This PR introduces support for Spring Authorization Server. It includes:

  • New module spring-boot-starter-oauth2-authorization-server
  • Dependency management of org.springframework.security:spring-security-oauth2-authorization-server
  • Support in spring-boot-autoconfigure for org.springframework.security:spring-security-oauth2-authorization-server

Overview

The auto-configuration is designed to closely match the Getting Started guide in the reference manual. When spring-security-oauth2-authorization-server is detected on the classpath, the following components are optionally registered:

  • RegisteredClientRepository
  • AuthorizationServerSettings
  • SecurityFilterChain for protocol endpoints
  • SecurityFilterChain for user authentication with Form Login
  • com.nimbusds.jose.jwk.source.JWKSource<SecurityContext> with a generated RSA key-pair
  • JwtDecoder that uses the provided JWKSource

Because Spring Authorization Server is built on top of Spring Security, the order in which components are registered in collaboration with existing auto-configuration is important.

The main consideration is that UserDetailsServiceAutoConfiguration continue to be allowed to publish a UserDetailsService if necessary. However, a JwtDecoder must also be published afterwards. This is in contrast with OAuth2ResourceServerAutoConfiguration, which prevents a UserDetailsService from being published.

Configuration

The OAuth2AuthorizationServerProperties allow configuring RegisteredClients and AuthorizationServerSettings. Here is a typical client configuration with default settings:

spring:
  security:
    oauth2:
      authorizationserver:
        client:
          messaging-client:
            registration:
              client-id: messaging-client
              client-secret: "{noop}secret"
              client-authentication-methods:
                - client_secret_basic
              authorization-grant-types:
                - authorization_code
                - refresh_token
                - client_credentials
              redirect-uris:
                - http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
                - http://127.0.0.1:8080/authorized
              scopes:
                - openid
                - profile
                - message.read
                - message.write
            require-authorization-consent: true

Here is a full configuration example:

spring:
  security:
    oauth2:
      authorizationserver:
        issuer: https://provider.com
        endpoint:
          authorization-uri: /oauth2/authorize
          token-uri: /oauth2/token
          jwk-set-uri: /oauth2/jwks
          token-revocation-uri: /oauth2/revoke
          token-introspection-uri: /oauth2/introspect
          oidc:
            logout-uri: /connect/logout
            client-registration-uri: /connect/register
            user-info-uri: /userinfo
        client:
          messaging-client:
            registration:
              client-id: messaging-client
              client-secret: "{noop}secret"
              client-name: Messaging Client
              client-authentication-methods:
                - client_secret_basic
              authorization-grant-types:
                - authorization_code
                - refresh_token
                - client_credentials
                - urn:ietf:params:oauth:grant-type:device_code
              redirect-uris:
                - http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc
                - http://127.0.0.1:8080/authorized
              post-logout-redirect-uris:
                - http://127.0.0.1:8080/logout
              scopes:
                - openid
                - profile
                - message.read
                - message.write
            require-proof-key: true
            require-authorization-consent: true
            jwk-set-uri: http://127.0.0.1:8080/jwks
            token-endpoint-authentication-signing-algorithm: RS256
            token:
              authorization-code-time-to-live: 5m
              access-token-time-to-live: 5m
              access-token-format: self-contained
              reuse-refresh-tokens: false
              refresh-token-time-to-live: 60m
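To make concrete what the properties above map to, here is the same full configuration expressed as the RegisteredClientRepository and AuthorizationServerSettings beans a user would have written by hand before this auto-configuration existed. This is an added example, not code from the PR or from Spring Boot, and it assumes Spring Authorization Server 1.1 or later (the device_code grant, post-logout redirect URIs and the OIDC logout endpoint are not available in earlier versions). The class name AuthorizationServerBeansConfig is hypothetical.

```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

// Hypothetical class: hand-written equivalent of the YAML properties above.
@Configuration
public class AuthorizationServerBeansConfig {

    // Equivalent of the "messaging-client" entry under
    // spring.security.oauth2.authorizationserver.client.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient messagingClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("messaging-client")
                // "{noop}" tells the DelegatingPasswordEncoder the secret is stored in clear
                // text. Outside local development store a hash instead, e.g. a "{bcrypt}..."
                // value produced by a PasswordEncoder, exactly as for user passwords.
                .clientSecret("{noop}secret")
                .clientName("Messaging Client")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
                // Redirect URIs are matched exactly; loopback http is the one case
                // where a non-https redirect is acceptable.
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/messaging-client-oidc")
                .redirectUri("http://127.0.0.1:8080/authorized")
                .postLogoutRedirectUri("http://127.0.0.1:8080/logout")
                .scope(OidcScopes.OPENID)
                .scope(OidcScopes.PROFILE)
                .scope("message.read")
                .scope("message.write")
                .clientSettings(ClientSettings.builder()
                        // require-proof-key: PKCE is mandatory for authorization_code requests
                        .requireProofKey(true)
                        // require-authorization-consent: the user must approve requested scopes
                        .requireAuthorizationConsent(true)
                        .jwkSetUrl("http://127.0.0.1:8080/jwks")
                        .tokenEndpointAuthenticationSigningAlgorithm(SignatureAlgorithm.RS256)
                        .build())
                .tokenSettings(TokenSettings.builder()
                        .authorizationCodeTimeToLive(Duration.ofMinutes(5))
                        .accessTokenTimeToLive(Duration.ofMinutes(5))
                        .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
                        // reuse-refresh-tokens: false rotates the refresh token on every use,
                        // so a leaked token stops working as soon as the legitimate client refreshes
                        .reuseRefreshTokens(false)
                        .refreshTokenTimeToLive(Duration.ofMinutes(60))
                        .build())
                .build();
        return new InMemoryRegisteredClientRepository(messagingClient);
    }

    // Equivalent of the "issuer" and "endpoint" properties.
    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        return AuthorizationServerSettings.builder()
                .issuer("https://provider.com")
                .authorizationEndpoint("/oauth2/authorize")
                .tokenEndpoint("/oauth2/token")
                .jwkSetEndpoint("/oauth2/jwks")
                .tokenRevocationEndpoint("/oauth2/revoke")
                .tokenIntrospectionEndpoint("/oauth2/introspect")
                .oidcLogoutEndpoint("/connect/logout")
                .oidcClientRegistrationEndpoint("/connect/register")
                .oidcUserInfoEndpoint("/userinfo")
                .build();
    }
}
```

Either of these beans, if defined by the application, takes precedence over the property-driven one, which is how an application would move a client out of YAML and into a database-backed RegisteredClientRepository (for example JdbcRegisteredClientRepository) without changing the rest of the auto-configuration.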

Comment From: mhalbritter

Hi! It seems that the two auto-configuration classes OAuth2AuthorizationServerAutoConfiguration and OAuth2AuthorizationServerJwtAutoConfiguration are not configured in the org.springframework.boot.autoconfigure.AutoConfiguration.imports file and won't be loaded.

Is it possible to add a smoke test for the OAuth2 Authorization Server to catch such bugs and verify that it works correctly in a Boot application?
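As an illustration of the kind of check a smoke test can make, here is an added example of a Boot integration test that exercises the auto-configured server end to end with MockMvc. It is not the smoke test added to the PR; it assumes the OIDC discovery endpoint is enabled (as in the Getting Started guide the auto-configuration follows), that spring-security-test and spring-boot-starter-test are on the test classpath, and the class name AuthorizationServerSmokeTests is hypothetical.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class. The client below is registered purely through the
// properties this PR introduces, so every assertion fails if the auto-configuration
// classes are not picked up from AutoConfiguration.imports.
@SpringBootTest(properties = {
        "spring.security.oauth2.authorizationserver.client.messaging-client.registration.client-id=messaging-client",
        "spring.security.oauth2.authorizationserver.client.messaging-client.registration.client-secret={noop}secret",
        "spring.security.oauth2.authorizationserver.client.messaging-client.registration.client-authentication-methods[0]=client_secret_basic",
        "spring.security.oauth2.authorizationserver.client.messaging-client.registration.authorization-grant-types[0]=client_credentials",
        "spring.security.oauth2.authorizationserver.client.messaging-client.registration.scopes[0]=message.read"
})
@AutoConfigureMockMvc
class AuthorizationServerSmokeTests {

    @Autowired
    private MockMvc mockMvc;

    // The protocol-endpoint filter chain is in place: discovery metadata is served.
    @Test
    void openidConfigurationIsPublished() throws Exception {
        this.mockMvc.perform(get("/.well-known/openid-configuration"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.token_endpoint").exists())
                .andExpect(jsonPath("$.jwks_uri").exists());
    }

    // The RegisteredClientRepository, JWKSource and token endpoint all work together:
    // a client_credentials request with the configured secret yields a bearer token.
    @Test
    void clientCredentialsGrantIssuesAccessToken() throws Exception {
        this.mockMvc.perform(post("/oauth2/token")
                        .with(httpBasic("messaging-client", "secret"))
                        .param("grant_type", "client_credentials")
                        .param("scope", "message.read"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.access_token").exists())
                .andExpect(jsonPath("$.token_type").value("Bearer"));
    }

    // Negative check: a wrong client secret must be rejected, not silently accepted.
    @Test
    void wrongClientSecretIsRejected() throws Exception {
        this.mockMvc.perform(post("/oauth2/token")
                        .with(httpBasic("messaging-client", "wrong"))
                        .param("grant_type", "client_credentials"))
                .andExpect(status().isUnauthorized());
    }

    // The JWK Set endpoint exposes the generated RSA key so resource servers can verify tokens.
    @Test
    void jwkSetIsServed() throws Exception {
        this.mockMvc.perform(get("/oauth2/jwks"))
                .andExpect(status().isOk())
                .andExpect(jsonPath("$.keys[0].kty").value("RSA"));
    }
}
```

The negative test is the one most worth keeping: a misordered filter chain or a missing client-authentication filter tends to surface as the token endpoint accepting requests it should reject, which the positive tests alone would not catch.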

Comment From: sjohnr

@mhalbritter I've added the imports and a few basic smoke tests.

Comment From: mhalbritter

Thank you!

Comment From: sjohnr

Hi @mhalbritter! Just checking to see if there is any additional feedback on this PR? I'm especially interested in feedback related to the config properties. If there are any changes needed, I will sync up with @jgrandja and make any needed updates ready for review.

Comment From: mhalbritter

Hey, I'll bring it up on the next team meeting.

Comment From: mbhave

Thanks for the PR @sjohnr. It's been merged into main along with this polish commit.