spring-security/docs/modules/ROOT/pages/servlet/oauth2/authorization-server/index.adoc

[[oauth2AuthorizationServer]]
= OAuth 2.1 Authorization Server
:page-section-summary-toc: 1

The OAuth 2.1 Authorization Server features provide support for the Authorization Server role as defined in the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-1.1[OAuth 2.1 Authorization Framework].

The Authorization Server features provide implementations of the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[OAuth 2.1] and https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] specifications and other related specifications.
It provides a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth 2.1 Authorization Server products.

[[oauth2AuthorizationServer-use-cases]]
== Use Cases

The following list provides some use cases for using Spring Security Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.

* Provides full control of configuration and customization when advanced customization scenarios are required.
* Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".
* Potential savings in software licensing and/or hosting costs.
* Quick startup and ease of use during development using the familiar Spring programming model.

[[oauth2AuthorizationServer-feature-list]]
== Feature List

Spring Security Authorization Server supports the following features:

[cols="2a,4a,6a"]
|===
|Category |Feature |Related specifications

|xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[Authorization Grant]
|
* Authorization Code
** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[User Consent]
* Client Credentials
* Refresh Token
* Device Code
** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[User Consent]
* Token Exchange
|
* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.1[Authorization Code Grant]
** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.2[Client Credentials Grant]
** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.3[Refresh Token Grant]
* OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])
** https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow]
* OAuth 2.0 Device Authorization Grant
(https://tools.ietf.org/html/rfc8628[spec])
** https://tools.ietf.org/html/rfc8628#section-3[Device Flow]
* OAuth 2.0 Token Exchange (https://datatracker.ietf.org/doc/html/rfc8693[spec])
** https://datatracker.ietf.org/doc/html/rfc8693#section-2[Token Exchange Flow]

|xref:servlet/oauth2/authorization-server/core-model-components.adoc#oauth2AuthorizationServer-oauth2-token-generator[Token Formats]
|
* Self-contained (JWT)
* Reference (Opaque)
|
* JSON Web Token (JWT) (https://tools.ietf.org/html/rfc7519[RFC 7519])
* JSON Web Signature (JWS) (https://tools.ietf.org/html/rfc7515[RFC 7515])

|Token Types
|
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint-dpop-bound-access-tokens[DPoP-bound Access Tokens]
|
* OAuth 2.0 Demonstrating Proof of Possession (DPoP) (https://datatracker.ietf.org/doc/html/rfc9449[RFC 9449])

|xref:servlet/oauth2/authorization-server/configuration-model.adoc#oauth2AuthorizationServer-configuring-client-authentication[Client Authentication]
|
* `client_secret_basic`
* `client_secret_post`
* `client_secret_jwt`
* `private_key_jwt`
* `tls_client_auth`
* `self_signed_tls_client_auth`
* `none` (public clients)
|
* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-2.4[Client Authentication])
* JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (https://tools.ietf.org/html/rfc7523[RFC 7523])
* OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (https://datatracker.ietf.org/doc/html/rfc8705[RFC 8705])
* Proof Key for Code Exchange by OAuth Public Clients (PKCE) (https://tools.ietf.org/html/rfc7636[RFC 7636])

|xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc[Protocol Endpoints]
|
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[OAuth2 Authorization Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-pushed-authorization-request-endpoint[OAuth2 Pushed Authorization Request Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-authorization-endpoint[OAuth2 Device Authorization Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[OAuth2 Device Verification Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[OAuth2 Token Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-introspection-endpoint[OAuth2 Token Introspection Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-revocation-endpoint[OAuth2 Token Revocation Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-server-metadata-endpoint[OAuth2 Authorization Server Metadata Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-jwk-set-endpoint[JWK Set Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-logout-endpoint[OpenID Connect 1.0 Logout Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo Endpoint]
* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration Endpoint]
|
* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.1[Authorization Endpoint]
** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.2[Token Endpoint]
* OAuth 2.0 Pushed Authorization Requests (https://datatracker.ietf.org/doc/html/rfc9126[RFC 9126])
** https://datatracker.ietf.org/doc/html/rfc9126#section-2[Pushed Authorization Request Endpoint]
* OAuth 2.0 Device Authorization Grant (https://tools.ietf.org/html/rfc8628[RFC 8628])
** https://tools.ietf.org/html/rfc8628#section-3.1[Device Authorization Endpoint]
** https://tools.ietf.org/html/rfc8628#section-3.3[Device Verification Endpoint]
* OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662[RFC 7662])
* OAuth 2.0 Token Revocation (https://tools.ietf.org/html/rfc7009[RFC 7009])
* OAuth 2.0 Authorization Server Metadata (https://tools.ietf.org/html/rfc8414[RFC 8414])
* JSON Web Key (JWK) (https://tools.ietf.org/html/rfc7517[RFC 7517])
* OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html[spec])
** https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Provider Configuration Endpoint]
* OpenID Connect RP-Initiated Logout 1.0 (https://openid.net/specs/openid-connect-rpinitiated-1_0.html[spec])
** https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout[Logout Endpoint]
* OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])
** https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint]
* OpenID Connect Dynamic Client Registration 1.0 (https://openid.net/specs/openid-connect-registration-1_0.html[spec])
** https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration[Client Registration Endpoint]
** https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint[Client Configuration Endpoint]
|===
Integrate Spring Authorization Server ref docs Issue gh-17880 2025-09-06 13:59:34 -04:00			`[[oauth2AuthorizationServer]]`
			`= OAuth 2.1 Authorization Server`
			`:page-section-summary-toc: 1`
Manual move of spring-projects/spring-authorization-server docs Issue gh-17880 2025-09-06 12:09:05 -04:00
Integrate Spring Authorization Server ref docs Issue gh-17880 2025-09-06 13:59:34 -04:00			`The OAuth 2.1 Authorization Server features provide support for the Authorization Server role as defined in the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-1.1[OAuth 2.1 Authorization Framework].`
Manual move of spring-projects/spring-authorization-server docs Issue gh-17880 2025-09-06 12:09:05 -04:00
Integrate Spring Authorization Server ref docs Issue gh-17880 2025-09-06 13:59:34 -04:00			`The Authorization Server features provide implementations of the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[OAuth 2.1] and https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] specifications and other related specifications.`
			`It provides a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth 2.1 Authorization Server products.`
Manual move of spring-projects/spring-authorization-server docs Issue gh-17880 2025-09-06 12:09:05 -04:00
Integrate Spring Authorization Server ref docs Issue gh-17880 2025-09-06 13:59:34 -04:00			`[[oauth2AuthorizationServer-use-cases]]`
			`== Use Cases`
Manual move of spring-projects/spring-authorization-server docs Issue gh-17880 2025-09-06 12:09:05 -04:00
Integrate Spring Authorization Server ref docs Issue gh-17880 2025-09-06 13:59:34 -04:00			`The following list provides some use cases for using Spring Security Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.`

			`* Provides full control of configuration and customization when advanced customization scenarios are required.`
			`* Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".`
			`* Potential savings in software licensing and/or hosting costs.`
			`* Quick startup and ease of use during development using the familiar Spring programming model.`

			`[[oauth2AuthorizationServer-feature-list]]`
			`== Feature List`

			`Spring Security Authorization Server supports the following features:`

			`[cols="2a,4a,6a"]`
			`\|===`
			`\|Category \|Feature \|Related specifications`

			`\|xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[Authorization Grant]`
			`\|`
			`* Authorization Code`
			`** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[User Consent]`
			`* Client Credentials`
			`* Refresh Token`
			`* Device Code`
			`** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[User Consent]`
			`* Token Exchange`
			`\|`
			`* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])`
			`** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.1[Authorization Code Grant]`
			`** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.2[Client Credentials Grant]`
			`** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.3[Refresh Token Grant]`
			`* OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])`
			`** https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow]`
			`* OAuth 2.0 Device Authorization Grant`
			`(https://tools.ietf.org/html/rfc8628[spec])`
			`** https://tools.ietf.org/html/rfc8628#section-3[Device Flow]`
			`* OAuth 2.0 Token Exchange (https://datatracker.ietf.org/doc/html/rfc8693[spec])`
			`** https://datatracker.ietf.org/doc/html/rfc8693#section-2[Token Exchange Flow]`

			`\|xref:servlet/oauth2/authorization-server/core-model-components.adoc#oauth2AuthorizationServer-oauth2-token-generator[Token Formats]`
			`\|`
			`* Self-contained (JWT)`
			`* Reference (Opaque)`
			`\|`
			`* JSON Web Token (JWT) (https://tools.ietf.org/html/rfc7519[RFC 7519])`
			`* JSON Web Signature (JWS) (https://tools.ietf.org/html/rfc7515[RFC 7515])`

			`\|Token Types`
			`\|`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint-dpop-bound-access-tokens[DPoP-bound Access Tokens]`
			`\|`
			`* OAuth 2.0 Demonstrating Proof of Possession (DPoP) (https://datatracker.ietf.org/doc/html/rfc9449[RFC 9449])`

			`\|xref:servlet/oauth2/authorization-server/configuration-model.adoc#oauth2AuthorizationServer-configuring-client-authentication[Client Authentication]`
			`\|`
			* `client_secret_basic`
			* `client_secret_post`
			* `client_secret_jwt`
			* `private_key_jwt`
			* `tls_client_auth`
			* `self_signed_tls_client_auth`
			* `none` (public clients)
			`\|`
			`* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-2.4[Client Authentication])`
			`* JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (https://tools.ietf.org/html/rfc7523[RFC 7523])`
			`* OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (https://datatracker.ietf.org/doc/html/rfc8705[RFC 8705])`
			`* Proof Key for Code Exchange by OAuth Public Clients (PKCE) (https://tools.ietf.org/html/rfc7636[RFC 7636])`

			`\|xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc[Protocol Endpoints]`
			`\|`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[OAuth2 Authorization Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-pushed-authorization-request-endpoint[OAuth2 Pushed Authorization Request Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-authorization-endpoint[OAuth2 Device Authorization Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[OAuth2 Device Verification Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[OAuth2 Token Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-introspection-endpoint[OAuth2 Token Introspection Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-revocation-endpoint[OAuth2 Token Revocation Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-server-metadata-endpoint[OAuth2 Authorization Server Metadata Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-jwk-set-endpoint[JWK Set Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-logout-endpoint[OpenID Connect 1.0 Logout Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo Endpoint]`
			`* xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration Endpoint]`
			`\|`
			`* The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])`
			`** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.1[Authorization Endpoint]`
			`** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.2[Token Endpoint]`
			`* OAuth 2.0 Pushed Authorization Requests (https://datatracker.ietf.org/doc/html/rfc9126[RFC 9126])`
			`** https://datatracker.ietf.org/doc/html/rfc9126#section-2[Pushed Authorization Request Endpoint]`
			`* OAuth 2.0 Device Authorization Grant (https://tools.ietf.org/html/rfc8628[RFC 8628])`
			`** https://tools.ietf.org/html/rfc8628#section-3.1[Device Authorization Endpoint]`
			`** https://tools.ietf.org/html/rfc8628#section-3.3[Device Verification Endpoint]`
			`* OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662[RFC 7662])`
			`* OAuth 2.0 Token Revocation (https://tools.ietf.org/html/rfc7009[RFC 7009])`
			`* OAuth 2.0 Authorization Server Metadata (https://tools.ietf.org/html/rfc8414[RFC 8414])`
			`* JSON Web Key (JWK) (https://tools.ietf.org/html/rfc7517[RFC 7517])`
			`* OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html[spec])`
			`** https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Provider Configuration Endpoint]`
			`* OpenID Connect RP-Initiated Logout 1.0 (https://openid.net/specs/openid-connect-rpinitiated-1_0.html[spec])`
			`** https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout[Logout Endpoint]`
			`* OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])`
			`** https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint]`
			`* OpenID Connect Dynamic Client Registration 1.0 (https://openid.net/specs/openid-connect-registration-1_0.html[spec])`
			`** https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration[Client Registration Endpoint]`
			`** https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint[Client Configuration Endpoint]`
			`\|===`