Use spec-recommended user code format

Author: Steve Riesenberg

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2DeviceAuthorizationRequestAuthenticationProvider.java

@@ -224,6 +224,13 @@ public OAuth2DeviceCode generate(OAuth2TokenContext context) {
 
 	private static final class UserCodeStringKeyGenerator implements StringKeyGenerator {
 
+		// @formatter:off
+		private static final char[] VALID_CHARS = {
+				'B', 'C', 'D', 'F', 'G', 'H', 'J', 'K', 'L', 'M',
+				'N', 'P', 'Q', 'R', 'S', 'T', 'V', 'W', 'X', 'Z'
+		};
+		// @formatter:on
+
 		private final BytesKeyGenerator keyGenerator;
 
 		public UserCodeStringKeyGenerator() {
@@ -235,9 +242,10 @@ public String generateKey() {
 			byte[] bytes = this.keyGenerator.generateKey();
 			StringBuilder sb = new StringBuilder();
 			for (byte b : bytes) {
-				int offset = Math.abs(b % 26);
-				sb.append((char) ('A' + offset));
+				int offset = Math.abs(b % 20);
+				sb.append(VALID_CHARS[offset]);
 			}
+			sb.insert(4, '-');
 			return sb.toString();
 		}
 

Diff for: oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/web/authentication/OAuth2EndpointUtils.java

@@ -17,7 +17,6 @@
 
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.Locale;
 import java.util.Map;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -84,8 +83,11 @@ static void throwError(String errorCode, String parameterName, String errorUri)
 	}
 
 	static String normalizeUserCode(String userCode) {
-		Assert.notNull(userCode, "userCode cannot be null");
-		return userCode.toUpperCase(Locale.ROOT).replaceAll("[^A-Z]+", "");
+		Assert.hasText(userCode, "userCode cannot be empty");
+		StringBuilder sb = new StringBuilder(userCode.toUpperCase().replaceAll("[^A-Z\\d]+", ""));
+		Assert.isTrue(sb.length() == 8, "userCode must be exactly 8 alpha/numeric characters");
+		sb.insert(4, '-');
+		return sb.toString();
 	}
 
 }