Protocol Endpoints
OAuth2 Authorization Endpoint
OAuth2AuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 authorization requests.
OAuth2AuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .authorizationEndpoint(authorizationEndpoint ->
                    authorizationEndpoint
                        .authorizationRequestConverter(authorizationRequestConverter) (1)
                        .authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .authorizationResponseHandler(authorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/authorize") (7)
                )
        );

    return http.build();
}

(1) authorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 authorization request (or consent) from HttpServletRequest to an instance of OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
(2) authorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationCodeRequestAuthenticationToken or OAuth2AuthorizationConsentAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) authorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returning the OAuth2AuthorizationResponse.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthorizationCodeRequestAuthenticationException and returning the OAuth2Error response.
(7) consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the authorization request flow.
OAuth2AuthorizationEndpointConfigurer configures the OAuth2AuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationEndpointFilter is the Filter that processes OAuth2 authorization requests (and consents).
OAuth2AuthorizationEndpointFilter is configured with the following defaults:
- AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeRequestAuthenticationConverter and OAuth2AuthorizationConsentAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeRequestAuthenticationProvider and OAuth2AuthorizationConsentAuthenticationProvider.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2AuthorizationCodeRequestAuthenticationToken and returns the OAuth2AuthorizationResponse.
- AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthorizationCodeRequestAuthenticationException and returns the OAuth2Error response.
Customizing Authorization Request Validation
OAuth2AuthorizationCodeRequestAuthenticationValidator is the default validator used for validating specific OAuth2 authorization request parameters used in the Authorization Code Grant. The default implementation validates the redirect_uri and scope parameters. If validation fails, an OAuth2AuthorizationCodeRequestAuthenticationException is thrown.
OAuth2AuthorizationCodeRequestAuthenticationProvider provides the ability to override the default authorization request validation by supplying a custom authentication validator of type Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> to setAuthenticationValidator().
OAuth2AuthorizationCodeRequestAuthenticationContext holds the OAuth2AuthorizationCodeRequestAuthenticationToken, which contains the OAuth2 authorization request parameters.
If validation fails, the authentication validator MUST throw OAuth2AuthorizationCodeRequestAuthenticationException.
A common use case during the development life cycle phase is to allow for localhost in the redirect_uri parameter. The following example shows how to configure OAuth2AuthorizationCodeRequestAuthenticationProvider with a custom authentication validator that allows for localhost in the redirect_uri parameter:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .authorizationEndpoint(authorizationEndpoint ->
                    authorizationEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
                )
        );

    return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
    return (authenticationProviders) ->
        authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
                Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
                        // Override default redirect_uri validator
                        new CustomRedirectUriValidator()
                                // Reuse default scope validator
                                .andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

                ((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
                        .setAuthenticationValidator(authenticationValidator);
            }
        });
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
                authenticationContext.getAuthentication();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

        // Use exact string matching when comparing client redirect URIs against pre-registered URIs
        if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
            OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
            throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
        }
    }
}
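The validator above restores plain exact matching, which is what lets a registered localhost URI through. Native apps that open a loopback listener on an ephemeral port need one further relaxation, described in RFC 8252 section 7.3: the port of a loopback redirect may vary between runs, but scheme, host, path and query must still match a registered value exactly. The class below is an added example and not part of the Spring Authorization Server documentation or code base; LoopbackAwareRedirectUriValidator, its helper methods and the LOOPBACK_HOSTS set are this example's own names. It implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>, so it can replace CustomRedirectUriValidator in the configureAuthenticationValidator() method above without other changes.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.util.StringUtils;

// Added example (not project code): exact redirect_uri matching, plus a port-agnostic comparison
// for loopback IP redirects as RFC 8252 section 7.3 allows for native apps.
public class LoopbackAwareRedirectUriValidator
        implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

    // Loopback IP literals only; the "localhost" name is deliberately excluded because it can
    // resolve to something other than the local machine (RFC 8252 section 8.3)
    private static final Set<String> LOOPBACK_HOSTS = Set.of("127.0.0.1", "[::1]");

    @Override
    public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext context) {
        OAuth2AuthorizationCodeRequestAuthenticationToken authentication = context.getAuthentication();
        RegisteredClient client = context.getRegisteredClient();
        String requested = authentication.getRedirectUri();

        if (!StringUtils.hasText(requested)) {
            // redirect_uri may be omitted only when exactly one URI is registered (RFC 6749 section 3.1.2.3)
            if (client.getRedirectUris().size() != 1) {
                throw invalid("redirect_uri is required when more than one redirect URI is registered");
            }
            return;
        }

        // Fast path: a byte-for-byte match against a registered value, as the page's validator does
        if (client.getRedirectUris().contains(requested)) {
            return;
        }

        URI requestedUri = parse(requested);
        // A fragment component is never permitted in redirect_uri (RFC 6749 section 3.1.2)
        if (requestedUri.getFragment() != null) {
            throw invalid("redirect_uri must not contain a fragment");
        }
        // Only loopback literals get the relaxed comparison; any other non-exact URI is rejected
        String host = requestedUri.getHost();
        if (host == null || !LOOPBACK_HOSTS.contains(host)) {
            throw invalid("redirect_uri is not registered for this client");
        }
        boolean matched = client.getRedirectUris().stream()
                .map(LoopbackAwareRedirectUriValidator::parse)
                .anyMatch(registered -> sameExceptPort(registered, requestedUri));
        if (!matched) {
            throw invalid("loopback redirect_uri does not match a registered URI (ignoring port)");
        }
    }

    // Scheme, host, path and query must be identical; only the ephemeral port may differ
    static boolean sameExceptPort(URI registered, URI requested) {
        return Objects.equals(registered.getScheme(), requested.getScheme())
                && Objects.equals(registered.getHost(), requested.getHost())
                && Objects.equals(registered.getPath(), requested.getPath())
                && Objects.equals(registered.getQuery(), requested.getQuery());
    }

    private static URI parse(String value) {
        try {
            return new URI(value);
        } catch (URISyntaxException ex) {
            throw invalid("redirect_uri is not a valid URI");
        }
    }

    private static OAuth2AuthorizationCodeRequestAuthenticationException invalid(String description) {
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, description,
                "https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1");
        // Pass null rather than the token so the error is returned directly to the user agent
        // instead of being redirected to a redirect_uri that has just failed validation
        return new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
    }
}
```

Two details carry the security weight here: the relaxed comparison applies only to 127.0.0.1 and [::1] literals, never to the localhost hostname, and every rejection is raised with a null second constructor argument, the same convention the page's CustomRedirectUriValidator uses, so that an attacker-supplied redirect_uri is never used as the destination of the error response.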
OAuth2 Device Authorization Endpoint
OAuth2DeviceAuthorizationEndpointConfigurer provides the ability to customize the OAuth2 Device Authorization endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device authorization requests.
OAuth2DeviceAuthorizationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
                    deviceAuthorizationEndpoint
                        .deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter) (1)
                        .deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .verificationUri("/oauth2/v1/device_verification") (7)
                )
        );

    return http.build();
}

(1) deviceAuthorizationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device authorization request from HttpServletRequest to an instance of OAuth2DeviceAuthorizationRequestAuthenticationToken.
(2) deviceAuthorizationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceAuthorizationRequestAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) deviceAuthorizationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceAuthorizationRequestAuthenticationToken and returning the OAuth2DeviceAuthorizationResponse.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
(7) verificationUri(): The URI of the custom end-user verification page to direct resource owners to on a secondary device.
OAuth2DeviceAuthorizationEndpointConfigurer configures the OAuth2DeviceAuthorizationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceAuthorizationEndpointFilter is the Filter that processes OAuth2 device authorization requests.
OAuth2DeviceAuthorizationEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An OAuth2DeviceAuthorizationRequestAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceAuthorizationRequestAuthenticationProvider.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2DeviceAuthorizationRequestAuthenticationToken and returns the OAuth2DeviceAuthorizationResponse.
- AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.
OAuth2 Device Verification Endpoint
OAuth2DeviceVerificationEndpointConfigurer provides the ability to customize the OAuth2 Device Verification endpoint (or "User Interaction"). It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 device verification requests.
OAuth2DeviceVerificationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .deviceVerificationEndpoint(deviceVerificationEndpoint ->
                    deviceVerificationEndpoint
                        .deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
                        .deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .deviceVerificationResponseHandler(deviceVerificationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                        .consentPage("/oauth2/v1/consent") (7)
                )
        );

    return http.build();
}

(1) deviceVerificationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 device verification request (or consent) from HttpServletRequest to an instance of OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
(2) deviceVerificationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2DeviceVerificationAuthenticationToken or OAuth2DeviceAuthorizationConsentAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) deviceVerificationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2DeviceVerificationAuthenticationToken and directing the resource owner to return to their device.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response.
(7) consentPage(): The URI of the custom consent page to redirect resource owners to if consent is required during the device verification request flow.
OAuth2DeviceVerificationEndpointConfigurer configures the OAuth2DeviceVerificationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2DeviceVerificationEndpointFilter is the Filter that processes OAuth2 device verification requests (and consents).
OAuth2DeviceVerificationEndpointFilter is configured with the following defaults:
- AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2DeviceVerificationAuthenticationConverter and OAuth2DeviceAuthorizationConsentAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2DeviceVerificationAuthenticationProvider and OAuth2DeviceAuthorizationConsentAuthenticationProvider.
- AuthenticationSuccessHandler — A SimpleUrlAuthenticationSuccessHandler that handles an "authenticated" OAuth2DeviceVerificationAuthenticationToken and redirects the user to a success page (/?success).
- AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
OAuth2 Token Endpoint
OAuth2TokenEndpointConfigurer provides the ability to customize the OAuth2 Token endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 access token requests.
OAuth2TokenEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .accessTokenRequestConverter(accessTokenRequestConverter) (1)
                        .accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .accessTokenResponseHandler(accessTokenResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                )
        );

    return http.build();
}

(1) accessTokenRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 access token request from HttpServletRequest to an instance of OAuth2AuthorizationGrantAuthenticationToken.
(2) accessTokenRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2AuthorizationGrantAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) accessTokenResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an OAuth2AccessTokenAuthenticationToken and returning the OAuth2AccessTokenResponse.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenEndpointConfigurer configures the OAuth2TokenEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenEndpointFilter is the Filter that processes OAuth2 access token requests.
The supported authorization grant types are authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:device_code, and urn:ietf:params:oauth:grant-type:token-exchange.
OAuth2TokenEndpointFilter is configured with the following defaults:
- AuthenticationConverter — A DelegatingAuthenticationConverter composed of OAuth2AuthorizationCodeAuthenticationConverter, OAuth2RefreshTokenAuthenticationConverter, OAuth2ClientCredentialsAuthenticationConverter, OAuth2DeviceCodeAuthenticationConverter, and OAuth2TokenExchangeAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2AuthorizationCodeAuthenticationProvider, OAuth2RefreshTokenAuthenticationProvider, OAuth2ClientCredentialsAuthenticationProvider, OAuth2DeviceCodeAuthenticationProvider, and OAuth2TokenExchangeAuthenticationProvider.
- AuthenticationSuccessHandler — An OAuth2AccessTokenResponseAuthenticationSuccessHandler.
- AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.
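The errorResponseHandler option (6) of the token endpoint is the natural hook for making grant failures observable. The class below is an added example and not part of the Spring Authorization Server documentation or code base: it logs the authenticated client, the grant type and the OAuth2 error code, then delegates to the default OAuth2ErrorAuthenticationFailureHandler so that the response sent to the client is unchanged. AuditingTokenErrorResponseHandler and its helper methods are this example's own names. It assumes that, by the time the token endpoint fails, the client authentication step has already placed an OAuth2ClientAuthenticationToken in the SecurityContext, which is what the authorization server's client authentication filter does for an authenticated client.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2ErrorAuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;

// Added example (not project code): an errorResponseHandler for the token endpoint that emits
// one audit line per failed grant and then returns the standard OAuth2 error response.
public class AuditingTokenErrorResponseHandler implements AuthenticationFailureHandler {

    private static final Log logger = LogFactory.getLog(AuditingTokenErrorResponseHandler.class);

    // The default handler writes the RFC 6749 section 5.2 JSON error body and status code
    private final AuthenticationFailureHandler delegate = new OAuth2ErrorAuthenticationFailureHandler();

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException exception) throws IOException, ServletException {
        logger.warn(describe(request, exception));
        this.delegate.onAuthenticationFailure(request, response, exception);
    }

    // Builds a single structured line. Deliberately omits the code, refresh token and client
    // secret values so the audit log never becomes a second copy of those secrets.
    static String describe(HttpServletRequest request, AuthenticationException exception) {
        String errorCode = "unknown";
        if (exception instanceof OAuth2AuthenticationException oauth2Exception) {
            errorCode = oauth2Exception.getError().getErrorCode();
        }

        String clientId = "anonymous";
        Authentication clientPrincipal = SecurityContextHolder.getContext().getAuthentication();
        if (clientPrincipal instanceof OAuth2ClientAuthenticationToken clientAuthentication
                && clientAuthentication.getRegisteredClient() != null) {
            clientId = clientAuthentication.getRegisteredClient().getClientId();
        }

        String grantType = sanitize(request.getParameter(OAuth2ParameterNames.GRANT_TYPE));
        return "token_endpoint_failure client_id=" + sanitize(clientId)
                + " grant_type=" + grantType
                + " error=" + sanitize(errorCode)
                + " remote_addr=" + request.getRemoteAddr();
    }

    // Request parameters are attacker-controlled; restrict them to a safe character set so a
    // crafted value cannot inject line breaks or fake fields into the log
    private static String sanitize(String value) {
        if (value == null) {
            return "missing";
        }
        return value.replaceAll("[^A-Za-z0-9:._-]", "_");
    }
}
```

Register it with .tokenEndpoint(tokenEndpoint -> tokenEndpoint.errorResponseHandler(new AuditingTokenErrorResponseHandler())). In a SIEM, a sustained run of invalid_grant errors from one client_id is the pattern to alert on, since a replayed or guessed authorization code or refresh token fails with exactly that code.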
Customizing Client Credentials Grant Request Validation
OAuth2ClientCredentialsAuthenticationValidator is the default validator used for validating specific OAuth2 Client Credentials Grant request parameters. The default implementation validates the scope parameter. If validation fails, an OAuth2AuthenticationException is thrown.
OAuth2ClientCredentialsAuthenticationProvider provides the ability to override the default request validation by supplying a custom authentication validator of type Consumer<OAuth2ClientCredentialsAuthenticationContext> to setAuthenticationValidator().
OAuth2ClientCredentialsAuthenticationContext holds the OAuth2ClientCredentialsAuthenticationToken, which contains the OAuth2 Client Credentials Grant request parameters.
If validation fails, the authentication validator MUST throw OAuth2AuthenticationException.
The following example shows how to configure OAuth2ClientCredentialsAuthenticationProvider with a custom authentication validator that overrides the default scope validation:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .tokenEndpoint(tokenEndpoint ->
                    tokenEndpoint
                        .authenticationProviders(configureAuthenticationValidator())
                )
        );

    return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
    return (authenticationProviders) ->
        authenticationProviders.forEach((authenticationProvider) -> {
            if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
                Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
                        new CustomScopeValidator();

                // Override default scope validation
                ((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
                        .setAuthenticationValidator(authenticationValidator);
            }
        });
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
        OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
                authenticationContext.getAuthentication();
        Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
        RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
        Set<String> allowedScopes = registeredClient.getScopes();
        // TODO Implement scope validation
    }
}
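The page leaves the body of CustomScopeValidator as a TODO. Below is one complete implementation, added here as an example and not taken from the Spring Authorization Server documentation or code base. It enforces the check the default validator performs, that every requested scope is registered for the client, and adds a second rule the default does not have: scopes that only make sense with an end-user present are refused for a machine-to-machine grant. StrictClientCredentialsScopeValidator and USER_ONLY_SCOPES are this example's own names, and the scope list is a hypothetical policy to adapt to your deployment.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientCredentialsAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;

// Added example (not project code): scope validation for the client_credentials grant that
// rejects unregistered scopes and scopes that require an end-user.
public class StrictClientCredentialsScopeValidator
        implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

    // Hypothetical policy: these scopes describe an end-user, and a client acting for itself
    // has no end-user to describe, so they are never granted through this flow
    private static final Set<String> USER_ONLY_SCOPES = Set.of("openid", "profile", "email", "offline_access");

    @Override
    public void accept(OAuth2ClientCredentialsAuthenticationContext context) {
        OAuth2ClientCredentialsAuthenticationToken authentication = context.getAuthentication();
        RegisteredClient client = context.getRegisteredClient();
        Set<String> requestedScopes = authentication.getScopes();
        Set<String> allowedScopes = client.getScopes();

        // No scope parameter was sent: nothing to validate, the provider decides what to authorize
        if (requestedScopes.isEmpty()) {
            return;
        }

        // Rule 1: every requested scope must be registered for this client
        Set<String> unregistered = new LinkedHashSet<>(requestedScopes);
        unregistered.removeAll(allowedScopes);
        if (!unregistered.isEmpty()) {
            throw invalidScope("requested scope(s) are not registered for this client: " + unregistered);
        }

        // Rule 2: user-bound scopes are refused even if an operator registered them by mistake
        for (String scope : requestedScopes) {
            if (USER_ONLY_SCOPES.contains(scope)) {
                throw invalidScope("scope '" + scope + "' requires an end-user and is not available to client_credentials");
            }
        }
    }

    private static OAuth2AuthenticationException invalidScope(String description) {
        OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_SCOPE, description,
                "https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2");
        return new OAuth2AuthenticationException(error);
    }
}
```

It plugs into the configureAuthenticationValidator() method above in place of CustomScopeValidator. The error_description only echoes scope names the client itself sent, so it reveals nothing the caller did not already know, while the second rule gives defence in depth against an over-broad client registration.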
OAuth2 Token Introspection Endpoint
OAuth2TokenIntrospectionEndpointConfigurer provides the ability to customize the OAuth2 Token Introspection endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 introspection requests.
OAuth2TokenIntrospectionEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
                    tokenIntrospectionEndpoint
                        .introspectionRequestConverter(introspectionRequestConverter) (1)
                        .introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .introspectionResponseHandler(introspectionResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                )
        );

    return http.build();
}

(1) introspectionRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 introspection request from HttpServletRequest to an instance of OAuth2TokenIntrospectionAuthenticationToken.
(2) introspectionRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenIntrospectionAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) introspectionResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returning the OAuth2TokenIntrospection response.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenIntrospectionEndpointConfigurer configures the OAuth2TokenIntrospectionEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenIntrospectionEndpointFilter is the Filter that processes OAuth2 introspection requests.
OAuth2TokenIntrospectionEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An OAuth2TokenIntrospectionAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2TokenIntrospectionAuthenticationProvider.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2TokenIntrospectionAuthenticationToken and returns the OAuth2TokenIntrospection response.
- AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.
OAuth2 Token Revocation Endpoint
OAuth2TokenRevocationEndpointConfigurer provides the ability to customize the OAuth2 Token Revocation endpoint. It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for OAuth2 revocation requests.
OAuth2TokenRevocationEndpointConfigurer provides the following configuration options:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .tokenRevocationEndpoint(tokenRevocationEndpoint ->
                    tokenRevocationEndpoint
                        .revocationRequestConverter(revocationRequestConverter) (1)
                        .revocationRequestConverters(revocationRequestConvertersConsumer) (2)
                        .authenticationProvider(authenticationProvider) (3)
                        .authenticationProviders(authenticationProvidersConsumer) (4)
                        .revocationResponseHandler(revocationResponseHandler) (5)
                        .errorResponseHandler(errorResponseHandler) (6)
                )
        );

    return http.build();
}

(1) revocationRequestConverter(): Adds an AuthenticationConverter (pre-processor) used when attempting to extract an OAuth2 revocation request from HttpServletRequest to an instance of OAuth2TokenRevocationAuthenticationToken.
(2) revocationRequestConverters(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing the ability to add, remove, or customize a specific AuthenticationConverter.
(3) authenticationProvider(): Adds an AuthenticationProvider (main processor) used for authenticating the OAuth2TokenRevocationAuthenticationToken.
(4) authenticationProviders(): Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing the ability to add, remove, or customize a specific AuthenticationProvider.
(5) revocationResponseHandler(): The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OAuth2TokenRevocationAuthenticationToken and returning the OAuth2 revocation response.
(6) errorResponseHandler(): The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the OAuth2Error response.
OAuth2TokenRevocationEndpointConfigurer configures the OAuth2TokenRevocationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2TokenRevocationEndpointFilter is the Filter that processes OAuth2 revocation requests.
OAuth2TokenRevocationEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An OAuth2TokenRevocationAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OAuth2TokenRevocationAuthenticationProvider.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OAuth2TokenRevocationAuthenticationToken and returns the OAuth2 revocation response.
- AuthenticationFailureHandler — An OAuth2ErrorAuthenticationFailureHandler.
OAuth2 Authorization Server Metadata Endpoint
OAuth2AuthorizationServerMetadataEndpointConfigurer provides the ability to customize the OAuth2 Authorization Server Metadata endpoint. It defines an extension point that lets you customize the OAuth2 Authorization Server Metadata response.
OAuth2AuthorizationServerMetadataEndpointConfigurer provides the following configuration option:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
                    authorizationServerMetadataEndpoint
                        .authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer) (1)
                )
        );

    return http.build();
}

(1) authorizationServerMetadataCustomizer(): The Consumer providing access to the OAuth2AuthorizationServerMetadata.Builder, allowing the ability to customize the claims of the Authorization Server's configuration.

OAuth2AuthorizationServerMetadataEndpointConfigurer configures the OAuth2AuthorizationServerMetadataEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OAuth2AuthorizationServerMetadataEndpointFilter is the Filter that returns the OAuth2AuthorizationServerMetadata response.
JWK Set Endpoint
OAuth2AuthorizationServerConfigurer provides support for the JWK Set endpoint.
OAuth2AuthorizationServerConfigurer configures the NimbusJwkSetEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. NimbusJwkSetEndpointFilter is the Filter that returns the JWK Set.
The JWK Set endpoint is configured only if a JWKSource<SecurityContext> @Bean is registered.
OpenID Connect 1.0 Provider Configuration Endpoint
OidcProviderConfigurationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Provider Configuration endpoint. It defines an extension point that lets you customize the OpenID Provider Configuration response.
OidcProviderConfigurationEndpointConfigurer provides the following configuration option:

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
            OAuth2AuthorizationServerConfigurer.authorizationServer();

    http
        .securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
        .with(authorizationServerConfigurer, (authorizationServer) ->
            authorizationServer
                .oidc(oidc ->
                    oidc
                        .providerConfigurationEndpoint(providerConfigurationEndpoint ->
                            providerConfigurationEndpoint
                                .providerConfigurationCustomizer(providerConfigurationCustomizer) (1)
                        )
                )
        );

    return http.build();
}

(1) providerConfigurationCustomizer(): The Consumer providing access to the OidcProviderConfiguration.Builder, allowing the ability to customize the claims of the OpenID Provider's configuration.

OidcProviderConfigurationEndpointConfigurer configures the OidcProviderConfigurationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean. OidcProviderConfigurationEndpointFilter is the Filter that returns the OidcProviderConfiguration response.
OpenID Connect 1.0 Logout Endpoint
OidcLogoutEndpointConfigurer
provides the ability to customize the OpenID Connect 1.0 Logout endpoint.
It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for RP-Initiated Logout requests.
OidcLogoutEndpointConfigurer
provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.logoutRequestConverter(logoutRequestConverter) (1)
.logoutRequestConverters(logoutRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.logoutResponseHandler(logoutResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}
1 | logoutRequestConverter() : Adds an AuthenticationConverter (pre-processor) used when attempting to extract a Logout request from HttpServletRequest to an instance of OidcLogoutAuthenticationToken. |
2 | logoutRequestConverters() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter. |
3 | authenticationProvider() : Adds an AuthenticationProvider (main processor) used for authenticating the OidcLogoutAuthenticationToken. |
4 | authenticationProviders() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider. |
5 | logoutResponseHandler() : The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcLogoutAuthenticationToken and performing the logout. |
6 | errorResponseHandler() : The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the error response. |
OidcLogoutEndpointConfigurer configures the OidcLogoutEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean.
OidcLogoutEndpointFilter is the Filter that processes RP-Initiated Logout requests and performs the logout of the End-User.
OidcLogoutEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An OidcLogoutAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OidcLogoutAuthenticationProvider.
- AuthenticationSuccessHandler — An OidcLogoutAuthenticationSuccessHandler.
- AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
OidcLogoutAuthenticationProvider uses a SessionRegistry to look up the SessionInformation instance associated with the End-User requesting to be logged out.
OidcClientInitiatedLogoutSuccessHandler is the corresponding configuration in Spring Security's OAuth2 Client support for configuring OpenID Connect 1.0 RP-Initiated Logout.
Customizing Logout Request Validation
OidcLogoutAuthenticationValidator is the default validator used for validating specific OpenID Connect RP-Initiated Logout Request parameters.
The default implementation validates the post_logout_redirect_uri parameter.
If validation fails, an OAuth2AuthenticationException is thrown.
OidcLogoutAuthenticationProvider provides the ability to override the default logout request validation by supplying a custom authentication validator of type Consumer<OidcLogoutAuthenticationContext> to setAuthenticationValidator().
OidcLogoutAuthenticationContext holds the OidcLogoutAuthenticationToken, which contains the logout request parameters.
If validation fails, the authentication validator MUST throw OAuth2AuthenticationException.
The following example shows how to configure OidcLogoutAuthenticationProvider with a custom authentication validator:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.logoutEndpoint(logoutEndpoint ->
logoutEndpoint
.authenticationProviders(configureAuthenticationValidator())
)
)
);
return http.build();
}
private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
return (authenticationProviders) ->
authenticationProviders.forEach((authenticationProvider) -> {
if (authenticationProvider instanceof OidcLogoutAuthenticationProvider oidcLogoutAuthenticationProvider) {
Consumer<OidcLogoutAuthenticationContext> authenticationValidator = new CustomPostLogoutRedirectUriValidator();
oidcLogoutAuthenticationProvider.setAuthenticationValidator(authenticationValidator);
}
});
}
static class CustomPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {
@Override
public void accept(OidcLogoutAuthenticationContext authenticationContext) {
OidcLogoutAuthenticationToken oidcLogoutAuthentication =
authenticationContext.getAuthentication();
RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
// TODO
}
}
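The reference snippet above leaves the body of CustomPostLogoutRedirectUriValidator as a TODO. What follows is an added example of a complete validator, not code from the project: it keeps the contract stated above (throw OAuth2AuthenticationException on failure) and validates post_logout_redirect_uri by exact comparison against the URIs registered for the client identified by the id_token_hint. The class name StrictPostLogoutRedirectUriValidator and the error descriptions are assumed; OidcLogoutAuthenticationToken.getPostLogoutRedirectUri() and RegisteredClient.getPostLogoutRedirectUris() are the project's accessors. It can be passed to setAuthenticationValidator() exactly as CustomPostLogoutRedirectUriValidator is in the snippet above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.function.Consumer;

import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationContext;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcLogoutAuthenticationToken;
import org.springframework.util.StringUtils;

/**
 * Hypothetical validator (not part of the reference): accepts a post_logout_redirect_uri
 * only when it is a clean absolute URI and exactly matches one registered for the client
 * that the id_token_hint identified.
 */
public class StrictPostLogoutRedirectUriValidator implements Consumer<OidcLogoutAuthenticationContext> {

	private static final String PARAMETER = "post_logout_redirect_uri";

	@Override
	public void accept(OidcLogoutAuthenticationContext authenticationContext) {
		OidcLogoutAuthenticationToken oidcLogoutAuthentication = authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String postLogoutRedirectUri = oidcLogoutAuthentication.getPostLogoutRedirectUri();

		// Without the parameter there is nothing to validate: the server renders its own page.
		if (!StringUtils.hasText(postLogoutRedirectUri)) {
			return;
		}
		// The client is only known when a valid id_token_hint identified it; a redirect
		// target that no registered client vouches for is refused.
		if (registeredClient == null) {
			throw invalidRequest("id_token_hint is required when " + PARAMETER + " is present");
		}
		URI uri;
		try {
			uri = new URI(postLogoutRedirectUri);
		}
		catch (URISyntaxException ex) {
			throw invalidRequest(PARAMETER + " is not a valid URI");
		}
		if (!uri.isAbsolute() || uri.getFragment() != null) {
			throw invalidRequest(PARAMETER + " must be absolute and must not contain a fragment");
		}
		// Exact string comparison against the registered set: no prefix, pattern or
		// wildcard matching, which is what keeps the logout redirect from becoming an
		// open redirector.
		if (!registeredClient.getPostLogoutRedirectUris().contains(postLogoutRedirectUri)) {
			throw invalidRequest(PARAMETER + " is not registered for client " + registeredClient.getClientId());
		}
	}

	private static OAuth2AuthenticationException invalidRequest(String description) {
		OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST,
				"OpenID Connect 1.0 Logout Request Parameter: " + description, null);
		return new OAuth2AuthenticationException(error);
	}

}
```

The validator does not redirect or log anything itself; it only decides whether the request may proceed. The OAuth2AuthenticationException it throws is handed to the errorResponseHandler configured for the endpoint, so the error-page behaviour stays in one place.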
OpenID Connect 1.0 UserInfo Endpoint
OidcUserInfoEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 UserInfo endpoint.
It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for UserInfo requests.
OidcUserInfoEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.userInfoEndpoint(userInfoEndpoint ->
userInfoEndpoint
.userInfoRequestConverter(userInfoRequestConverter) (1)
.userInfoRequestConverters(userInfoRequestConvertersConsumer) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.userInfoResponseHandler(userInfoResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
.userInfoMapper(userInfoMapper) (7)
)
)
);
return http.build();
}
1 | userInfoRequestConverter() : Adds an AuthenticationConverter (pre-processor) used when attempting to extract a UserInfo request from HttpServletRequest to an instance of OidcUserInfoAuthenticationToken. |
2 | userInfoRequestConverters() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter. |
3 | authenticationProvider() : Adds an AuthenticationProvider (main processor) used for authenticating the OidcUserInfoAuthenticationToken. |
4 | authenticationProviders() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider. |
5 | userInfoResponseHandler() : The AuthenticationSuccessHandler (post-processor) used for handling an “authenticated” OidcUserInfoAuthenticationToken and returning the UserInfo response. |
6 | errorResponseHandler() : The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the UserInfo Error response. |
7 | userInfoMapper() : The Function used to extract claims from OidcUserInfoAuthenticationContext to an instance of OidcUserInfo . |
OidcUserInfoEndpointConfigurer configures the OidcUserInfoEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean.
OidcUserInfoEndpointFilter is the Filter that processes UserInfo requests and returns the OidcUserInfo response.
OidcUserInfoEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An internal implementation that obtains the Authentication from the SecurityContext and creates an OidcUserInfoAuthenticationToken with the principal.
- AuthenticationManager — An AuthenticationManager composed of OidcUserInfoAuthenticationProvider, which is associated with an internal implementation of userInfoMapper that extracts standard claims from the ID Token based on the scopes requested during authorization.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OidcUserInfoAuthenticationToken and returns the OidcUserInfo response.
- AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
You can customize the ID Token by providing an OAuth2TokenCustomizer<JwtEncodingContext> @Bean.
The OpenID Connect 1.0 UserInfo endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the UserInfo request.
OAuth2 resource server support is autoconfigured, however, a JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 UserInfo endpoint.
The guide How-to: Customize the OpenID Connect 1.0 UserInfo response contains examples of customizing the UserInfo endpoint.
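As an added example that is not part of the reference, the following userInfoMapper replaces the default "claims from the ID Token" behaviour with a lookup in an application user store while keeping the default's most important property: a claim is released only if the access token carries the scope that covers it. The class ScopeFilteredUserInfoMapper, its UserRecord type and the sample user "alice" are constructed for illustration; OidcUserInfoAuthenticationContext.getAuthorization(), getAccessToken() and OidcUserInfo.builder() are the project's own API. It is registered with userInfoEndpoint.userInfoMapper(ScopeFilteredUserInfoMapper.withSampleUsers()) in place of the userInfoMapper placeholder in the snippet above.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
import org.springframework.security.oauth2.server.authorization.oidc.authentication.OidcUserInfoAuthenticationContext;

/**
 * Hypothetical mapper (not part of the reference): builds the UserInfo response from an
 * application user store and releases each claim only when the access token was granted
 * the scope that covers it.
 */
public final class ScopeFilteredUserInfoMapper implements Function<OidcUserInfoAuthenticationContext, OidcUserInfo> {

	// Constructed stand-in for a real user store.
	public record UserRecord(String name, String email, boolean emailVerified) {
	}

	private final Map<String, UserRecord> users;

	public ScopeFilteredUserInfoMapper(Map<String, UserRecord> users) {
		this.users = Map.copyOf(users);
	}

	// Sample data, constructed for this example only.
	public static ScopeFilteredUserInfoMapper withSampleUsers() {
		return new ScopeFilteredUserInfoMapper(Map.of(
				"alice", new UserRecord("Alice Example", "alice@example.com", true)));
	}

	@Override
	public OidcUserInfo apply(OidcUserInfoAuthenticationContext context) {
		// The subject comes from the stored authorization, never from request input.
		String principalName = context.getAuthorization().getPrincipalName();
		// The scopes bound to this access token decide which claims may be released.
		Set<String> scopes = context.getAccessToken().getScopes();

		OidcUserInfo.Builder builder = OidcUserInfo.builder().subject(principalName);
		UserRecord user = this.users.get(principalName);
		if (user == null) {
			// Unknown principal: answer with the subject only, disclosing nothing else.
			return builder.build();
		}
		if (scopes.contains(OidcScopes.PROFILE)) {
			builder.name(user.name());
		}
		if (scopes.contains(OidcScopes.EMAIL)) {
			builder.email(user.email()).emailVerified(user.emailVerified());
		}
		return builder.build();
	}

}
```

The mapper deliberately does not re-validate the bearer token; that is the job of OidcUserInfoAuthenticationProvider, which runs before the mapper. Its single responsibility is deciding what to disclose, and tying that decision to the token's scopes keeps a token issued for openid alone from turning into a full profile read.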
OpenID Connect 1.0 Client Registration Endpoint
OidcClientRegistrationEndpointConfigurer provides the ability to customize the OpenID Connect 1.0 Client Registration endpoint.
It defines extension points that let you customize the pre-processing, main processing, and post-processing logic for Client Registration requests or Client Read requests.
OidcClientRegistrationEndpointConfigurer provides the following configuration options:
@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
OAuth2AuthorizationServerConfigurer.authorizationServer();
http
.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
.with(authorizationServerConfigurer, (authorizationServer) ->
authorizationServer
.oidc(oidc ->
oidc
.clientRegistrationEndpoint(clientRegistrationEndpoint ->
clientRegistrationEndpoint
.clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) (2)
.authenticationProvider(authenticationProvider) (3)
.authenticationProviders(authenticationProvidersConsumer) (4)
.clientRegistrationResponseHandler(clientRegistrationResponseHandler) (5)
.errorResponseHandler(errorResponseHandler) (6)
)
)
);
return http.build();
}
1 | clientRegistrationRequestConverter() : Adds an AuthenticationConverter (pre-processor) used when attempting to extract a Client Registration request or Client Read request from HttpServletRequest to an instance of OidcClientRegistrationAuthenticationToken. |
2 | clientRegistrationRequestConverters() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationConverters, allowing you to add, remove, or customize a specific AuthenticationConverter. |
3 | authenticationProvider() : Adds an AuthenticationProvider (main processor) used for authenticating the OidcClientRegistrationAuthenticationToken. |
4 | authenticationProviders() : Sets the Consumer providing access to the List of default and (optionally) added AuthenticationProviders, allowing you to add, remove, or customize a specific AuthenticationProvider. |
5 | clientRegistrationResponseHandler() : The AuthenticationSuccessHandler (post-processor) used for handling an "authenticated" OidcClientRegistrationAuthenticationToken and returning the Client Registration response or Client Read response. |
6 | errorResponseHandler() : The AuthenticationFailureHandler (post-processor) used for handling an OAuth2AuthenticationException and returning the Client Registration Error response or Client Read Error response. |
The OpenID Connect 1.0 Client Registration endpoint is disabled by default because many deployments do not require dynamic client registration.
OidcClientRegistrationEndpointConfigurer configures the OidcClientRegistrationEndpointFilter and registers it with the OAuth2 authorization server SecurityFilterChain @Bean.
OidcClientRegistrationEndpointFilter is the Filter that processes Client Registration requests and returns the OidcClientRegistration response.
OidcClientRegistrationEndpointFilter also processes Client Read requests and returns the OidcClientRegistration response.
OidcClientRegistrationEndpointFilter is configured with the following defaults:
- AuthenticationConverter — An OidcClientRegistrationAuthenticationConverter.
- AuthenticationManager — An AuthenticationManager composed of OidcClientRegistrationAuthenticationProvider and OidcClientConfigurationAuthenticationProvider.
- AuthenticationSuccessHandler — An internal implementation that handles an "authenticated" OidcClientRegistrationAuthenticationToken and returns the OidcClientRegistration response.
- AuthenticationFailureHandler — An internal implementation that uses the OAuth2Error associated with the OAuth2AuthenticationException and returns the OAuth2Error response.
The OpenID Connect 1.0 Client Registration endpoint is an OAuth2 protected resource, which REQUIRES an access token to be sent as a bearer token in the Client Registration (or Client Read) request.
OAuth2 resource server support is autoconfigured, however, a JwtDecoder @Bean is REQUIRED for the OpenID Connect 1.0 Client Registration endpoint.
The access token in a Client Registration request REQUIRES the OAuth2 scope client.create.
The access token in a Client Read request REQUIRES the OAuth2 scope client.read.
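The following is an added example, not code from the reference, that puts the three requirements above together: it enables the endpoint (off by default), provides the JwtDecoder @Bean the endpoint needs to validate the bearer token, and registers a single "registrar" client that can obtain an access token carrying the client.create and client.read scopes. The client id "registrar-client", its placeholder secret, the class name and the use of an in-memory repository are all assumptions for illustration; it also assumes a JWKSource<SecurityContext> @Bean already exists in the application, which is the bean the authorization server signs its tokens with.

```java
import java.util.UUID;

import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configuration.OAuth2AuthorizationServerConfiguration;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ClientRegistrationEndpointConfig {

	@Bean
	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
		OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
				OAuth2AuthorizationServerConfigurer.authorizationServer();
		http
			.securityMatcher(authorizationServerConfigurer.getEndpointsMatcher())
			.with(authorizationServerConfigurer, (authorizationServer) ->
				authorizationServer
					.oidc(oidc ->
						// Explicit opt-in: the Client Registration endpoint is disabled by default.
						oidc.clientRegistrationEndpoint(Customizer.withDefaults())
					)
			);
		return http.build();
	}

	// The only client entitled to register or read clients: machine-to-machine grant,
	// nothing but the two registration scopes, secret stored hashed by the encoder.
	@Bean
	public RegisteredClientRepository registeredClientRepository(PasswordEncoder passwordEncoder) {
		RegisteredClient registrarClient = RegisteredClient.withId(UUID.randomUUID().toString())
				.clientId("registrar-client")                                            // hypothetical client id
				.clientSecret(passwordEncoder.encode("placeholder-registrar-secret"))  // placeholder, not a real secret
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
				.scope("client.create")
				.scope("client.read")
				.build();
		// In-memory store for the example; dynamically registered clients are saved here too.
		return new InMemoryRegisteredClientRepository(registrarClient);
	}

	@Bean
	public PasswordEncoder passwordEncoder() {
		return PasswordEncoderFactories.createDelegatingPasswordEncoder();
	}

	// The registration endpoint is a protected resource, so the server must be able to
	// validate its own access tokens; this reuses the JWKSource bean that signs them.
	@Bean
	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
	}

}
```

Keeping client.create and client.read on a dedicated client, rather than adding them to an existing application client, means an access token obtained for ordinary application use can never be replayed against the registration endpoint; the scope check the endpoint performs is only as strong as the discipline with which those scopes are granted.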