From b2d76dfe66707a799664f574f068e39965d9d5d1 Mon Sep 17 00:00:00 2001 
From: Rob Winch <362503+rwinch@users.noreply.github.com> Date: Wed, 24 Sep 2025 08:42:43 -0500 Subject: [PATCH] Add GrantedAuthorities.FACTOR_*_AUTHORITY Closes gh-17952 --- .../CasAuthenticationProvider.java | 3 +- .../CasAuthenticationProviderTests.java | 3 +- .../web/configurers/FormLoginConfigurer.java | 3 +- .../web/configurers/HttpBasicConfigurer.java | 4 +- .../web/configurers/WebAuthnConfigurer.java | 4 +- .../web/configurers/X509Configurer.java | 7 +- .../oauth2/client/OAuth2LoginConfigurer.java | 4 +- .../OAuth2ResourceServerConfigurer.java | 4 +- .../ott/OneTimeTokenLoginConfigurer.java | 3 +- .../saml2/Saml2LoginConfigurer.java | 4 +- .../configurers/FormLoginConfigurerTests.java | 21 +++-- ...ractUserDetailsAuthenticationProvider.java | 3 +- .../AbstractJaasAuthenticationProvider.java | 3 +- .../OneTimeTokenAuthenticationProvider.java | 3 +- .../security/core/GrantedAuthorities.java | 78 +++++++++++++++++++ .../dao/DaoAuthenticationProviderTests.java | 3 +- .../jaas/JaasAuthenticationProviderTests.java | 3 +- ...eTimeTokenAuthenticationProviderTests.java | 3 +- .../TopLevelCustomizerBeanConfiguration.java | 1 - .../AuthorizationManagerFactoryTests.java | 7 +- ...istAuthoritiesEverywhereConfiguration.java | 5 +- ...horizationManagerFactoryConfiguration.java | 3 +- .../CustomAuthorizationManagerFactory.java | 5 +- ...ustomAuthorizationManagerFactoryTests.java | 3 +- .../ListAuthoritiesConfiguration.java | 3 +- .../MultiFactorAuthenticationTests.java | 7 +- .../MissingAuthorityConfiguration.java | 3 +- .../ObtainingMoreAuthorizationTests.java | 5 +- .../ReauthenticationTests.java | 3 +- .../RequireOttConfiguration.java | 3 +- .../CopyAuthoritiesTests.java | 7 +- .../AuthorizationManagerFactoryTests.kt | 7 +- .../ListAuthoritiesEverywhereConfiguration.kt | 5 +- ...uthorizationManagerFactoryConfiguration.kt | 3 +- .../CustomAuthorizationManagerFactory.kt | 5 +- .../CustomAuthorizationManagerFactoryTests.kt | 3 +- .../ListAuthoritiesConfiguration.kt | 3 +- 
.../MultiFactorAuthenticationTests.kt | 7 +- .../MissingAuthorityConfiguration.kt | 3 +- .../ObtainingMoreAuthorizationTests.kt | 5 +- .../reauthentication/ReauthenticationTests.kt | 3 +- .../RequireOttConfiguration.kt | 3 +- .../CopyAuthoritiesTests.kt | 7 +- .../AbstractLdapAuthenticationProvider.java | 3 +- .../LdapAuthenticationProviderTests.java | 3 +- .../OAuth2LoginAuthenticationProvider.java | 3 +- ...Auth2LoginAuthenticationProviderTests.java | 3 +- .../JwtAuthenticationConverter.java | 3 +- .../OpaqueTokenAuthenticationProvider.java | 3 +- .../JwtAuthenticationConverterTests.java | 3 +- ...paqueTokenAuthenticationProviderTests.java | 3 +- .../OpenSaml5AuthenticationProvider.java | 3 +- .../OpenSaml5AuthenticationProviderTests.java | 3 +- ...WithAuthoritiesMvcResultMatchersTests.java | 3 +- ...ngMissingAuthorityAccessDeniedHandler.java | 4 +- .../WebAuthnAuthenticationProvider.java | 3 +- .../WebAuthnAuthenticationProviderTests.java | 3 +- 57 files changed, 227 insertions(+), 81 deletions(-) create mode 100644 core/src/main/java/org/springframework/security/core/GrantedAuthorities.java
diff --git a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
index a5be1a7337..5464d16993 100644
--- a/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
+++ b/cas/src/main/java/org/springframework/security/cas/authentication/CasAuthenticationProvider.java
@@ -38,6 +38,7 @@ import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -69,7 +70,7 @@ public class CasAuthenticationProvider implements AuthenticationProvider, Initia
 private static final Log logger = LogFactory.getLog(CasAuthenticationProvider.class);
- private static final String AUTHORITY = "FACTOR_CAS";
+ private static final String AUTHORITY = GrantedAuthorities.FACTOR_CAS_AUTHORITY;
 @SuppressWarnings("NullAway.Init")
 private AuthenticationUserDetailsService authenticationUserDetailsService;
diff --git a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
index 41e1ae55a7..9c05b269fd 100644
--- a/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
+++ b/cas/src/test/java/org/springframework/security/cas/authentication/CasAuthenticationProviderTests.java
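Review bot: In the second hunk, `AUTHORITY` is now only a private alias for `GrantedAuthorities.FACTOR_CAS_AUTHORITY`, so the place where the factor authority is attached to the result (outside this hunk) still reads as an anonymous `AUTHORITY`. Either drop the field and reference the public constant at the use site, or keep it with a comment such as `// factor authority issued by this provider on successful CAS authentication`. The same alias is kept in AbstractUserDetailsAuthenticationProvider, AbstractJaasAuthenticationProvider and OneTimeTokenAuthenticationProvider.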
@@ -33,6 +33,7 @@ import org.springframework.security.authentication.UsernamePasswordAuthenticatio
 import org.springframework.security.cas.ServiceProperties;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
@@ -360,7 +361,7 @@ public class CasAuthenticationProviderTests {
 CasServiceTicketAuthenticationToken token = CasServiceTicketAuthenticationToken.stateful("ST-123");
 token.setDetails("details");
 Authentication result = cap.authenticate(token);
- SecurityAssertions.assertThat(result).hasAuthority("FACTOR_CAS");
+ SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_CAS_AUTHORITY);
 }
 private class MockAuthoritiesPopulator implements AuthenticationUserDetailsService {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
index c78152454a..06a2034ecb 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.java
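Review bot: The assertion in the second hunk now compares the provider's output with the same constant the provider reads, so it no longer fails if the value of `FACTOR_CAS_AUTHORITY` is changed by mistake. These strings are matched by name in authorization rules, so the literal values are part of the contract; a small test that pins them, e.g. `assertThat(GrantedAuthorities.FACTOR_CAS_AUTHORITY).isEqualTo("FACTOR_CAS");` for each constant, would keep that guard. No such test appears in the visible part of the diffstat. The same applies to the assertions changed in DaoAuthenticationProviderTests, JaasAuthenticationProviderTests and OneTimeTokenAuthenticationProviderTests.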
@@ -21,6 +21,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
@@ -236,7 +237,7 @@ public final class FormLoginConfigurer> extends
 AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint();
 RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.addEntryPointFor(entryPoint, requestMatcher),
- "FACTOR_PASSWORD");
+ GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
 }
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
index 701fc415a6..8ba007e724 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/HttpBasicConfigurer.java
@@ -28,6 +28,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@@ -195,7 +196,8 @@ public final class HttpBasicConfigurer>
 AuthenticationEntryPoint entryPoint = postProcess(this.authenticationEntryPoint);
 exceptionHandling.defaultAuthenticationEntryPointFor(entryPoint, preferredMatcher);
 exceptionHandling.defaultDeniedHandlerForMissingAuthority(
- (ep) -> ep.addEntryPointFor(entryPoint, preferredMatcher), "FACTOR_PASSWORD");
+ (ep) -> ep.addEntryPointFor(entryPoint, preferredMatcher),
+ GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
 }
 private void registerDefaultLogoutSuccessHandler(B http, RequestMatcher preferredMatcher) {
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
index 39f2768d86..6613693ef1 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
@@ -26,6 +26,7 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.access.intercept.AuthorizationFilter;
@@ -159,7 +160,8 @@ public class WebAuthnConfigurer>
 if (exceptions != null) {
 AuthenticationEntryPoint entryPoint = new LoginUrlAuthenticationEntryPoint("/login");
 exceptions.defaultDeniedHandlerForMissingAuthority(
- (ep) -> ep.addEntryPointFor(entryPoint, AnyRequestMatcher.INSTANCE), "FACTOR_WEBAUTHN");
+ (ep) -> ep.addEntryPointFor(entryPoint, AnyRequestMatcher.INSTANCE),
+ GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY);
 }
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
index 868fef50ae..512ae11761 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
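Review bot: In the second hunk the missing-authority handler for `FACTOR_WEBAUTHN_AUTHORITY` is registered with a fixed `new LoginUrlAuthenticationEntryPoint("/login")` and `AnyRequestMatcher.INSTANCE`, while the form-login and one-time-token configurers in this commit pass `getAuthenticationEntryPoint()` and `getAuthenticationEntryPointMatcher(http)`. If an application serves its login page at another path, a request lacking the WebAuthn factor may be redirected to a page that does not exist; whether this configurer can see a configured login URL is not visible here. A comment on the entry point line, e.g. `// NOTE(review): hard-coded default login page - confirm a custom login URL is honoured`, or reuse of the shared entry point, would make the choice explicit. The enclosing method starts outside the hunk.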
@@ -25,6 +25,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
@@ -179,14 +180,16 @@ public final class X509Configurer>
 public void init(H http) {
 PreAuthenticatedAuthenticationProvider authenticationProvider = new PreAuthenticatedAuthenticationProvider();
 authenticationProvider.setPreAuthenticatedUserDetailsService(getAuthenticationUserDetailsService(http));
- authenticationProvider.setGrantedAuthoritySupplier(() -> AuthorityUtils.createAuthorityList("FACTOR_X509"));
+ authenticationProvider.setGrantedAuthoritySupplier(
+ () -> AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_X509_AUTHORITY));
 http.authenticationProvider(authenticationProvider)
 .setSharedObject(AuthenticationEntryPoint.class, new Http403ForbiddenEntryPoint());
 ExceptionHandlingConfigurer exceptions = http.getConfigurer(ExceptionHandlingConfigurer.class);
 if (exceptions != null) {
 AuthenticationEntryPoint forbidden = new Http403ForbiddenEntryPoint();
 exceptions.defaultDeniedHandlerForMissingAuthority(
- (ep) -> ep.addEntryPointFor(forbidden, AnyRequestMatcher.INSTANCE), "FACTOR_X509");
+ (ep) -> ep.addEntryPointFor(forbidden, AnyRequestMatcher.INSTANCE),
+ GrantedAuthorities.FACTOR_X509_AUTHORITY);
 }
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
index ecf695bcc0..c06a0332e5 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
@@ -45,6 +45,7 @@ import org.springframework.security.config.annotation.web.configurers.SessionMan
 import org.springframework.security.context.DelegatingApplicationListener;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.core.session.AbstractSessionEvent;
 import org.springframework.security.core.session.SessionDestroyedEvent;
@@ -566,7 +567,8 @@ public final class OAuth2LoginConfigurer>
 if (exceptions != null) {
 RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 exceptions.defaultDeniedHandlerForMissingAuthority(
- (ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher), "FACTOR_AUTHORIZATION_CODE");
+ (ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher),
+ GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY);
 }
 return loginEntryPoint;
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
index 5c9b56198d..bccf4a3d97 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java @@ -38,6 +38,7 @@ import org.springframework.security.config.annotation.web.configurers.CsrfConfig import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.oauth2.core.OAuth2AuthenticationException; import org.springframework.security.oauth2.jwt.Jwt; import org.springframework.security.oauth2.jwt.JwtDecoder; @@ -328,7 +329,8 @@ public final class OAuth2ResourceServerConfigurer ep.addEntryPointFor(this.authenticationEntryPoint, preferredMatcher), "FACTOR_BEARER"); + (ep) -> ep.addEntryPointFor(this.authenticationEntryPoint, preferredMatcher), + GrantedAuthorities.FACTOR_BEARER_AUTHORITY); } } diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java index c193caf971..73468ef97f 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ott/OneTimeTokenLoginConfigurer.java 
@@ -37,6 +37,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractAu
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.AuthenticationConverter;
@@ -141,7 +142,7 @@ public final class OneTimeTokenLoginConfigurer>
 AuthenticationEntryPoint entryPoint = getAuthenticationEntryPoint();
 RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 exceptions.defaultDeniedHandlerForMissingAuthority((ep) -> ep.addEntryPointFor(entryPoint, requestMatcher),
- "FACTOR_OTT");
+ GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 }
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
index be783ef0f6..1f605af131 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/saml2/Saml2LoginConfigurer.java
@@ -35,6 +35,7 @@ import org.springframework.security.config.annotation.web.configurers.AbstractHt
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
 import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
 import org.springframework.security.saml2.provider.service.authentication.OpenSaml5AuthenticationProvider;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
@@ -353,7 +354,8 @@ public final class Saml2LoginConfigurer>
 if (exceptions != null) {
 RequestMatcher requestMatcher = getAuthenticationEntryPointMatcher(http);
 exceptions.defaultDeniedHandlerForMissingAuthority(
- (ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher), "FACTOR_SAML_RESPONSE");
+ (ep) -> ep.addEntryPointFor(loginEntryPoint, requestMatcher),
+ GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY);
 }
 return loginEntryPoint;
 }
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
index e2bd96ea93..7d97ea50d2 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurerTests.java
@@ -40,6 +40,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.config.users.AuthenticationTestConfiguration;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.context.SecurityContextChangedListener;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
@@ -415,16 +416,21 @@ public class FormLoginConfigurerTests {
 .with(SecurityMockMvcRequestPostProcessors.csrf()))
 .andExpect(status().is3xxRedirection())
 .andExpect(redirectedUrl("/"));
- user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_OTT").build();
+ user = PasswordEncodedUser.withUserDetails(user)
+ .authorities("profile:read", GrantedAuthorities.FACTOR_OTT_AUTHORITY)
+ .build();
 this.mockMvc.perform(get("/profile").with(user(user)))
 .andExpect(status().is3xxRedirection())
 .andExpect(redirectedUrl("http://localhost/login?factor=password"));
- user = PasswordEncodedUser.withUserDetails(user).authorities("profile:read", "FACTOR_PASSWORD").build();
+ user = PasswordEncodedUser.withUserDetails(user)
+ .authorities("profile:read", GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
+ .build();
 this.mockMvc.perform(get("/profile").with(user(user)))
 .andExpect(status().is3xxRedirection())
 .andExpect(redirectedUrl("http://localhost/login?factor=ott"));
 user = PasswordEncodedUser.withUserDetails(user)
- .authorities("profile:read", "FACTOR_PASSWORD", "FACTOR_OTT")
+ .authorities("profile:read", GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
+ GrantedAuthorities.FACTOR_OTT_AUTHORITY)
 .build();
 this.mockMvc.perform(get("/profile").with(user(user))).andExpect(status().isNotFound());
 }
@@ -447,7 +453,8 @@ public class FormLoginConfigurerTests {
 .andExpect(status().is3xxRedirection())
 .andExpect(redirectedUrl("/"));
 UserDetails authorized = PasswordEncodedUser.withUsername("rod")
- .authorities("profile:read", "FACTOR_X509", "FACTOR_PASSWORD")
+ .authorities("profile:read", GrantedAuthorities.FACTOR_X509_AUTHORITY,
+ GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
 .build();
 this.mockMvc.perform(get("/profile").with(user(authorized))).andExpect(status().isOk());
 }
@@ -814,7 +821,8 @@ public class FormLoginConfigurerTests {
 @Bean
 AuthorizationManagerFactory authz() {
- return new AuthorizationManagerFactory<>("FACTOR_PASSWORD", "FACTOR_OTT");
+ return new AuthorizationManagerFactory<>(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY,
+ GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 }
 }
@@ -840,7 +848,8 @@ public class FormLoginConfigurerTests {
 @Bean
 AuthorizationManagerFactory authz() {
- return new AuthorizationManagerFactory<>("FACTOR_X509", "FACTOR_PASSWORD");
+ return new AuthorizationManagerFactory<>(GrantedAuthorities.FACTOR_X509_AUTHORITY,
+ GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
 }
 }
diff --git a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
index efb966601f..9e4e281300 100644
--- a/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/dao/AbstractUserDetailsAuthenticationProvider.java
@@ -36,6 +36,7 @@ import org.springframework.security.authentication.LockedException;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
@@ -99,7 +100,7 @@ public abstract class AbstractUserDetailsAuthenticationProvider
 private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
- private static final String AUTHORITY = "FACTOR_PASSWORD";
+ private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
 /**
 * Allows subclasses to perform any additional checks of a returned (or cached)
diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
index 108c3a33f6..215792865a 100644
--- a/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
@@ -44,6 +44,7 @@ import org.springframework.security.authentication.jaas.event.JaasAuthentication
 import org.springframework.security.authentication.jaas.event.JaasAuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -121,7 +122,7 @@ import org.springframework.util.ObjectUtils;
 public abstract class AbstractJaasAuthenticationProvider implements AuthenticationProvider, ApplicationEventPublisherAware, InitializingBean, ApplicationListener {
- private static final String AUTHORITY = "FACTOR_PASSWORD";
+ private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;
 private ApplicationEventPublisher applicationEventPublisher = (event) -> { };
diff --git a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
index aefa16bd2b..38917e0c9c 100644
--- a/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProvider.java
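Review bot: In the second hunk, `AUTHORITY` binds the JAAS provider to `GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY`, whose Javadoc says a password was used, but what the configured LoginModule actually verified is not visible from this class. An authorization rule that requires the password factor would presumably be satisfied by any successful JAAS login. A comment on the field would record that this is deliberate, e.g. `// JAAS logins are reported as the password factor; the LoginModule decides what is actually checked`. The class body continues outside the hunk.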
@@ -23,6 +23,7 @@ import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -40,7 +41,7 @@ import org.springframework.util.Assert;
 */
 public final class OneTimeTokenAuthenticationProvider implements AuthenticationProvider {
- private static final String AUTHORITY = "FACTOR_OTT";
+ private static final String AUTHORITY = GrantedAuthorities.FACTOR_OTT_AUTHORITY;
 private final OneTimeTokenService oneTimeTokenService;
diff --git a/core/src/main/java/org/springframework/security/core/GrantedAuthorities.java b/core/src/main/java/org/springframework/security/core/GrantedAuthorities.java
new file mode 100644
index 0000000000..79f962354e
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/core/GrantedAuthorities.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core;
+
+/**
+ * Constants for {@link GrantedAuthority}.
+ *
+ * @author Rob Winch
+ * @since 7.0
+ */
+public final class GrantedAuthorities {
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that OAuth2
+ * Authorization Code was used to authenticate.
+ */
+ public static final String FACTOR_AUTHORIZATION_CODE_AUTHORITY = "FACTOR_AUTHORIZATION_CODE";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that bearer
+ * authentication was used to authenticate.
+ */
+ public static final String FACTOR_BEARER_AUTHORITY = "FACTOR_BEARER";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that CAS was
+ * used to authenticate.
+ */
+ public static final String FACTOR_CAS_AUTHORITY = "FACTOR_CAS";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that one time
+ * token was used to authenticate.
+ */
+ public static final String FACTOR_OTT_AUTHORITY = "FACTOR_OTT";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that a password
+ * was used to authenticate.
+ */
+ public static final String FACTOR_PASSWORD_AUTHORITY = "FACTOR_PASSWORD";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that SAML was
+ * used to authenticate.
+ */
+ public static final String FACTOR_SAML_RESPONSE_AUTHORITY = "FACTOR_SAML_RESPONSE";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that WebAuthn
+ * was used to authenticate.
+ */
+ public static final String FACTOR_WEBAUTHN_AUTHORITY = "FACTOR_WEBAUTHN";
+
+ /**
+ * The standard {@link GrantedAuthority#getAuthority()} that indicates that X509 was
+ * used to authenticate.
+ */
+ public static final String FACTOR_X509_AUTHORITY = "FACTOR_X509";
+
+ private GrantedAuthorities() {
+ }
+
+}
diff --git a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
index e80e4e6a85..e394e34c9a 100644
--- a/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/dao/DaoAuthenticationProviderTests.java
@@ -38,6 +38,7 @@ import org.springframework.security.authentication.password.CompromisedPasswordC
 import org.springframework.security.authentication.password.CompromisedPasswordDecision;
 import org.springframework.security.authentication.password.CompromisedPasswordException;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
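Review bot: The class Javadoc `Constants for {@link GrantedAuthority}.` in the new GrantedAuthorities file does not say that the `FACTOR_*` names are reserved: they are ordinary authority strings, and FormLoginConfigurerTests in this commit builds a user with `.authorities("profile:read", GrantedAuthorities.FACTOR_OTT_AUTHORITY)` that is then treated as having completed that factor. The Javadoc should state that applications must not assign these values from a user store, authorities mapper or token claim, for example `These authorities are issued by the framework after a factor succeeds and must not be granted from user data.` In addition, `FACTOR_PASSWORD_AUTHORITY` is used for HTTP Basic and JAAS as well as form login in this commit, which its Javadoc could mention.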
@@ -511,7 +512,7 @@ public class DaoAuthenticationProviderTests {
 DaoAuthenticationProvider provider = new DaoAuthenticationProvider(withUsers(user));
 Authentication request = new UsernamePasswordAuthenticationToken("user", "password");
 Authentication result = provider.authenticate(request);
- SecurityAssertions.assertThat(result).hasAuthority("FACTOR_PASSWORD");
+ SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
 }
 private UserDetailsService withUsers(UserDetails... users) {
diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
index 6951bf4dec..4adfe897ac 100644
--- a/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/jaas/JaasAuthenticationProviderTests.java
@@ -40,6 +40,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
@@ -241,7 +242,7 @@ public class JaasAuthenticationProviderTests {
 public void authenticateWhenSuccessThenIssuesFactor() {
 UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user", "password");
 Authentication result = this.jaasProvider.authenticate(token);
- SecurityAssertions.assertThat(result).hasAuthority("FACTOR_PASSWORD");
+ SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY);
 }
 private static class MockLoginContext extends LoginContext {
diff --git a/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java b/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java
index c2456562e9..4c0509094f 100644
--- a/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java
+++ b/core/src/test/java/org/springframework/security/authentication/ott/OneTimeTokenAuthenticationProviderTests.java
@@ -28,6 +29,7 @@ import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.authentication.BadCredentialsException;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
@@ -108,7 +109,7 @@ public class OneTimeTokenAuthenticationProviderTests {
 OneTimeTokenAuthenticationToken token = new OneTimeTokenAuthenticationToken(TOKEN);
 Authentication authentication = this.provider.authenticate(token);
- SecurityAssertions.assertThat(authentication).hasAuthority("FACTOR_OTT");
+ SecurityAssertions.assertThat(authentication).hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 }
 @Test
diff --git a/docs/src/test/java/org/springframework/security/docs/reactive/configuration/toplevelcustomizerbean/TopLevelCustomizerBeanConfiguration.java b/docs/src/test/java/org/springframework/security/docs/reactive/configuration/toplevelcustomizerbean/TopLevelCustomizerBeanConfiguration.java
index 84700b89aa..e516fda8c9 100644
--- a/docs/src/test/java/org/springframework/security/docs/reactive/configuration/toplevelcustomizerbean/TopLevelCustomizerBeanConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/reactive/configuration/toplevelcustomizerbean/TopLevelCustomizerBeanConfiguration.java
@@ -22,7 +22,6 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.web.server.SecurityWebFilterChain;
-import org.springframework.web.reactive.config.EnableWebFlux;
 /**
 *
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.java
index 97899bc163..60337ace1f 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.java
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -51,7 +52,7 @@ public class AuthorizationManagerFactoryTests {
 MockMvc mockMvc;
 @Test
- @WithMockUser(authorities = { "FACTOR_PASSWORD", "FACTOR_OTT" })
+ @WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
 void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
@@ -62,7 +63,7 @@ public class AuthorizationManagerFactoryTests {
 }
 @Test
- @WithMockUser(authorities = "FACTOR_PASSWORD")
+ @WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
 void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
@@ -73,7 +74,7 @@ public class AuthorizationManagerFactoryTests {
 }
 @Test
- @WithMockUser(authorities = "FACTOR_OTT")
+ @WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
 void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.java
index 7c5728d807..4c9eee4a9d 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.java
@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -26,8 +27,8 @@ public class ListAuthoritiesEverywhereConfiguration {
 // @formatter:off
 http
 .authorizeHttpRequests((authorize) -> authorize
- .requestMatchers("/admin/**").access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT"), hasRole("ADMIN"))) // <1>
- .anyRequest().access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT")))
+ .requestMatchers("/admin/**").access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY), hasRole("ADMIN"))) // <1>
+ .anyRequest().access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY)))
 )
 .formLogin(Customizer.withDefaults())
 .oneTimeTokenLogin(Customizer.withDefaults());
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java
index 0418e87c89..23d2b30f12 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.java
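Review bot: The two rewritten rules in `ListAuthoritiesEverywhereConfiguration` are now long enough that the `hasRole("ADMIN")` at the end of the `/admin/**` line is easy to overlook, which matters in what appears to be a documentation snippet (the `// <1>` callout). The file already calls `allOf`, `hasAuthority` and `hasRole` unqualified, so static imports of the two constants would match its style: `import static org.springframework.security.core.GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY;` (and the OTT one), then `hasAuthority(FACTOR_PASSWORD_AUTHORITY)`. The same point applies to the `anyRequest()` rule changed in ListAuthoritiesConfiguration.java. The enclosing method starts outside the hunk.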
@@ -7,6 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -38,7 +39,7 @@ class UseAuthorizationManagerFactoryConfiguration {
 @Bean
 AuthorizationManagerFactory authz() {
 return DefaultAuthorizationManagerFactory.builder()
- .requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build();
+ .requireAdditionalAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY).build();
 }
 // end::authorizationManagerFactoryBean[]
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.java
index f00cea15fb..7622e625d7 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.java
@@ -20,6 +20,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -56,8 +57,8 @@ class CustomAuthorizationManagerFactory {
 MyPrincipal principal = (MyPrincipal) authentication.get().getPrincipal();
 if (principal.optedIn()) {
 SecurityExpressionOperations sec = new SecurityExpressionRoot<>(authentication, context) {};
- return new AuthorityAuthorizationDecision(sec.hasAuthority("FACTOR_OTT"),
- AuthorityUtils.createAuthorityList("FACTOR_OTT"));
+ return new AuthorityAuthorizationDecision(sec.hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY),
+ AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY));
 }
 return new AuthorizationDecision(true);
 }
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.java
index f62cfeedff..aea7626157 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.java
@@ -23,6 +23,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
@@ -79,7 +80,7 @@ public class CustomAuthorizationManagerFactoryTests {
 void getWhenOptedAndHasFactorThenAllows() throws Exception {
 this.spring.register(CustomAuthorizationManagerFactory.class, Http200Controller.class).autowire();
 UserDetails user = this.users.loadUserByUsername("optedin");
- TestingAuthenticationToken token = new TestingAuthenticationToken(user, "", "FACTOR_OTT");
+ TestingAuthenticationToken token = new TestingAuthenticationToken(user, "", GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 // @formatter:off
 this.mockMvc.perform(get("/").with(authentication(token)))
 .andExpect(status().isOk())
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.java
index f6a003c874..c48e0b0a3e 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.java
@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -25,7 +26,7 @@ class ListAuthoritiesConfiguration {
 // @formatter:off
 http
 .authorizeHttpRequests((authorize) -> authorize
- .anyRequest().access(allOf(hasAuthority("FACTOR_PASSWORD"), hasAuthority("FACTOR_OTT"))) // <1>
+ .anyRequest().access(allOf(hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY), hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY))) // <1>
 )
 .formLogin(Customizer.withDefaults())
 .oneTimeTokenLogin(Customizer.withDefaults());
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.java
index 33e319622d..9aa6ee3da5 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.java
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -51,7 +52,7 @@ public class MultiFactorAuthenticationTests {
 MockMvc mockMvc;
 @Test
- @WithMockUser(authorities = { "FACTOR_PASSWORD", "FACTOR_OTT" })
+ @WithMockUser(authorities = { GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY })
 void getWhenAuthenticatedWithPasswordAndOttThenPermits() throws Exception {
 this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
@@ -62,7 +63,7 @@ public class MultiFactorAuthenticationTests {
 }
 @Test
- @WithMockUser(authorities = "FACTOR_PASSWORD")
+ @WithMockUser(authorities = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)
 void getWhenAuthenticatedWithPasswordThenRedirectsToOtt() throws Exception {
 this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
@@ -73,7 +74,7 @@ public class MultiFactorAuthenticationTests {
 }
 @Test
- @WithMockUser(authorities = "FACTOR_OTT")
+ @WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
 void getWhenAuthenticatedWithOttThenRedirectsToPassword() throws Exception {
 this.spring.register(ListAuthoritiesConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java
index 4ccc0c2895..e918a3b3d0 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.java
@@ -16,6 +16,7 @@ import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
 import org.springframework.security.oauth2.client.registration.TestClientRegistrations;
@@ -53,7 +54,7 @@ class MissingAuthorityConfiguration {
 // tag::authorizationManagerFactoryBean[]
 @Bean
 AuthorizationManagerFactory authz() {
- return new FactorAuthorizationManagerFactory(hasAllAuthorities("FACTOR_X509", "FACTOR_AUTHORIZATION_CODE"));
+ return new FactorAuthorizationManagerFactory(hasAllAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY));
 }
 // end::authorizationManagerFactoryBean[]
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.java
index f91fa8b2ed..83f4e98f7a 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.java
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -61,7 +62,7 @@ public class ObtainingMoreAuthorizationTests {
 }
 @Test
- @WithMockUser(authorities = { "FACTOR_X509", "FACTOR_AUTHORIZATION_CODE" })
+ @WithMockUser(authorities = { GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY })
 void profileWhenMissingAuthorityConfigurationThenRedirectsToAuthorizationServer() throws Exception {
 this.spring.register(MissingAuthorityConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
@@ -82,7 +83,7 @@ public class ObtainingMoreAuthorizationTests {
 }
 @Test
- @WithMockUser(authorities = { "FACTOR_X509", "FACTOR_AUTHORIZATION_CODE", "SCOPE_profile:read" })
+ @WithMockUser(authorities = { GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read" })
 void profileWhenAuthenticatedAndHasScopeThenPermits() throws Exception {
 this.spring.register(MissingAuthorityConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/ReauthenticationTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/ReauthenticationTests.java
index 7078eac0f2..81b810e84a 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/ReauthenticationTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/ReauthenticationTests.java
@@ -22,6 +22,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.docs.servlet.authentication.servletx509config.CustomX509Configuration;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener;
@@ -73,7 +74,7 @@ public class ReauthenticationTests {
 }
 @Test
- @WithMockUser(authorities = "FACTOR_OTT")
+ @WithMockUser(authorities = GrantedAuthorities.FACTOR_OTT_AUTHORITY)
 void ottWhenRequireOttConfigurationThenAllows() throws Exception {
 this.spring.register(RequireOttConfiguration.class, Http200Controller.class).autowire();
 // @formatter:off
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/RequireOttConfiguration.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/RequireOttConfiguration.java
index af23bc19f0..7682ebe324 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/RequireOttConfiguration.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/reauthentication/RequireOttConfiguration.java
@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
@@ -22,7 +23,7 @@ public class RequireOttConfiguration {
 // @formatter:off
 http
 .authorizeHttpRequests((authorize) -> authorize
- .requestMatchers("/profile/**").hasAuthority("FACTOR_OTT") // <1>
+ .requestMatchers("/profile/**").hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY) // <1>
 .anyRequest().authenticated()
 )
 .formLogin(Customizer.withDefaults())
diff --git a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.java b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.java
index ca5de102fa..bbd59d9726 100644
--- a/docs/src/test/java/org/springframework/security/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.java
+++ b/docs/src/test/java/org/springframework/security/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.java
@@ -8,6 +8,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.authentication.ott.OneTimeTokenAuthentication;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
@@ -19,10 +20,10 @@ public class CopyAuthoritiesTests {
 @Test
 void toBuilderWhenApplyThenCopies() {
 UsernamePasswordAuthenticationToken previous = new UsernamePasswordAuthenticationToken("alice", "pass",
- AuthorityUtils.createAuthorityList("FACTOR_PASSWORD"));
+ AuthorityUtils.createAuthorityList( GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));
 SecurityContextHolder.getContext().setAuthentication(previous);
 Authentication latest = new OneTimeTokenAuthentication("bob",
- AuthorityUtils.createAuthorityList("FACTOR_OTT"));
+ AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY));
 AuthenticationManager authenticationManager = mock(AuthenticationManager.class);
 given(authenticationManager.authenticate(any())).willReturn(latest);
 Authentication authenticationRequest = new TestingAuthenticationToken("user", "pass");
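Review bot: The first added line in the `toBuilderWhenApplyThenCopies` hunk of CopyAuthoritiesTests reads `AuthorityUtils.createAuthorityList( GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));` with whitespace after the opening parenthesis, while the second added call a few lines below has none. Unless that is an artifact of how this page renders whitespace, it should be `AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));`. The statement it completes starts on the preceding context line.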
@@ -35,7 +36,7 @@ public class CopyAuthoritiesTests {
 .build();
 }
 // end::springSecurity[]
- SecurityAssertions.assertThat(lastestResult).hasAuthorities("FACTOR_PASSWORD", "FACTOR_OTT");
+ SecurityAssertions.assertThat(lastestResult).hasAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY);
 SecurityContextHolder.clearContext();
 }
 }
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.kt
index 23080f1cea..f0ac6b88d6 100644
--- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.kt
+++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/AuthorizationManagerFactoryTests.kt
@@ -20,6 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.security.config.test.SpringTestContext
 import org.springframework.security.config.test.SpringTestContextExtension
+import org.springframework.security.core.GrantedAuthorities
 import org.springframework.security.test.context.support.WithMockUser
 import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener
 import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers
@@ -46,7 +47,7 @@ class AuthorizationManagerFactoryTests {
 var mockMvc: MockMvc? = null
 @Test
- @WithMockUser(authorities = ["FACTOR_PASSWORD", "FACTOR_OTT"])
+ @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY])
 @Throws(Exception::class)
 fun getWhenAuthenticatedWithPasswordAndOttThenPermits() {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)
@@ -59,7 +60,7 @@ class AuthorizationManagerFactoryTests {
 }
 @Test
- @WithMockUser(authorities = ["FACTOR_PASSWORD"])
+ @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY])
 @Throws(Exception::class)
 fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)
@@ -72,7 +73,7 @@ class AuthorizationManagerFactoryTests {
 }
 @Test
- @WithMockUser(authorities = ["FACTOR_OTT"])
+ @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY])
 @Throws(Exception::class)
 fun getWhenAuthenticatedWithOttThenRedirectsToPassword() {
 this.spring.register(UseAuthorizationManagerFactoryConfiguration::class.java, Http200Controller::class.java)
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.kt
index 33e7467755..b93f7a8b9d 100644
--- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.kt
+++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/ListAuthoritiesEverywhereConfiguration.kt
@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
+import org.springframework.security.core.GrantedAuthorities
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -22,8 +23,8 @@ class ListAuthoritiesEverywhereConfiguration {
 // @formatter:off
 http {
 authorizeHttpRequests {
- authorize("/admin/**", hasAllAuthorities("FACTOR_PASSWORD", "FACTOR_OTT", "ROLE_ADMIN")) // <1>
- authorize(anyRequest, hasAllAuthorities("FACTOR_PASSWORD", "FACTOR_OTT"))
+ authorize("/admin/**", hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY, "ROLE_ADMIN")) // <1>
+ authorize(anyRequest, hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY))
 }
 formLogin { }
 oneTimeTokenLogin { }
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt
index 20f2ca373a..0cce4c130b 100644
--- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt
+++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/authorizationmanagerfactory/UseAuthorizationManagerFactoryConfiguration.kt
@@ -7,6 +7,7 @@ import org.springframework.security.authorization.DefaultAuthorizationManagerFac
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.invoke
+import org.springframework.security.core.GrantedAuthorities
 import org.springframework.security.core.userdetails.User
 import org.springframework.security.core.userdetails.UserDetailsService
 import org.springframework.security.provisioning.InMemoryUserDetailsManager
@@ -38,7 +39,7 @@ internal class UseAuthorizationManagerFactoryConfiguration {
 @Bean
 fun authz(): AuthorizationManagerFactory {
 return DefaultAuthorizationManagerFactory.builder()
- .requireAdditionalAuthorities("FACTOR_PASSWORD", "FACTOR_OTT").build()
+ .requireAdditionalAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY).build()
 }
 // end::authorizationManagerFactoryBean[]
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.kt
index 16f6415d7b..313f74e346 100644
--- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.kt
+++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactory.kt
@@ -9,6 +9,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.invoke import org.springframework.security.core.Authentication +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.core.GrantedAuthority import org.springframework.security.core.authority.AuthorityUtils import org.springframework.security.core.userdetails.UserDetails @@ -49,8 +50,8 @@ internal class CustomAuthorizationManagerFactory { if (principal!!.optedIn) { val root = object : SecurityExpressionRoot(authentication, context) { } return AuthorityAuthorizationDecision( - root.hasAuthority("FACTOR_OTT"), - AuthorityUtils.createAuthorityList("FACTOR_OTT") + root.hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY), + AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY) ) } return AuthorizationDecision(true) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.kt index b55dae1c90..30e687b97a 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/customauthorizationmanagerfactory/CustomAuthorizationManagerFactoryTests.kt 
@@ -21,6 +21,7 @@ import org.springframework.beans.factory.annotation.Autowired import org.springframework.security.authentication.TestingAuthenticationToken import org.springframework.security.config.test.SpringTestContext import org.springframework.security.config.test.SpringTestContextExtension +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers @@ -75,7 +76,7 @@ class CustomAuthorizationManagerFactoryTests { fun getWhenOptedAndHasFactorThenAllows() { this.spring.register(CustomAuthorizationManagerFactory::class.java, Http200Controller::class.java).autowire() val user = this.users!!.loadUserByUsername("optedin") - val token = TestingAuthenticationToken(user, "", "FACTOR_OTT") + val token = TestingAuthenticationToken(user, "", GrantedAuthorities.FACTOR_OTT_AUTHORITY) // @formatter:off this.mockMvc!!.perform(MockMvcRequestBuilders.get("/").with(SecurityMockMvcRequestPostProcessors.authentication(token))) .andExpect(MockMvcResultMatchers.status().isOk()) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.kt index 79e40e8c73..cfa0b9e810 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/ListAuthoritiesConfiguration.kt 
@@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.invoke +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.core.userdetails.User import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.provisioning.InMemoryUserDetailsManager @@ -22,7 +23,7 @@ internal class ListAuthoritiesConfiguration { // @formatter:off http { authorizeHttpRequests { - authorize(anyRequest, hasAllAuthorities("FACTOR_PASSWORD", "FACTOR_OTT")) + authorize(anyRequest, hasAllAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY)) } formLogin { } oneTimeTokenLogin { } diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.kt index 748b6e050a..945631448e 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/multifactorauthentication/MultiFactorAuthenticationTests.kt 
@@ -20,6 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith import org.springframework.beans.factory.annotation.Autowired import org.springframework.security.config.test.SpringTestContext import org.springframework.security.config.test.SpringTestContextExtension +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.test.context.support.WithMockUser import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener import org.springframework.security.test.web.servlet.response.SecurityMockMvcResultMatchers @@ -46,7 +47,7 @@ class MultiFactorAuthenticationTests { var mockMvc: MockMvc? = null @Test - @WithMockUser(authorities = ["FACTOR_PASSWORD", "FACTOR_OTT"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY]) @Throws(Exception::class) fun getWhenAuthenticatedWithPasswordAndOttThenPermits() { this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire() @@ -58,7 +59,7 @@ class MultiFactorAuthenticationTests { } @Test - @WithMockUser(authorities = ["FACTOR_PASSWORD"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY]) @Throws(Exception::class) fun getWhenAuthenticatedWithPasswordThenRedirectsToOtt() { this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire() @@ -70,7 +71,7 @@ class MultiFactorAuthenticationTests { } @Test - @WithMockUser(authorities = ["FACTOR_OTT"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY]) @Throws(Exception::class) fun getWhenAuthenticatedWithOttThenRedirectsToPassword() { this.spring.register(ListAuthoritiesConfiguration::class.java, Http200Controller::class.java).autowire() 
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt index 1e4d7431c6..10140ab5cf 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/MissingAuthorityConfiguration.kt @@ -15,6 +15,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe import org.springframework.security.config.annotation.web.configurers.ExceptionHandlingConfigurer import org.springframework.security.config.annotation.web.invoke import org.springframework.security.core.AuthenticationException +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository import org.springframework.security.oauth2.client.registration.TestClientRegistrations @@ -58,7 +59,7 @@ internal class MissingAuthorityConfiguration { // tag::authorizationManagerFactoryBean[] @Bean fun authz(): AuthorizationManagerFactory { - return FactorAuthorizationManagerFactory(hasAllAuthorities("FACTOR_X509", "FACTOR_AUTHORIZATION_CODE")) + return FactorAuthorizationManagerFactory(hasAllAuthorities(GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY)) } // end::authorizationManagerFactoryBean[] 
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.kt index c7cc92478f..9016e3094a 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/obtainingmoreauthorization/ObtainingMoreAuthorizationTests.kt @@ -20,6 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith import org.springframework.beans.factory.annotation.Autowired import org.springframework.security.config.test.SpringTestContext import org.springframework.security.config.test.SpringTestContextExtension +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.docs.servlet.authentication.obtainingmoreauthorization.ScopeConfiguration import org.springframework.security.test.context.support.WithMockUser import org.springframework.security.test.context.support.WithSecurityContextTestExecutionListener @@ -58,7 +59,7 @@ class ObtainingMoreAuthorizationTests { } @Test - @WithMockUser(authorities = ["FACTOR_X509", "FACTOR_AUTHORIZATION_CODE"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY]) @Throws(Exception::class) fun profileWhenMissingAuthorityConfigurationThenRedirectsToAuthorizationServer() { this.spring.register(MissingAuthorityConfiguration::class.java, Http200Controller::class.java).autowire() 
@@ -81,7 +82,7 @@ class ObtainingMoreAuthorizationTests { } @Test - @WithMockUser(authorities = ["FACTOR_X509", "FACTOR_AUTHORIZATION_CODE", "SCOPE_profile:read"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_X509_AUTHORITY, GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY, "SCOPE_profile:read"]) @Throws( Exception::class ) diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/ReauthenticationTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/ReauthenticationTests.kt index 1b7278ce15..2ceb9d26cb 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/ReauthenticationTests.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/ReauthenticationTests.kt @@ -20,6 +20,7 @@ import org.junit.jupiter.api.extension.ExtendWith import org.springframework.beans.factory.annotation.Autowired import org.springframework.security.config.test.SpringTestContext import org.springframework.security.config.test.SpringTestContextExtension +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.docs.servlet.authentication.reauthentication.RequireOttConfiguration import org.springframework.security.docs.servlet.authentication.reauthentication.SimpleConfiguration import org.springframework.security.test.context.support.WithMockUser @@ -72,7 +73,7 @@ class ReauthenticationTests { } @Test - @WithMockUser(authorities = ["FACTOR_OTT"]) + @WithMockUser(authorities = [GrantedAuthorities.FACTOR_OTT_AUTHORITY]) @Throws(Exception::class) fun ottWhenRequireOttConfigurationThenAllows() { this.spring.register(RequireOttConfiguration::class.java, Http200Controller::class.java).autowire() 
diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/RequireOttConfiguration.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/RequireOttConfiguration.kt index cca01a6c85..ed7e28943e 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/RequireOttConfiguration.kt +++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/reauthentication/RequireOttConfiguration.kt @@ -5,6 +5,7 @@ import org.springframework.context.annotation.Configuration import org.springframework.security.config.annotation.web.builders.HttpSecurity import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity import org.springframework.security.config.annotation.web.invoke +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.core.userdetails.User import org.springframework.security.core.userdetails.UserDetailsService import org.springframework.security.provisioning.InMemoryUserDetailsManager @@ -22,7 +23,7 @@ class RequireOttConfiguration { // @formatter:off http { authorizeHttpRequests { - authorize("/profile/**", hasAuthority("FACTOR_OTT")) // <1> + authorize("/profile/**", hasAuthority(GrantedAuthorities.FACTOR_OTT_AUTHORITY)) // <1> authorize(anyRequest, authenticated) } formLogin { } diff --git a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.kt b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.kt index af25a3a346..3d96844b75 100644 --- a/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.kt 
+++ b/docs/src/test/kotlin/org/springframework/security/kt/docs/servlet/authentication/servletauthenticationauthentication/CopyAuthoritiesTests.kt @@ -10,6 +10,7 @@ import org.springframework.security.authentication.TestingAuthenticationToken import org.springframework.security.authentication.UsernamePasswordAuthenticationToken import org.springframework.security.authentication.ott.OneTimeTokenAuthentication import org.springframework.security.core.Authentication +import org.springframework.security.core.GrantedAuthorities import org.springframework.security.core.authority.AuthorityUtils import org.springframework.security.core.context.SecurityContextHolder @@ -17,10 +18,10 @@ class CopyAuthoritiesTests { @Test fun toBuilderWhenApplyThenCopies() { val previous: Authentication = UsernamePasswordAuthenticationToken("alice", "pass", - AuthorityUtils.createAuthorityList("FACTOR_PASSWORD")) + AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)) SecurityContextHolder.getContext().authentication = previous var latest: Authentication = OneTimeTokenAuthentication("bob", - AuthorityUtils.createAuthorityList("FACTOR_OTT")) + AuthorityUtils.createAuthorityList(GrantedAuthorities.FACTOR_OTT_AUTHORITY)) val authenticationManager: AuthenticationManager = Mockito.mock(AuthenticationManager::class.java) BDDMockito.given(authenticationManager.authenticate(ArgumentMatchers.any())).willReturn(latest) val authenticationRequest: Authentication = TestingAuthenticationToken("user", "pass") @@ -33,7 +34,7 @@ class CopyAuthoritiesTests { }.build() } // end::springSecurity[] - SecurityAssertions.assertThat(latestResult).hasAuthorities("FACTOR_PASSWORD", "FACTOR_OTT") + SecurityAssertions.assertThat(latestResult).hasAuthorities(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY, GrantedAuthorities.FACTOR_OTT_AUTHORITY) SecurityContextHolder.clearContext() } } 
diff --git a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java index ea30b69168..11e5310510 100644 --- a/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java +++ b/ldap/src/main/java/org/springframework/security/ldap/authentication/AbstractLdapAuthenticationProvider.java @@ -32,6 +32,7 @@ import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.SpringSecurityMessageSource; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -52,7 +53,7 @@ import org.springframework.util.StringUtils; */ public abstract class AbstractLdapAuthenticationProvider implements AuthenticationProvider, MessageSourceAware { - private static final String AUTHORITY = "FACTOR_PASSWORD"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY; protected final Log logger = LogFactory.getLog(getClass()); diff --git a/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java b/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java index af5781cd42..fdc5d85842 100644 --- a/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java +++ b/ldap/src/test/java/org/springframework/security/ldap/authentication/LdapAuthenticationProviderTests.java 
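Review bot: The `AUTHORITY` field in AbstractLdapAuthenticationProvider now aliases a public, well-known name, but nothing at the declaration says that name is reserved for factors the provider itself issues. If authorities populated from the directory or rewritten by an authorities mapper can carry the same string, a rule such as `hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY)` could not tell them apart from a completed password factor. The code that merges the authorities is outside this hunk, so this is a documentation request rather than a confirmed defect. I would add above the field `// Factor authority issued by this provider; externally sourced authorities should not use the FACTOR_ prefix.` The same one-line alias appears in OAuth2LoginAuthenticationProvider, JwtAuthenticationConverter, OpaqueTokenAuthenticationProvider, OpenSaml5AuthenticationProvider and WebAuthnAuthenticationProvider in this patch.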
@@ -29,6 +29,7 @@ import org.springframework.security.authentication.InternalAuthenticationService import org.springframework.security.authentication.SecurityAssertions; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.UserDetails; @@ -164,7 +165,7 @@ public class LdapAuthenticationProviderTests { LdapAuthenticationProvider ldapProvider = new LdapAuthenticationProvider(authenticator, populator); UsernamePasswordAuthenticationToken request = new UsernamePasswordAuthenticationToken("ben", "benspassword"); Authentication result = ldapProvider.authenticate(request); - SecurityAssertions.assertThat(result).hasAuthority("FACTOR_PASSWORD"); + SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY); } class MockAuthenticator implements LdapAuthenticator { diff --git a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java index a267154930..8d369db4af 100644 --- a/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java +++ b/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProvider.java 
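Review bot: The assertion in LdapAuthenticationProviderTests now compares the provider's output with the same constant the provider reads, so it no longer pins the literal value `FACTOR_PASSWORD`. An accidental change to the constant's value would pass every updated test while breaking configurations that still spell the string out. Unless GrantedAuthorities already has such a test outside this view, keep one assertion on the literal per constant, for example `assertThat(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY).isEqualTo("FACTOR_PASSWORD");`. The same applies to the test hunks for OAuth2LoginAuthenticationProviderTests, JwtAuthenticationConverterTests, OpaqueTokenAuthenticationProviderTests and OpenSaml5AuthenticationProviderTests.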
@@ -24,6 +24,7 @@ import java.util.Map; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; @@ -69,7 +70,7 @@ import org.springframework.util.Assert; */ public class OAuth2LoginAuthenticationProvider implements AuthenticationProvider { - private static final String AUTHORITY = "FACTOR_AUTHORIZATION_CODE"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY; private final OAuth2AuthorizationCodeAuthenticationProvider authorizationCodeAuthenticationProvider; diff --git a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java index 2cbebf4e6e..c326d53d3f 100644 --- a/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java +++ b/oauth2/oauth2-client/src/test/java/org/springframework/security/oauth2/client/authentication/OAuth2LoginAuthenticationProviderTests.java @@ -31,6 +31,7 @@ import org.mockito.stubbing.Answer; import org.springframework.security.authentication.SecurityAssertions; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper; 
@@ -219,7 +220,7 @@ public class OAuth2LoginAuthenticationProviderTests { Authentication request = new OAuth2LoginAuthenticationToken(this.clientRegistration, this.authorizationExchange); Authentication result = this.authenticationProvider.authenticate(request); - SecurityAssertions.assertThat(result).hasAuthority("FACTOR_AUTHORIZATION_CODE"); + SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_AUTHORIZATION_CODE_AUTHORITY); } private OAuth2AccessTokenResponse accessTokenSuccessResponse() { diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java index 680f834f9a..41b19c1f79 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverter.java @@ -21,6 +21,7 @@ import java.util.HashSet; import org.springframework.core.convert.converter.Converter; import org.springframework.security.authentication.AbstractAuthenticationToken; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.jwt.Jwt; @@ -36,7 +37,7 @@ import org.springframework.util.Assert; */ public class JwtAuthenticationConverter implements Converter { - private static final String AUTHORITY = "FACTOR_BEARER"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_BEARER_AUTHORITY; private Converter> jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter(); 
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java index 64cfbfb55c..d8e2fa9bff 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProvider.java @@ -28,6 +28,7 @@ import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.AuthenticationServiceException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.core.OAuth2AccessToken; @@ -74,7 +75,7 @@ import org.springframework.util.Assert; */ public final class OpaqueTokenAuthenticationProvider implements AuthenticationProvider { - private static final String AUTHORITY = "FACTOR_BEARER"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_BEARER_AUTHORITY; private final Log logger = LogFactory.getLog(getClass()); diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java index 439484e562..978cac4566 100644 
--- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/JwtAuthenticationConverterTests.java @@ -25,6 +25,7 @@ import org.springframework.core.convert.converter.Converter; import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.SecurityAssertions; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.oauth2.jwt.Jwt; @@ -115,7 +116,7 @@ public class JwtAuthenticationConverterTests { public void convertWhenDefaultsThenIssuesFactor() { Jwt jwt = TestJwts.jwt().build(); Authentication result = this.jwtAuthenticationConverter.convert(jwt); - SecurityAssertions.assertThat(result).hasAuthority("FACTOR_BEARER"); + SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_BEARER_AUTHORITY); } } diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java index 2d9d4507fb..2a2f3cf64f 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/authentication/OpaqueTokenAuthenticationProviderTests.java 
@@ -29,6 +29,7 @@ import org.springframework.security.authentication.AuthenticationServiceExceptio import org.springframework.security.authentication.SecurityAssertions; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; import org.springframework.security.oauth2.core.OAuth2TokenIntrospectionClaimNames; @@ -154,7 +155,7 @@ public class OpaqueTokenAuthenticationProviderTests { OpaqueTokenAuthenticationProvider provider = new OpaqueTokenAuthenticationProvider(introspector); Authentication request = new BearerTokenAuthenticationToken("token"); Authentication result = provider.authenticate(request); - SecurityAssertions.assertThat(result).hasAuthority("FACTOR_BEARER"); + SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_BEARER_AUTHORITY); } static Predicate isScope() { diff --git a/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.java b/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.java index 569a033728..953aa71ecf 100644 --- a/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.java +++ b/saml2/saml2-service-provider/src/opensaml5Main/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProvider.java 
@@ -58,6 +58,7 @@ import org.springframework.security.authentication.AbstractAuthenticationToken; import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -113,7 +114,7 @@ import org.springframework.util.StringUtils; */ public final class OpenSaml5AuthenticationProvider implements AuthenticationProvider { - private static final String AUTHORITY = "FACTOR_SAML_RESPONSE"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY; private final BaseOpenSamlAuthenticationProvider delegate; diff --git a/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java b/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java index a5770c728e..44c8dc8f61 100644 --- a/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java +++ b/saml2/saml2-service-provider/src/opensaml5Test/java/org/springframework/security/saml2/provider/service/authentication/OpenSaml5AuthenticationProviderTests.java 
@@ -73,6 +73,7 @@ import org.opensaml.xmlsec.signature.support.SignatureConstants; import org.springframework.core.convert.converter.Converter; import org.springframework.security.authentication.SecurityAssertions; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.jackson2.SecurityJackson2Modules; @@ -990,7 +991,7 @@ public class OpenSaml5AuthenticationProviderTests { Response response = TestOpenSamlObjects.signedResponseWithOneAssertion(); Authentication request = token(response, verifying(registration())); Authentication result = this.provider.authenticate(request); - SecurityAssertions.assertThat(result).hasAuthority("FACTOR_SAML_RESPONSE"); + SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_SAML_RESPONSE_AUTHORITY); } private T build(QName qName) { diff --git a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java index fab7b43e94..2840230e73 100644 --- a/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java +++ b/test/src/test/java/org/springframework/security/test/web/servlet/response/SecurityMockWithAuthoritiesMvcResultMatchersTests.java 
@@ -27,6 +27,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -67,7 +68,7 @@ public class SecurityMockWithAuthoritiesMvcResultMatchersTests {
 List grantedAuthorities = new ArrayList<>();
 grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
 grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_SELLER"));
- grantedAuthorities.add(new SimpleGrantedAuthority("FACTOR_PASSWORD"));
+ grantedAuthorities.add(new SimpleGrantedAuthority(GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY));
 this.mockMvc.perform(formLogin()).andExpect(authenticated().withAuthorities(grantedAuthorities));
 }
diff --git a/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java b/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
index fbf2ff753c..7260146b38 100644
--- a/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
+++ b/web/src/main/java/org/springframework/security/web/access/DelegatingMissingAuthorityAccessDeniedHandler.java
@@ -64,8 +64,8 @@ import org.springframework.util.Assert; * * * AccessDeniedHandler handler = DelegatingMissingAuthorityAccessDeniedHandler.builder() - * .addEntryPointFor(new LoginUrlAuthenticationEntryPoint("/login"), "FACTOR_OTT") - * .addEntryPointFor(new MyCustomEntryPoint(), "FACTOR_PASSWORD") + * .addEntryPointFor(new LoginUrlAuthenticationEntryPoint("/login"), GrantedAuthorities.FACTOR_OTT_AUTHORITY) + * .addEntryPointFor(new MyCustomEntryPoint(), GrantedAuthorities.FACTOR_PASSWORD_AUTHORITY) * .build(); * * diff --git a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProvider.java b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProvider.java index fbf906c5a0..1b89616caf 100644 --- a/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProvider.java +++ b/webauthn/src/main/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProvider.java @@ -23,6 +23,7 @@ import org.springframework.security.authentication.AuthenticationProvider; import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.GrantedAuthorities; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; @@ -44,7 +45,7 @@ import org.springframework.util.Assert; */ public class WebAuthnAuthenticationProvider implements AuthenticationProvider { - private static final String AUTHORITY = "FACTOR_WEBAUTHN"; + private static final String AUTHORITY = GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY; private final WebAuthnRelyingPartyOperations relyingPartyOperations; 
diff --git a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProviderTests.java b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProviderTests.java
index f7f18b0851..613e536c18 100644
--- a/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProviderTests.java
+++ b/webauthn/src/test/java/org/springframework/security/web/webauthn/authentication/WebAuthnAuthenticationProviderTests.java
@@ -20,6 +20,7 @@ import org.junit.jupiter.api.Test;
 import org.springframework.security.authentication.SecurityAssertions;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthorities;
 import org.springframework.security.core.userdetails.PasswordEncodedUser;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.web.webauthn.api.AuthenticatorAssertionResponse;
@@ -55,7 +56,7 @@ class WebAuthnAuthenticationProviderTests {
 given(users.loadUserByUsername(any())).willReturn(PasswordEncodedUser.user());
 given(operations.authenticate(any())).willReturn(TestPublicKeyCredentialUserEntities.userEntity().build());
 Authentication result = provider.authenticate(request);
- SecurityAssertions.assertThat(result).hasAuthority("FACTOR_WEBAUTHN");
+ SecurityAssertions.assertThat(result).hasAuthority(GrantedAuthorities.FACTOR_WEBAUTHN_AUTHORITY);
 }
 }