OAuth2TokenFormat' as a subtype of `java.lang.Object`: no such class found

Hi folks, I just migrated from Spring Boot 2.7.* to Spring Boot 3. I migrated the Spring Boot OAuth2 authorization server from 0.3.1 to 1.0.1. It was running well before, but I got some issue, I think from Jackson databind. This is my server configuration. The app runs well, I can even authenticate, but when I call the authorization endpoint it gives a parser error.

This is my configuration:

@Configuration(proxyBeanMethods = false)
@RequiredArgsConstructor
public class AuthorizationServerConfig {
@Bean
@Order(1)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    http.getConfigurer(OAuth2AuthorizationServerConfigurer.class).oidc(Customizer.withDefaults());
    http.addFilterBefore(new CORSFilter(), ChannelProcessingFilter.class);
    http.exceptionHandling(exceptions -> exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")));
    http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
    return http.build();
}

@Bean
public OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
    return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, registeredClientRepository);
}

@Bean
public RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
    return new JdbcRegisteredClientRepository(jdbcTemplate);
}

@Bean
public JWKSource<SecurityContext> jwkSource() {
    RSAKey rsaKey = Jwks.generateRsa();
    JWKSet jwkSet = new JWKSet(rsaKey);
    return (jwkSelector, securityContext) -> jwkSelector.select(jwkSet);
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
    return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public AuthorizationServerSettings authorizationServerSettings() {
    return AuthorizationServerSettings.builder()
            .authorizationEndpoint("/oauth/authorize")
            .tokenEndpoint("/oauth/token")
            .jwkSetEndpoint("/oauth/jwks")
            .tokenRevocationEndpoint("/oauth/revoke")
            .tokenIntrospectionEndpoint("/oauth/introspect")
            .oidcClientRegistrationEndpoint("/connect/register")
            .oidcUserInfoEndpoint("/userinfo")
            .build();
}

@Bean
public TokenSettings tokenSettings() {
    return TokenSettings.builder().build();
}

@Bean
public ClientSettings clientSettings(){
    return ClientSettings.builder()
            .requireAuthorizationConsent(false)
            .requireProofKey(false)
            .build();
}


@Bean
@Primary
public OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository registeredClientRepository) {
    JdbcOAuth2AuthorizationService authorizationService = new JdbcOAuth2AuthorizationService(jdbcTemplate, registeredClientRepository);
    JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper rowMapper = new JdbcOAuth2AuthorizationService.OAuth2AuthorizationRowMapper(registeredClientRepository);
    rowMapper.setObjectMapper(objectMapper());
    authorizationService.setAuthorizationRowMapper(rowMapper);
    return authorizationService;
}

@Bean
@Primary
public ObjectMapper objectMapper() {
    ClassLoader classLoader = JdbcOAuth2AuthorizationService.class.getClassLoader();
    ObjectMapper objectMapper = new ObjectMapper();
    objectMapper.registerModules(new CoreJackson2Module());
    objectMapper.registerModules(SecurityJackson2Modules.getModules(classLoader));
    objectMapper.registerModule(new OAuth2AuthorizationServerJackson2Module());
    objectMapper.registerModule(new WebJackson2Module());
    return objectMapper;
}
}

This is the error:

java.lang.IllegalArgumentException: Could not resolve type id 
'org.springframework.security.oauth2.core.OAuth2TokenFormat' as a subtype of 
`java.lang.Object`: no such class found at [Source: UNKNOWN; byte offset: #UNKNOWN] 
at 

There are 1 best solutions below

Just solved this.

org.springframework.security.oauth2.core.OAuth2TokenFormat (0.3.1) has moved to org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat (1.0.1).

I found the (old) canonical class name in the authorization server database created with 0.3.1, each client entry in table oauth2_registered_client column token_settings contains it. OAuth2TokenFormat instances are created on reading client entries based on the canonical name in field values. Obviously this can't work anymore after moving the class.

The solution is to make sure the field entries contain the correct class name, i.e. org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat

You can either

  1. replace old with new canonical class name in all client entries

or

  2. have your client entries recreated by deleting all table entries, e.g. TRUNCATE `oauth2_registered_client`;

After that the authorization server should start.

Good Luck!
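
The first option written out as SQL, as an added example that is not part of the original answer. The table, column and both class names are the ones quoted above; the backup table name `oauth2_registered_client_bak` is hypothetical, and the statements assume a database with `REPLACE()` and `START TRANSACTION` (MySQL, PostgreSQL).

```sql
-- Added example: rewrite the relocated OAuth2TokenFormat class name that
-- 0.3.1 stored in oauth2_registered_client.token_settings.

-- 1. Count the client rows that still carry the 0.3.1 class name.
SELECT COUNT(*) AS stale_rows
FROM oauth2_registered_client
WHERE token_settings LIKE '%org.springframework.security.oauth2.core.OAuth2TokenFormat%';

-- 2. Keep a copy of the table before touching it (hypothetical table name).
CREATE TABLE oauth2_registered_client_bak AS
SELECT * FROM oauth2_registered_client;

-- 3. Rewrite only the affected rows, inside a transaction.
START TRANSACTION;

UPDATE oauth2_registered_client
SET token_settings = REPLACE(
        token_settings,
        'org.springframework.security.oauth2.core.OAuth2TokenFormat',
        'org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat')
WHERE token_settings LIKE '%org.springframework.security.oauth2.core.OAuth2TokenFormat%';

-- 4. Verify before committing: this must return 0. The old name is not a
--    substring of the new one, so re-running the UPDATE changes nothing.
SELECT COUNT(*) AS stale_rows
FROM oauth2_registered_client
WHERE token_settings LIKE '%org.springframework.security.oauth2.core.OAuth2TokenFormat%';

COMMIT;
```

Correcting the stored type id keeps the allowlist that `SecurityJackson2Modules` applies to polymorphic deserialization intact, so nothing in the `ObjectMapper` configuration has to be loosened to get past the error.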