OAuth2 Authorization Endpoint

OAuth2AuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.

OAuth2AuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationEndpoint(authorizationEndpoint ->
			authorizationEndpoint
				.authorizationRequestConverter(authorizationRequestConverter)   (1)
				.authenticationProvider(authenticationProvider) (2)
				.authorizationResponseHandler(authorizationResponseHandler) (3)
				.errorResponseHandler(errorResponseHandler) (4)
				.consentPage("/oauth2/v1/authorize")    (5)
		);

	return http.build();
}
1 authorizationRequestConverter(): The AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from HttpServletRequest to an instance of OAuth2AuthorizationCodeRequestAuthenticationToken.
2 authenticationProvider(): The AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationCodeRequestAuthenticationToken. (One or more may be added to replace the defaults.)
3 authorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OAuth2AuthorizationCodeRequestAuthenticationToken and returning the OAuth2AuthorizationResponse.
4 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthorizationCodeRequestAuthenticationException and returning the OAuth2Error response.
5 consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the authorization request flow.

OAuth2AuthorizationEndpointConfigurer configures the OAuth2AuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationEndpointFilter is the Filter that processes OAuth2 authorization requests (and consents).

OAuth2AuthorizationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An OAuth2AuthorizationCodeRequestAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeRequestAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2AuthorizationCodeRequestAuthenticationToken and returns the OAuth2AuthorizationResponse.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthorizationCodeRequestAuthenticationException and returns the OAuth2Error response.
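An added example (not from the reference documentation) of option (4) for the authorization endpoint: a custom errorResponseHandler that audits every rejected authorization request and preserves the rule the built-in handler applies, namely that when the failure concerns the client_id or redirect_uri the exception carries no validated redirect URI and the answer must be a plain 400, never a redirect to an unverified location; otherwise the error goes back to the validated redirect_uri with state echoed. The class name and the `AUDIT.authorize` logger name are assumptions; servlet imports follow Spring Authorization Server 1.x (`jakarta.servlet`).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/** Failure handler for the authorization endpoint: audits rejected requests and
 *  redirects only to a redirect_uri that the validator has already accepted. */
public class AuditingAuthorizationErrorHandler implements AuthenticationFailureHandler {

	private static final Logger AUDIT = LoggerFactory.getLogger("AUDIT.authorize"); // assumed logger name
	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

	@Override
	public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
			AuthenticationException exception) throws IOException {
		OAuth2AuthorizationCodeRequestAuthenticationException ex =
				(OAuth2AuthorizationCodeRequestAuthenticationException) exception;
		OAuth2Error error = ex.getError();
		OAuth2AuthorizationCodeRequestAuthenticationToken authn = ex.getAuthorizationCodeRequestAuthentication();

		// Metadata only: error code, parsed client_id and peer address; never the full query string.
		AUDIT.warn("authorization rejected error={} client_id={} remote={}",
				error.getErrorCode(), authn != null ? authn.getClientId() : "?", request.getRemoteAddr());

		// No validated redirect_uri (bad client_id or redirect_uri): answer 400, do not redirect.
		if (authn == null || !StringUtils.hasText(authn.getRedirectUri())) {
			response.sendError(HttpStatus.BAD_REQUEST.value(), error.toString());
			return;
		}
		// Validated redirect_uri: return the error to the client, echoing state (RFC 6749 section 4.1.2.1).
		UriComponentsBuilder uri = UriComponentsBuilder.fromUriString(authn.getRedirectUri())
				.queryParam(OAuth2ParameterNames.ERROR, error.getErrorCode());
		if (StringUtils.hasText(error.getDescription())) {
			uri.queryParam(OAuth2ParameterNames.ERROR_DESCRIPTION, UriUtils.encode(error.getDescription(), StandardCharsets.UTF_8));
		}
		if (StringUtils.hasText(authn.getState())) {
			uri.queryParam(OAuth2ParameterNames.STATE, UriUtils.encode(authn.getState(), StandardCharsets.UTF_8));
		}
		this.redirectStrategy.sendRedirect(request, response, uri.build(true).toUriString());
	}
}
```

Register it with `authorizationEndpoint.errorResponseHandler(new AuditingAuthorizationErrorHandler())` in the filter chain shown above.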

OAuth2 Token Endpoint

OAuth2TokenEndpointConfigurer provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.

OAuth2TokenEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenEndpoint(tokenEndpoint ->
			tokenEndpoint
				.accessTokenRequestConverter(accessTokenRequestConverter)   (1)
				.authenticationProvider(authenticationProvider) (2)
				.accessTokenResponseHandler(accessTokenResponseHandler) (3)
				.errorResponseHandler(errorResponseHandler) (4)
		);

	return http.build();
}
1 accessTokenRequestConverter(): The AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 access token request from HttpServletRequest to an instance of OAuth2AuthorizationGrantAuthenticationToken.
2 authenticationProvider(): The AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationGrantAuthenticationToken. (One or more may be added to replace the defaults.)
3 accessTokenResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an OAuth2AccessTokenAuthenticationToken and returning the OAuth2AccessTokenResponse.
4 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenEndpointConfigurer configures the OAuth2TokenEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenEndpointFilter is the Filter that processes OAuth2 access token requests.

The supported authorization grant types are authorization_code, refresh_token, and client_credentials.

OAuth2TokenEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeAuthenticationConverter, OAuth2RefreshTokenAuthenticationConverter, and OAuth2ClientCredentialsAuthenticationConverter.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeAuthenticationProvider, OAuth2RefreshTokenAuthenticationProvider, and OAuth2ClientCredentialsAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an OAuth2AccessTokenAuthenticationToken and returns the OAuth2AccessTokenResponse.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OAuth2 Token Introspection Endpoint

OAuth2TokenIntrospectionEndpointConfigurer provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
			tokenIntrospectionEndpoint
				.introspectionRequestConverter(introspectionRequestConverter)   (1)
				.authenticationProvider(authenticationProvider) (2)
				.introspectionResponseHandler(introspectionResponseHandler) (3)
				.errorResponseHandler(errorResponseHandler) (4)
		);

	return http.build();
}
1 introspectionRequestConverter(): The AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 introspection request from HttpServletRequest to an instance of OAuth2TokenIntrospectionAuthenticationToken.
2 authenticationProvider(): The AuthenticationProvider (main processor) used for authenticating the OAuth2TokenIntrospectionAuthenticationToken. (One or more may be added to replace the defaults.)
3 introspectionResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OAuth2TokenIntrospectionAuthenticationToken and returning the OAuth2TokenIntrospection response.
4 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenIntrospectionEndpointConfigurer configures the OAuth2TokenIntrospectionEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenIntrospectionEndpointFilter is the Filter that processes OAuth2 introspection requests.

OAuth2TokenIntrospectionEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An internal implementation that returns the OAuth2TokenIntrospectionAuthenticationToken.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2TokenIntrospectionAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2TokenIntrospectionAuthenticationToken and returns the OAuth2TokenIntrospection response.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OAuth2 Token Revocation Endpoint

OAuth2TokenRevocationEndpointConfigurer provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.

OAuth2TokenRevocationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenRevocationEndpoint(tokenRevocationEndpoint ->
			tokenRevocationEndpoint
				.revocationRequestConverter(revocationRequestConverter)   (1)
				.authenticationProvider(authenticationProvider) (2)
				.revocationResponseHandler(revocationResponseHandler) (3)
				.errorResponseHandler(errorResponseHandler) (4)
		);

	return http.build();
}
1 revocationRequestConverter(): The AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 revocation request from HttpServletRequest to an instance of OAuth2TokenRevocationAuthenticationToken.
2 authenticationProvider(): The AuthenticationProvider (main processor) used for authenticating the OAuth2TokenRevocationAuthenticationToken. (One or more may be added to replace the defaults.)
3 revocationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OAuth2TokenRevocationAuthenticationToken and returning the OAuth2 revocation response.
4 errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.

OAuth2TokenRevocationEndpointConfigurer configures the OAuth2TokenRevocationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenRevocationEndpointFilter is the Filter that processes OAuth2 revocation requests.

OAuth2TokenRevocationEndpointFilter is configured with the following defaults:

  • AuthenticationConverter — An internal implementation that returns the OAuth2TokenRevocationAuthenticationToken.

  • AuthenticationManager — An AuthenticationManager composed of OAuth2TokenRevocationAuthenticationProvider.

  • AuthenticationSuccessHandler — An internal implementation that handles an “authenticated” OAuth2TokenRevocationAuthenticationToken and returns the OAuth2 revocation response.

  • AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.

OAuth2 Authorization Server Metadata Endpoint

OAuth2AuthorizationServerConfigurer provides support for the OAuth2 Authorization Server Metadata endpoint.

OAuth2AuthorizationServerConfigurer configures the OAuth2AuthorizationServerMetadataEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationServerMetadataEndpointFilter is the Filter that processes OAuth2 authorization server metadata requests and returns the OAuth2AuthorizationServerMetadata response.

JWK Set Endpoint

OAuth2AuthorizationServerConfigurer provides support for the JWK Set endpoint.

OAuth2AuthorizationServerConfigurer configures the NimbusJwkSetEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. NimbusJwkSetEndpointFilter is the Filter that returns the JWK Set.

The JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.

OpenID Connect 1.0 Provider Configuration Endpoint

OidcConfigurer provides support for the OpenID Connect 1.0 Provider Configuration endpoint.

OidcConfigurer configures the OidcProviderConfigurationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcProviderConfigurationEndpointFilter is the Filter that returns the OidcProviderConfiguration response.

OpenID Connect 1.0 UserInfo Endpoint

OidcUserInfoEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 UserInfo endpoint. It defines extension points that let you customize the UserInfo response.

OidcUserInfoEndpointConfigurer provides the following configuration option:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.userInfoEndpoint(userInfoEndpoint ->
					userInfoEndpoint.userInfoMapper(userInfoMapper)   (1)
				)
		);

	return http.build();
}
1 userInfoMapper(): The Function used to extract claims from OidcUserInfoAuthenticationContext to an instance of OidcUserInfo.

OidcUserInfoEndpointConfigurer configures the OidcUserInfoEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcUserInfoEndpointFilter is the Filter that processes UserInfo requests and returns the OidcUserInfo response.

OidcUserInfoEndpointFilter is configured with the following defaults:

  • AuthenticationManager — An AuthenticationManager composed of OidcUserInfoAuthenticationProvider, which is associated with an internal implementation of userInfoMapper that extracts standard claims from the ID Token based on the scopes requested during authorization.

You can customize the ID Token by providing an OAuth2TokenCustomizer<JwtEncodingContext> @Bean.
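An added example (not from the reference documentation or the linked guide) of a userInfoMapper for option (1) above. It generalises the default described in the list: instead of returning whatever is stored for the user, it releases only the claim names permitted by the scopes bound to the access token that was actually presented, and reads those claims from the ID Token saved with the authorization. The class name and the scope-to-claim mapping in `claimsPermittedBy` are assumptions.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.function.Function;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.core.oidc.StandardClaimNames;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;

/** UserInfo mapper for userInfoEndpoint.userInfoMapper(): releases only the claims that
 *  the presented access token's scopes permit, copying them from the ID Token stored
 *  with the authorization rather than from an unrestricted user record. */
public final class ScopeGatedUserInfoMapper
		implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {

	/** Claim names releasable for the granted scopes (assumed, deliberately small mapping). */
	static Set<String> claimsPermittedBy(Set<String> scopes) {
		Set<String> permitted = new HashSet<>();
		if (scopes.contains(OidcScopes.PROFILE)) {
			permitted.addAll(Set.of(StandardClaimNames.NAME, StandardClaimNames.PREFERRED_USERNAME));
		}
		if (scopes.contains(OidcScopes.EMAIL)) {
			permitted.addAll(Set.of(StandardClaimNames.EMAIL, StandardClaimNames.EMAIL_VERIFIED));
		}
		return permitted;
	}

	@Override
	public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
		OAuth2Authorization authorization = context.getAuthorization();
		// Gate on the scopes of the access token in this request, not on what the user could grant.
		Set<String> permitted = claimsPermittedBy(context.getAccessToken().getScopes());
		OidcUserInfo.Builder userInfo = OidcUserInfo.builder().subject(authorization.getPrincipalName());

		// The ID Token issued for this authorization is the source of the standard claims.
		OAuth2Authorization.Token<OidcIdToken> idToken = authorization.getToken(OidcIdToken.class);
		if (idToken != null) {
			idToken.getToken().getClaims().forEach((name, value) -> {
				if (permitted.contains(name)) {
					userInfo.claim(name, value);
				}
			});
		}
		return userInfo.build();
	}
}
```

Wire it with `userInfoEndpoint.userInfoMapper(new ScopeGatedUserInfoMapper())` in the filter chain shown above; claims absent from the ID Token are simply omitted from the response.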

The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request. The following example shows how to enable the OAuth2 resource server configuration:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 UserInfo endpoint.

The guide How-to: Customize the OpenID Connect 1.0 UserInfo response contains examples of customizing the UserInfo endpoint.

OpenID Connect 1.0 Client Registration Endpoint

OidcClientRegistrationEndpointConfigurer configures the OpenID Connect 1.0 Client Registration endpoint. The following example shows how to enable (disabled by default) the OpenID Connect 1.0 Client Registration endpoint:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.clientRegistrationEndpoint(Customizer.withDefaults())
		);

	return http.build();
}
The OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.

OidcClientRegistrationEndpointConfigurer configures the OidcClientRegistrationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcClientRegistrationEndpointFilter is the Filter that processes Client Registration requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter also processes Client Read requests and returns the OidcClientRegistration response.

OidcClientRegistrationEndpointFilter is configured with the following defaults:

  • AuthenticationManager — An AuthenticationManager composed of OidcClientRegistrationAuthenticationProvider.

The OpenID Connect 1.0 Client Registration endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the Client Registration (or Client Read) request.

The access token in a Client Registration request REQUIRES the OAuth2 scope client.create.
The access token in a Client Read request REQUIRES the OAuth2 scope client.read.

The following example shows how to enable the OAuth2 resource server configuration:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}
A JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 Client Registration endpoint.
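For a Client Registration or Client Read request to carry client.create or client.read, some registered client must be allowed to obtain those scopes. As an added example (not from the reference documentation), a RegisteredClientRepository holding a single, tightly scoped registrar client: client_credentials only, so no browser flow can ever end up with client.create, and a short access token lifetime. The client id, secret and class name are constructed placeholders; package names follow Spring Authorization Server 1.x.

```java
import java.time.Duration;
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

@Configuration
public class ClientRegistrationAccessConfig {

	/** The only client permitted to mint tokens for the Client Registration endpoint. */
	@Bean
	public RegisteredClientRepository registeredClientRepository() {
		RegisteredClient registrar = RegisteredClient.withId(UUID.randomUUID().toString())
				.clientId("registrar-client") // constructed placeholder
				// "{noop}" keeps the sample self-contained; a deployed secret is stored through the
				// configured PasswordEncoder (for example a "{bcrypt}" hash), never in clear text.
				.clientSecret("{noop}registrar-secret-placeholder")
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				// Machine-to-machine only: no authorization_code or refresh_token grant.
				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
				.scope("client.create")
				.scope("client.read")
				// Short-lived: a leaked registrar token is usable for minutes, not hours.
				.tokenSettings(TokenSettings.builder()
						.accessTokenTimeToLive(Duration.ofMinutes(5))
						.build())
				.build();
		return new InMemoryRegisteredClientRepository(registrar);
	}
}
```

With this repository in place, only `registrar-client` can obtain a client.create token from the token endpoint, and the JwtDecoder @Bean above validates that token when the Client Registration endpoint is called.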