The following issues were found

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/OAuth2TokenType.java
3 issues
Potential violation of Law of Demeter (method chain calls)
Design

Line: 63 

              			return false;
		}
		OAuth2TokenType that = (OAuth2TokenType) obj;
		return getValue().equals(that.getValue());
	}

	@Override
	public int hashCode() {
		return getValue().hashCode();

Reported by PMD.

Potential violation of Law of Demeter (object not created locally)
Design

Line: 63 

              			return false;
		}
		OAuth2TokenType that = (OAuth2TokenType) obj;
		return getValue().equals(that.getValue());
	}

	@Override
	public int hashCode() {
		return getValue().hashCode();

Reported by PMD.

Potential violation of Law of Demeter (method chain calls)
Design

Line: 68 

              
	@Override
	public int hashCode() {
		return getValue().hashCode();
	}
}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestDeserializer.java
3 issues
Potential violation of Law of Demeter (object not created locally)
Design

Line: 53 

              	public OAuth2AuthorizationRequest deserialize(JsonParser parser, DeserializationContext context)
			throws IOException {
		ObjectMapper mapper = (ObjectMapper) parser.getCodec();
		JsonNode root = mapper.readTree(parser);
		return deserialize(parser, mapper, root);
	}

	private OAuth2AuthorizationRequest deserialize(JsonParser parser, ObjectMapper mapper, JsonNode root)
			throws JsonParseException {

Reported by PMD.

Potential violation of Law of Demeter (static property access)
Design

Line: 76 

              
	private Builder getBuilder(JsonParser parser,
			AuthorizationGrantType authorizationGrantType) throws JsonParseException {
		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
			return OAuth2AuthorizationRequest.authorizationCode();
		}
		if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
			return OAuth2AuthorizationRequest.implicit();
		}

Reported by PMD.

Potential violation of Law of Demeter (static property access)
Design

Line: 79 

              		if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(authorizationGrantType)) {
			return OAuth2AuthorizationRequest.authorizationCode();
		}
		if (AuthorizationGrantType.IMPLICIT.equals(authorizationGrantType)) {
			return OAuth2AuthorizationRequest.implicit();
		}
		throw new JsonParseException(parser, "Invalid authorizationGrantType");
	}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/UnmodifiableMapMixin.java
2 issues
This abstract class does not have any abstract methods
Design

Line: 42 

               */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonDeserialize(using = UnmodifiableMapDeserializer.class)
abstract class UnmodifiableMapMixin {

	@JsonCreator
	UnmodifiableMapMixin(Map<?, ?> map) {
	}

Reported by PMD.

Avoid unused constructor parameters such as 'map'.
Design

Line: 45 

              abstract class UnmodifiableMapMixin {

	@JsonCreator
	UnmodifiableMapMixin(Map<?, ?> map) {
	}

}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2TokenRevocationAuthenticationToken.java
2 issues
Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 39 

              public class OAuth2TokenRevocationAuthenticationToken extends AbstractAuthenticationToken {
	private static final long serialVersionUID = Version.SERIAL_VERSION_UID;
	private final String token;
	private final Authentication clientPrincipal;
	private final String tokenTypeHint;

	/**
	 * Constructs an {@code OAuth2TokenRevocationAuthenticationToken} using the provided parameters.
	 *

Reported by PMD.

Assigning an Object to null is a code smell. Consider refactoring.
Error

Line: 72 

              		Assert.notNull(clientPrincipal, "clientPrincipal cannot be null");
		this.token = revokedToken.getTokenValue();
		this.clientPrincipal = clientPrincipal;
		this.tokenTypeHint = null;
		setAuthenticated(true);		// Indicates that the token was authenticated and revoked
	}

	@Override
	public Object getPrincipal() {

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/core/oidc/OidcProviderMetadataClaimNames.java
2 issues
Avoid constants in interfaces. Interfaces define types, constants are implementation details better placed in classes or enums. See Effective Java, item 19.
Design

Line: 35 

              	/**
	 * {@code subject_types_supported} - the Subject Identifier types supported
	 */
	String SUBJECT_TYPES_SUPPORTED = "subject_types_supported";

	/**
	 * {@code id_token_signing_alg_values_supported} - the {@link JwsAlgorithm JWS} signing algorithms supported for the {@link OidcIdToken ID Token}
	 */
	String ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = "id_token_signing_alg_values_supported";

Reported by PMD.

Avoid constants in interfaces. Interfaces define types, constants are implementation details better placed in classes or enums. See Effective Java, item 19.
Design

Line: 40 

              	/**
	 * {@code id_token_signing_alg_values_supported} - the {@link JwsAlgorithm JWS} signing algorithms supported for the {@link OidcIdToken ID Token}
	 */
	String ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED = "id_token_signing_alg_values_supported";

}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/HashSetMixin.java
2 issues
This abstract class does not have any abstract methods
Design

Line: 32 

               * @see HashSet
 */
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
abstract class HashSetMixin {

	@JsonCreator
	HashSetMixin(Set<?> set) {
	}

Reported by PMD.

Avoid unused constructor parameters such as 'set'.
Design

Line: 35 

              abstract class HashSetMixin {

	@JsonCreator
	HashSetMixin(Set<?> set) {
	}

}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/OAuth2AuthorizationRequestMixin.java
2 issues
No abstract method which means that the keyword is most likely used to prevent instantiation. Use a private or protected constructor instead.
Design

Line: 44 

              @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class OAuth2AuthorizationRequestMixin {

}

Reported by PMD.

This abstract class does not have any abstract methods
Design

Line: 44 

              @JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
@JsonIgnoreProperties(ignoreUnknown = true)
abstract class OAuth2AuthorizationRequestMixin {

}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/jackson2/SignatureAlgorithmMixin.java
2 issues
No abstract method which means that the keyword is most likely used to prevent instantiation. Use a private or protected constructor instead.
Design

Line: 33 

              @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
abstract class SignatureAlgorithmMixin {
}

Reported by PMD.

This abstract class does not have any abstract methods
Design

Line: 33 

              @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
@JsonAutoDetect(fieldVisibility = JsonAutoDetect.Visibility.ANY, getterVisibility = JsonAutoDetect.Visibility.NONE,
		isGetterVisibility = JsonAutoDetect.Visibility.NONE)
abstract class SignatureAlgorithmMixin {
}

Reported by PMD.

oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/OAuth2EndpointUtils.java
2 issues
Potential violation of Law of Demeter (object not created locally)
Design

Line: 38 

              
	static MultiValueMap<String, String> getParameters(HttpServletRequest request) {
		Map<String, String[]> parameterMap = request.getParameterMap();
		MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>(parameterMap.size());
		parameterMap.forEach((key, values) -> {
			if (values.length > 0) {
				for (String value : values) {
					parameters.add(key, value);
				}

Reported by PMD.

Potential violation of Law of Demeter (object not created locally)
Design

Line: 39 

              	static MultiValueMap<String, String> getParameters(HttpServletRequest request) {
		Map<String, String[]> parameterMap = request.getParameterMap();
		MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>(parameterMap.size());
		parameterMap.forEach((key, values) -> {
			if (values.length > 0) {
				for (String value : values) {
					parameters.add(key, value);
				}
			}

Reported by PMD.

samples/boot/oauth2-integration/client/src/main/java/sample/web/AuthorizationController.java
2 issues
Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 40 

               */
@Controller
public class AuthorizationController {
	private final WebClient webClient;
	private final String messagesBaseUri;

	public AuthorizationController(WebClient webClient,
			@Value("${messages.base-uri}") String messagesBaseUri) {
		this.webClient = webClient;

Reported by PMD.

Found non-transient, non-static member. Please mark as transient or provide accessors.
Error

Line: 41 

              @Controller
public class AuthorizationController {
	private final WebClient webClient;
	private final String messagesBaseUri;

	public AuthorizationController(WebClient webClient,
			@Value("${messages.base-uri}") String messagesBaseUri) {
		this.webClient = webClient;
		this.messagesBaseUri = messagesBaseUri;

Reported by PMD.