Fix NotSerializableException in

SerializationSamples
Explicitly configure Instancio for OneTimeTokenAuthenticationToken in SerializationSamples.java.
This ensures that the generated test instances use a valid, serializable principal (null) instead of the default Object() which causes serialization failures.

Author: 023-dev

config/src/test/java/org/springframework/security/SerializationSamples.java

@@ -367,10 +367,9 @@ final class SerializationSamples {
 		generatorByClassName.put(ClientAuthorizationRequiredException.class,
 				(r) -> new ClientAuthorizationRequiredException("id"));
 		generatorByClassName
-				.put(OAuth2AuthorizedClientRefreshedEvent.class, (r) -> new OAuth2AuthorizedClientRefreshedEvent(
-						TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
-						new OAuth2AuthorizedClient(clientRegistration, "principal",
-								TestOAuth2AccessTokens.noScopes())));
+			.put(OAuth2AuthorizedClientRefreshedEvent.class, (r) -> new OAuth2AuthorizedClientRefreshedEvent(
+					TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
+					new OAuth2AuthorizedClient(clientRegistration, "principal", TestOAuth2AccessTokens.noScopes())));
 		generatorByClassName.put(OidcUserRefreshedEvent.class,
 				(r) -> new OidcUserRefreshedEvent(TestOAuth2AccessTokenResponses.accessTokenResponse().build(),
 						TestOidcUsers.create(), TestOidcUsers.create(), authentication));
@@ -418,28 +417,28 @@ final class SerializationSamples {
 				(r) -> applyDetails(new DPoPAuthenticationToken("token", "proof", "method", "uri")));
 		generatorByClassName.put(OAuth2ProtectedResourceMetadata.class,
 				(r) -> OAuth2ProtectedResourceMetadata.builder()
-						.resource("https://localhost/resource")
-						.authorizationServer("https://localhost/authorizationServer")
-						.scope("scope")
-						.bearerMethod("bearerMethod")
-						.resourceName("resourceName")
-						.tlsClientCertificateBoundAccessTokens(true)
-						.build());
+					.resource("https://localhost/resource")
+					.authorizationServer("https://localhost/authorizationServer")
+					.scope("scope")
+					.bearerMethod("bearerMethod")
+					.resourceName("resourceName")
+					.tlsClientCertificateBoundAccessTokens(true)
+					.build());
 
 		// oauth2-authorization-server
 		RegisteredClient registeredClient = TestRegisteredClients.registeredClient().build();
 		OAuth2Authorization authorization = TestOAuth2Authorizations.authorization(registeredClient).build();
 		OAuth2AuthorizationRequest authorizationRequest = authorization
-				.getAttribute(OAuth2AuthorizationRequest.class.getName());
+			.getAttribute(OAuth2AuthorizationRequest.class.getName());
 		Authentication principal = authorization.getAttribute(Principal.class.getName());
 		generatorByClassName.put(RegisteredClient.class, (r) -> registeredClient);
 		generatorByClassName.put(OAuth2Authorization.class, (r) -> authorization);
 		generatorByClassName.put(OAuth2Authorization.Token.class, (r) -> authorization.getAccessToken());
 		generatorByClassName.put(OAuth2AuthorizationConsent.class,
 				(r) -> OAuth2AuthorizationConsent.withId("registeredClientId", "principalName")
-						.scope("scope1")
-						.scope("scope2")
-						.build());
+					.scope("scope1")
+					.scope("scope2")
+					.build());
 		generatorByClassName.put(OAuth2AuthorizationCodeRequestAuthenticationToken.class, (r) -> {
 			OAuth2AuthorizationCodeRequestAuthenticationToken authenticationToken = new OAuth2AuthorizationCodeRequestAuthenticationToken(
 					"authorizationUri", "clientId", principal, "redirectUri", "state", authorizationRequest.getScopes(),
@@ -500,10 +499,10 @@ final class SerializationSamples {
 			return authenticationToken;
 		});
 		OAuth2ClientRegistration oauth2ClientRegistration = OAuth2ClientRegistration.builder()
-				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
-				.scope("scope1")
-				.redirectUri("https://localhost/oauth2/callback")
-				.build();
+			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
+			.scope("scope1")
+			.redirectUri("https://localhost/oauth2/callback")
+			.build();
 		generatorByClassName.put(OAuth2ClientRegistration.class, (r) -> oauth2ClientRegistration);
 		generatorByClassName.put(OAuth2ClientRegistrationAuthenticationToken.class, (r) -> {
 			OAuth2ClientRegistrationAuthenticationToken authenticationToken = new OAuth2ClientRegistrationAuthenticationToken(
@@ -512,10 +511,10 @@ final class SerializationSamples {
 			return authenticationToken;
 		});
 		OidcClientRegistration oidcClientRegistration = OidcClientRegistration.builder()
-				.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
-				.scope("scope1")
-				.redirectUri("https://localhost/oauth2/callback")
-				.build();
+			.grantType(AuthorizationGrantType.AUTHORIZATION_CODE.getValue())
+			.scope("scope1")
+			.redirectUri("https://localhost/oauth2/callback")
+			.build();
 		generatorByClassName.put(OidcClientRegistration.class, (r) -> oidcClientRegistration);
 		generatorByClassName.put(OidcClientRegistrationAuthenticationToken.class, (r) -> {
 			OidcClientRegistrationAuthenticationToken authenticationToken = new OidcClientRegistrationAuthenticationToken(
@@ -532,9 +531,9 @@ final class SerializationSamples {
 		});
 		generatorByClassName.put(OidcLogoutAuthenticationToken.class, (r) -> {
 			OidcIdToken idToken = OidcIdToken.withTokenValue("tokenValue")
-					.issuedAt(Instant.now())
-					.expiresAt(Instant.now().plusSeconds(60))
-					.build();
+				.issuedAt(Instant.now())
+				.expiresAt(Instant.now().plusSeconds(60))
+				.build();
 			OidcLogoutAuthenticationToken authenticationToken = new OidcLogoutAuthenticationToken(idToken, principal,
 					"sessionId", "clientId", "postLogoutRedirectUri", "state");
 			authenticationToken.setDetails(details);
@@ -556,21 +555,21 @@ final class SerializationSamples {
 		});
 		generatorByClassName.put(OAuth2AuthorizationServerMetadata.class,
 				(r) -> OAuth2AuthorizationServerMetadata.builder()
-						.issuer("https://localhost")
-						.authorizationEndpoint("https://localhost/oauth2/authorize")
-						.tokenEndpoint("https://localhost/oauth2/token")
-						.responseType("code")
-						.build());
+					.issuer("https://localhost")
+					.authorizationEndpoint("https://localhost/oauth2/authorize")
+					.tokenEndpoint("https://localhost/oauth2/token")
+					.responseType("code")
+					.build());
 		generatorByClassName.put(OidcProviderConfiguration.class,
 				(r) -> OidcProviderConfiguration.builder()
-						.issuer("https://localhost")
-						.authorizationEndpoint("https://localhost/oauth2/authorize")
-						.tokenEndpoint("https://localhost/oauth2/token")
-						.jwkSetUrl("https://localhost/oauth2/jwks")
-						.responseType("code")
-						.subjectType("subjectType")
-						.idTokenSigningAlgorithm("RS256")
-						.build());
+					.issuer("https://localhost")
+					.authorizationEndpoint("https://localhost/oauth2/authorize")
+					.tokenEndpoint("https://localhost/oauth2/token")
+					.jwkSetUrl("https://localhost/oauth2/jwks")
+					.responseType("code")
+					.subjectType("subjectType")
+					.idTokenSigningAlgorithm("RS256")
+					.build());
 		generatorByClassName.put(OAuth2TokenType.class, (r) -> OAuth2TokenType.ACCESS_TOKEN);
 		generatorByClassName.put(OAuth2TokenFormat.class, (r) -> OAuth2TokenFormat.SELF_CONTAINED);
 		generatorByClassName.put(AuthorizationServerSettings.class,
@@ -729,10 +728,10 @@ final class SerializationSamples {
 		Saml2Authentication saml2 = TestSaml2Authentications.authentication();
 		generatorByClassName.put(Saml2Authentication.class, (r) -> applyDetails(saml2));
 		Saml2ResponseAssertionAccessor assertion = Saml2ResponseAssertion.withResponseValue("response")
-				.nameId("name")
-				.sessionIndexes(List.of("id"))
-				.attributes(Map.of("key", List.of("value")))
-				.build();
+			.nameId("name")
+			.sessionIndexes(List.of("id"))
+			.attributes(Map.of("key", List.of("value")))
+			.build();
 		generatorByClassName.put(Saml2ResponseAssertion.class, (r) -> assertion);
 		generatorByClassName.put(Saml2AssertionAuthentication.class, (r) -> applyDetails(
 				new Saml2AssertionAuthentication(assertion, authentication.getAuthorities(), "id")));
@@ -753,9 +752,9 @@ final class SerializationSamples {
 		generatorByClassName.put(Saml2LogoutRequest.class, (r) -> TestSaml2LogoutRequests.create());
 		generatorByClassName.put(OpenSamlAssertingPartyDetails.class,
 				(r) -> OpenSamlAssertingPartyDetails
-						.withEntityDescriptor(
-								TestOpenSamlObjects.entityDescriptor(TestRelyingPartyRegistrations.full().build()))
-						.build());
+					.withEntityDescriptor(
+							TestOpenSamlObjects.entityDescriptor(TestRelyingPartyRegistrations.full().build()))
+					.build());
 
 		// web
 		generatorByClassName.put(AnonymousAuthenticationToken.class, (r) -> {
@@ -874,8 +873,8 @@ final class SerializationSamples {
 				(r) -> TestPublicKeyCredentialUserEntities.userEntity().id(TestBytes.get()).build());
 		generatorByClassName.put(WebAuthnAuthentication.class, (r) -> {
 			PublicKeyCredentialUserEntity userEntity = TestPublicKeyCredentialUserEntities.userEntity()
-					.id(TestBytes.get())
-					.build();
+				.id(TestBytes.get())
+				.build();
 			List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
 			WebAuthnAuthentication webAuthnAuthentication = new WebAuthnAuthentication(userEntity, authorities);
 			webAuthnAuthentication.setDetails(details);