Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2026-02-08 22:44:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Document ClientSettings

Browse Source 
Added documentation to describe the possible client configuration options when setting up an Oauth2 Authorization Server.

Closes gh-18614

Signed-off-by: Elayne Bloom <5840349+bloomsei@users.noreply.github.com>
This commit is contained in:
Elayne Bloom 2026-01-28 17:01:45 +01:00 committed by Joe Grandja
parent 001d9df5ca
commit a2d407518c
1 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
docs/modules/ROOT/pages/servlet/oauth2/authorization-server/core-model-components.adoc
View File

@ -92,6 +92,41 @@ public class RegisteredClient implements Serializable {
<12> `clientSettings`: The custom settings for the client for example, require https://datatracker.ietf.org/doc/html/rfc7636[PKCE], require authorization consent, and others.
<13> `tokenSettings`: The custom settings for the OAuth2 tokens issued to the client for example, access/refresh token time-to-live, reuse refresh tokens, and others.
[[oauth2AuthorizationServer-client-settings]]
== ClientSettings
`ClientSettings` contains configuration for the `RegisteredClient`. The following example shows the available settings:
[source,java]
----
public final class ClientSettings extends AbstractSettings {
...
public static Builder builder() {
return new Builder()
.requireProofKey(true) <1>
.requireAuthorizationConsent(false) <2>
.jwkSetUrl("https://client.example.com/jwks") <3>
.tokenEndpointAuthenticationSigningAlgorithm(MacAlgorithm.HS256) <4>
.x509CertificateSubjectDN("CN=demo-client-sample, OU=Spring Samples, O=Spring, C=US"); <5>
}
...
}
----
<1> `requireProofKey`: If `true`, the client is required to provide a proof key challenge and verifier when performing the Authorization Code Grant flow (PKCE). The default is `true`.
<2> `requireAuthorizationConsent`: If `true`, authorization consent is required when the client requests access. The default is `false`.
<3> `jwkSetUrl`: Sets the the URL for the client's JSON Web Key Set. Used for `client_secret_jwt` and `private_key_jwt` client authentication methods, as well as for Self-Signed Certificate Mutual-TLS.
<4> `tokenEndpointAuthenticationSigningAlgorithm`: The `JwsAlgorithm` that must be used for signing the JWT used to authenticate the client at the Token Endpoint for `private_key_jwt` and `client_secret_jwt` authentication methods.
<5> `x509CertificateSubjectDN`: The expected subject distinguished name in the client X509Certificate received during client authentication when using the `tls_client_auth` method.
[NOTE]
====
https://datatracker.ietf.org/doc/html/rfc7636[Proof Key for Code Exchange (PKCE)] is enabled by default for all clients using the Authorization Code grant. To disable PKCE, set `requireProofKey` to `false`
====
[[oauth2AuthorizationServer-registered-client-repository]]
== RegisteredClientRepository