Encoded password does not look like BCrypt

BCryptPasswordEncoder shows this warning when it fails to match a raw password with an encoded password.

The hashed password might be “$2b” or “$2y” now.

And there is a bug in Spring Security: its regex always looks for "$2a". Put a debug point at the matches() function in BCryptPasswordEncoder.class.


When the oauth2 dependencies moved to cloud, I started facing this issue. Earlier it was part of the security framework:

<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>

Now it is part of the cloud framework:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-oauth2</artifactId>
</dependency>

So if you are using the cloud dependency (Finchley.RELEASE) then you may need to encode the secret like below:

// Inside a class extending AuthorizationServerConfigurerAdapter;
// passwordEncoder is the injected PasswordEncoder bean and RESOURCE_ID
// is a constant defined elsewhere in the class.
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
    clients
            .inMemory()
            .withClient("clientapp")
            .authorizedGrantTypes("password", "refresh_token")
            .authorities("USER")
            .scopes("read", "write")
            .resourceIds(RESOURCE_ID)
            // store the encoded form; a raw secret makes matches() log the BCrypt warning
            .secret(passwordEncoder.encode("SECRET"));
}

The PasswordEncoder should be set like this:

@Bean
public PasswordEncoder passwordEncoder() {
    // Spring Security 5 delegating encoder: defaults to bcrypt and writes
    // a "{bcrypt}" id prefix in front of every hash it produces.
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}

Can you double check your client secret is encoded?

// clientId, clientSecret, grantType, scopeRead, scopeWrite and resourceIds
// are fields defined elsewhere in the configuration class.
@Override
public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
    configurer
            .inMemory()
            .withClient(clientId)
            // the secret must be stored encoded, not as the raw value
            .secret(passwordEncoder.encode(clientSecret))
            .authorizedGrantTypes(grantType)
            .scopes(scopeRead, scopeWrite)
            .resourceIds(resourceIds);
}
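The two answers above both come down to the stored secret having to be in the form the configured encoder expects. The following stand-alone program is an added example, not code from any of the posters, and walks through the cases: a raw secret (the warning from the question), a plain bcrypt hash, the "{bcrypt}"-prefixed output of the delegating encoder, and the mismatch when a plain hash is checked by the delegating encoder. The `storedSecretIsBcrypt` helper and the value `SECRET` are constructed for the example.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class ClientSecretEncodingCheck {

    // Constructed helper: true when the stored value has the shape bcrypt output has.
    // $2a$, $2b$ and $2y$ are all bcrypt variants; "{bcrypt}" is the id prefix the
    // DelegatingPasswordEncoder writes in Spring Security 5.
    static boolean storedSecretIsBcrypt(String stored) {
        String s = stored.startsWith("{bcrypt}") ? stored.substring("{bcrypt}".length()) : stored;
        return s.matches("\\$2[aby]\\$\\d\\d\\$[./A-Za-z0-9]{53}");
    }

    public static void main(String[] args) {
        String rawSecret = "SECRET"; // constructed sample, not a real credential

        // Case 1: secret stored unencoded, the situation from the question.
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        System.out.println("raw stored, bcrypt matches: " + bcrypt.matches(rawSecret, rawSecret));
        // false, and the encoder logs "Encoded password does not look like BCrypt"

        // Case 2: secret stored as a plain bcrypt hash, checked by BCryptPasswordEncoder.
        String bcryptHash = bcrypt.encode(rawSecret);
        System.out.println("bcrypt stored, bcrypt matches: " + bcrypt.matches(rawSecret, bcryptHash));
        // true

        // Case 3: delegating encoder, which stores e.g. {bcrypt}$2a$10$... and matches it.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String prefixed = delegating.encode(rawSecret);
        System.out.println("delegating output starts with: " + prefixed.substring(0, 12));
        System.out.println("prefixed stored, delegating matches: " + delegating.matches(rawSecret, prefixed));
        // true

        // Case 4: a plain hash checked by the delegating encoder has no "{id}" prefix,
        // so it throws IllegalArgumentException instead of returning false.
        try {
            delegating.matches(rawSecret, bcryptHash);
        } catch (IllegalArgumentException e) {
            System.out.println("delegating encoder, unprefixed hash: " + e.getMessage());
        }

        System.out.println("raw value looks like bcrypt: " + storedSecretIsBcrypt(rawSecret));   // false
        System.out.println("prefixed value looks like bcrypt: " + storedSecretIsBcrypt(prefixed)); // true
    }
}
```

Run it with spring-security-crypto on the classpath; the case that reproduces the warning is the one where the stored value is the raw secret.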