This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 7.0.4!spring-doc.cn

OAuth 2.1 Authorization Server

The OAuth 2.1 Authorization Server features provide support for the Authorization Server role as defined in the OAuth 2.1 Authorization Framework.spring-doc.cn

The Authorization Server features provide implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It provides a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth 2.1 Authorization Server products.spring-doc.cn

Use Cases

The following list provides some use cases for using Spring Security Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.spring-doc.cn

Provides full control of configuration and customization when advanced customization scenarios are required.spring-doc.cn
Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".spring-doc.cn
Potential savings in software licensing and/or hosting costs.spring-doc.cn
Quick startup and ease of use during development using the familiar Spring programming model.spring-doc.cn

Feature List

Spring Security Authorization Server supports the following features:spring-doc.cn

Category Feature Related specifications

Category	Feature	Related specifications
Authorization Grant spring-doc.cn	Authorization Codespring-doc.cn User Consent spring-doc.cn Client Credentialsspring-doc.cn Refresh Tokenspring-doc.cn Device Codespring-doc.cn User Consent spring-doc.cn Token Exchangespring-doc.cn	The OAuth 2.1 Authorization Framework (draft)spring-doc.cn Authorization Code Grant spring-doc.cn Client Credentials Grant spring-doc.cn Refresh Token Grant spring-doc.cn OpenID Connect Core 1.0 (spec)spring-doc.cn Authorization Code Flow spring-doc.cn OAuth 2.0 Device Authorization Grant (spec)spring-doc.cn Device Flow spring-doc.cn OAuth 2.0 Token Exchange (spec)spring-doc.cn Token Exchange Flow spring-doc.cn
Token Formats spring-doc.cn	Self-contained (JWT)spring-doc.cn Reference (Opaque)spring-doc.cn	JSON Web Token (JWT) (RFC 7519)spring-doc.cn JSON Web Signature (JWS) (RFC 7515)spring-doc.cn
Token Typesspring-doc.cn	DPoP-bound Access Tokens spring-doc.cn	OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449)spring-doc.cn
Client Authentication spring-doc.cn	`client_secret_basic`spring-doc.cn `client_secret_post`spring-doc.cn `client_secret_jwt`spring-doc.cn `private_key_jwt`spring-doc.cn `tls_client_auth`spring-doc.cn `self_signed_tls_client_auth`spring-doc.cn `none` (public clients)spring-doc.cn	The OAuth 2.1 Authorization Framework (Client Authentication)spring-doc.cn JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (RFC 7523)spring-doc.cn OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)spring-doc.cn Proof Key for Code Exchange by OAuth Public Clients (PKCE) (RFC 7636)spring-doc.cn
Protocol Endpoints spring-doc.cn	OAuth2 Authorization Endpoint spring-doc.cn OAuth2 Pushed Authorization Request Endpoint spring-doc.cn OAuth2 Device Authorization Endpoint spring-doc.cn OAuth2 Device Verification Endpoint spring-doc.cn OAuth2 Token Endpoint spring-doc.cn OAuth2 Token Introspection Endpoint spring-doc.cn OAuth2 Token Revocation Endpoint spring-doc.cn OAuth2 Client Registration Endpoint spring-doc.cn OAuth2 Authorization Server Metadata Endpoint spring-doc.cn JWK Set Endpoint spring-doc.cn OpenID Connect 1.0 Provider Configuration Endpoint spring-doc.cn OpenID Connect 1.0 Logout Endpoint spring-doc.cn OpenID Connect 1.0 UserInfo Endpoint spring-doc.cn OpenID Connect 1.0 Client Registration Endpoint spring-doc.cn	The OAuth 2.1 Authorization Framework (draft)spring-doc.cn Authorization Endpoint spring-doc.cn Token Endpoint spring-doc.cn OAuth 2.0 Pushed Authorization Requests (RFC 9126)spring-doc.cn Pushed Authorization Request Endpoint spring-doc.cn OAuth 2.0 Device Authorization Grant (RFC 8628)spring-doc.cn Device Authorization Endpoint spring-doc.cn Device Verification Endpoint spring-doc.cn OAuth 2.0 Token Introspection (RFC 7662)spring-doc.cn OAuth 2.0 Token Revocation (RFC 7009)spring-doc.cn OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)spring-doc.cn OAuth 2.0 Authorization Server Metadata (RFC 8414)spring-doc.cn JSON Web Key (JWK) (RFC 7517)spring-doc.cn OpenID Connect Discovery 1.0 (spec)spring-doc.cn Provider Configuration Endpoint spring-doc.cn OpenID Connect RP-Initiated Logout 1.0 (spec)spring-doc.cn Logout Endpoint spring-doc.cn OpenID Connect Core 1.0 (spec)spring-doc.cn UserInfo Endpoint spring-doc.cn OpenID Connect Dynamic Client Registration 1.0 (spec)spring-doc.cn Client Registration Endpoint spring-doc.cn Client Configuration Endpoint spring-doc.cn

Authorization Grant spring-doc.cn

Authorization Codespring-doc.cn
- User Consent spring-doc.cn
Client Credentialsspring-doc.cn
Refresh Tokenspring-doc.cn
Device Codespring-doc.cn
- User Consent spring-doc.cn
Token Exchangespring-doc.cn

The OAuth 2.1 Authorization Framework (draft)spring-doc.cn
OpenID Connect Core 1.0 (spec)spring-doc.cn
- Authorization Code Flow spring-doc.cn
OAuth 2.0 Device Authorization Grant (spec)spring-doc.cn
- Device Flow spring-doc.cn
OAuth 2.0 Token Exchange (spec)spring-doc.cn
- Token Exchange Flow spring-doc.cn

Token Formats spring-doc.cn

Self-contained (JWT)spring-doc.cn
Reference (Opaque)spring-doc.cn

JSON Web Token (JWT) (RFC 7519)spring-doc.cn
JSON Web Signature (JWS) (RFC 7515)spring-doc.cn

Token Typesspring-doc.cn

DPoP-bound Access Tokens spring-doc.cn

OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449)spring-doc.cn

Client Authentication spring-doc.cn

client_secret_basicspring-doc.cn
client_secret_postspring-doc.cn
client_secret_jwtspring-doc.cn
private_key_jwtspring-doc.cn
tls_client_authspring-doc.cn
self_signed_tls_client_authspring-doc.cn
none (public clients)spring-doc.cn

The OAuth 2.1 Authorization Framework (Client Authentication)spring-doc.cn
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (RFC 7523)spring-doc.cn
OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)spring-doc.cn
Proof Key for Code Exchange by OAuth Public Clients (PKCE) (RFC 7636)spring-doc.cn

Protocol Endpoints spring-doc.cn

The OAuth 2.1 Authorization Framework (draft)spring-doc.cn
- Authorization Endpoint spring-doc.cn
- Token Endpoint spring-doc.cn
OAuth 2.0 Pushed Authorization Requests (RFC 9126)spring-doc.cn
- Pushed Authorization Request Endpoint spring-doc.cn
OAuth 2.0 Device Authorization Grant (RFC 8628)spring-doc.cn
- Device Authorization Endpoint spring-doc.cn
- Device Verification Endpoint spring-doc.cn
OAuth 2.0 Token Introspection (RFC 7662)spring-doc.cn
OAuth 2.0 Token Revocation (RFC 7009)spring-doc.cn
OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)spring-doc.cn
OAuth 2.0 Authorization Server Metadata (RFC 8414)spring-doc.cn
JSON Web Key (JWK) (RFC 7517)spring-doc.cn
OpenID Connect Discovery 1.0 (spec)spring-doc.cn
- Provider Configuration Endpoint spring-doc.cn
OpenID Connect RP-Initiated Logout 1.0 (spec)spring-doc.cn
- Logout Endpoint spring-doc.cn
OpenID Connect Core 1.0 (spec)spring-doc.cn
- UserInfo Endpoint spring-doc.cn
OpenID Connect Dynamic Client Registration 1.0 (spec)spring-doc.cn
- Client Registration Endpoint spring-doc.cn
- Client Configuration Endpoint spring-doc.cn

OAuth 2.1 Authorization Server

Use Cases

Feature List

Section Summary