This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Authorization Server 1.4.0!

Overview

This site contains reference documentation and how-to guides for Spring Authorization Server.

Introducing Spring Authorization Server

Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.

Use Cases

The following list provides some use cases for using Spring Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.

  • Provides full control of configuration and customization when advanced customization scenarios are required.

  • Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".

  • Potential savings in software licensing and/or hosting costs.

  • Quick startup and ease of use during development using the familiar Spring programming model.

Feature List

Spring Authorization Server supports the following features:

Category Feature Related specifications
  • Self-contained (JWT)

  • Reference (Opaque)

  • client_secret_basic

  • client_secret_post

  • client_secret_jwt

  • private_key_jwt

  • tls_client_auth

  • self_signed_tls_client_auth

  • none (public clients)

  • The OAuth 2.1 Authorization Framework (Client Authentication)

  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (RFC 7523)

  • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)

  • Proof Key for Code Exchange by OAuth Public Clients (PKCE) (RFC 7636)