This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Authorization Server 1.3.3!

Overview

This site contains reference documentation and how-to guides for Spring Authorization Server.

Introducing Spring Authorization Server

Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

Use Cases

The following list provides some use cases for using Spring Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.

Provides full control of configuration and customization when advanced customization scenarios are required.
Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".
Potential savings in software licensing and/or hosting costs.
Quick startup and ease of use during development using the familiar Spring programming model.

Feature List

Spring Authorization Server supports the following features:

Category Feature Related specifications

Category	Feature	Related specifications
Authorization Grant	Authorization Code User Consent Client Credentials Refresh Token Device Code User Consent	The OAuth 2.1 Authorization Framework (draft) Authorization Code Grant Client Credentials Grant Refresh Token Grant OpenID Connect Core 1.0 (spec) Authorization Code Flow OAuth 2.0 Device Authorization Grant (spec) Device Flow
Token Formats	Self-contained (JWT) Reference (Opaque)	JSON Web Token (JWT) (RFC 7519) JSON Web Signature (JWS) (RFC 7515)
Client Authentication	`client_secret_basic` `client_secret_post` `client_secret_jwt` `private_key_jwt` `none` (public clients)	The OAuth 2.1 Authorization Framework (Client Authentication) JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (RFC 7523) Proof Key for Code Exchange by OAuth Public Clients (PKCE) (RFC 7636)
Protocol Endpoints	OAuth2 Authorization Endpoint OAuth2 Device Authorization Endpoint OAuth2 Device Verification Endpoint OAuth2 Token Endpoint OAuth2 Token Introspection Endpoint OAuth2 Token Revocation Endpoint OAuth2 Authorization Server Metadata Endpoint JWK Set Endpoint OpenID Connect 1.0 Provider Configuration Endpoint OpenID Connect 1.0 Logout Endpoint OpenID Connect 1.0 UserInfo Endpoint OpenID Connect 1.0 Client Registration Endpoint	The OAuth 2.1 Authorization Framework (draft) Authorization Endpoint Token Endpoint OAuth 2.0 Device Authorization Grant (RFC 8628) Device Authorization Endpoint Device Verification Endpoint OAuth 2.0 Token Introspection (RFC 7662) OAuth 2.0 Token Revocation (RFC 7009) OAuth 2.0 Authorization Server Metadata (RFC 8414) JSON Web Key (JWK) (RFC 7517) OpenID Connect Discovery 1.0 (spec) Provider Configuration Endpoint OpenID Connect RP-Initiated Logout 1.0 (spec) Logout Endpoint OpenID Connect Core 1.0 (spec) UserInfo Endpoint OpenID Connect Dynamic Client Registration 1.0 (spec) Client Registration Endpoint Client Configuration Endpoint

Authorization Grant

Authorization Code
- User Consent
Client Credentials
Refresh Token
Device Code
- User Consent

The OAuth 2.1 Authorization Framework (draft)
OpenID Connect Core 1.0 (spec)
- Authorization Code Flow
OAuth 2.0 Device Authorization Grant (spec)
- Device Flow

Token Formats

Self-contained (JWT)
Reference (Opaque)

JSON Web Token (JWT) (RFC 7519)
JSON Web Signature (JWS) (RFC 7515)

Client Authentication

client_secret_basic
client_secret_post
client_secret_jwt
private_key_jwt
none (public clients)

The OAuth 2.1 Authorization Framework (Client Authentication)
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (RFC 7523)
Proof Key for Code Exchange by OAuth Public Clients (PKCE) (RFC 7636)

Protocol Endpoints

The OAuth 2.1 Authorization Framework (draft)
- Authorization Endpoint
- Token Endpoint
OAuth 2.0 Device Authorization Grant (RFC 8628)
- Device Authorization Endpoint
- Device Verification Endpoint
OAuth 2.0 Token Introspection (RFC 7662)
OAuth 2.0 Token Revocation (RFC 7009)
OAuth 2.0 Authorization Server Metadata (RFC 8414)
JSON Web Key (JWK) (RFC 7517)
OpenID Connect Discovery 1.0 (spec)
- Provider Configuration Endpoint
OpenID Connect RP-Initiated Logout 1.0 (spec)
- Logout Endpoint
OpenID Connect Core 1.0 (spec)
- UserInfo Endpoint
OpenID Connect Dynamic Client Registration 1.0 (spec)
- Client Registration Endpoint
- Client Configuration Endpoint