+              client-name: Github email
+              provider: github
+              scope: user:email
+              redirect-uri-template: http://localhost:8080/login/oauth2/code/github
+            yahoo-oidc:
+              client-id: a
+              client-secret: b
+          authorization_code:
+            github-repos:
+              client-id: ${APP-CLIENT-ID}
+              client-secret: ${APP-CLIENT-SECRET}
+              scope: public_repo
+              redirect-uri: "{baseUrl}/github-repos"
+              provider: github
+              client-name: GitHub Repositories
         provider:
           yahoo-oidc:
             issuer-uri: https://api.login.yahoo.com/
\ No newline at end of file

spring-boot-samples/spring-boot-sample-oauth2-client/src/test/java/sample/oauth2/client/SampleOAuth2ClientApplicationTests.java

@@ -53,7 +53,7 @@ public class SampleOAuth2ClientApplicationTests {
 	}
 
 	@Test
-	public void loginShouldHaveBothOAuthClientsToChooseFrom() {
+	public void loginShouldHaveBothOAuth2LoginClientsToChooseFrom() {
 		ResponseEntity<String> entity = this.restTemplate.getForEntity("/login",
 				String.class);
 		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
@@ -62,4 +62,12 @@ public class SampleOAuth2ClientApplicationTests {
 		assertThat(entity.getBody()).contains("/oauth2/authorization/github-client-2");
 	}
 
+	@Test
+	public void authorizationCodeClientIsPresent() {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/login",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(entity.getBody()).contains("/oauth2/authorization/github-repos");
+	}
+
 }

spring-boot-samples/spring-boot-sample-reactive-oauth2-client/src/main/resources/application.yml

@@ -3,23 +3,24 @@ spring:
     oauth2:
       client:
         registration:
-          github-client-1:
-            client-id: ${APP-CLIENT-ID}
-            client-secret: ${APP-CLIENT-SECRET}
-            client-name: Github user
-            provider: github
-            scope: user
-            redirect-uri-template: http://localhost:8080/login/oauth2/code/github
-          github-client-2:
-            client-id: ${APP-CLIENT-ID}
-            client-secret: ${APP-CLIENT-SECRET}
-            client-name: Github email
-            provider: github
-            scope: user:email
-            redirect-uri-template: http://localhost:8080/login/oauth2/code/github
-          yahoo-oidc:
-            client-id: ${YAHOO-CLIENT-ID}
-            client-secret: ${YAHOO-CLIENT-SECRET}
+          login:
+            github-client-1:
+              client-id: ${APP-CLIENT-ID}
+              client-secret: ${APP-CLIENT-SECRET}
+              client-name: Github user
+              provider: github
+              scope: user
+              redirect-uri-template: http://localhost:8080/login/oauth2/code/github
+            github-client-2:
+              client-id: ${APP-CLIENT-ID}
+              client-secret: ${APP-CLIENT-SECRET}
+              client-name: Github email
+              provider: github
+              scope: user:email
+              redirect-uri-template: http://localhost:8080/login/oauth2/code/github
+            yahoo-oidc:
+              client-id: ${YAHOO-CLIENT-ID}
+              client-secret: ${YAHOO-CLIENT-SECRET}
         provider:
           yahoo-oidc:
             issuer-uri: https://api.login.yahoo.com/
\ No newline at end of file