This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.3!

Getting Started

If you are just getting started with Spring Security Authorization Server, the following sections walk you through creating your first application.

System Requirements

Spring Security Authorization Server requires a Java 17 or higher Runtime Environment.

Installing Spring Security Authorization Server

The easiest way to begin using Spring Security Authorization Server is by creating a Spring Boot-based application. You can use start.spring.io to generate a basic project or use the default authorization server sample as a guide. Then add Spring Boot’s starter for Spring Security Authorization Server as a dependency:

Maven
Gradle

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-authorization-server</artifactId>
</dependency>

implementation "org.springframework.boot:spring-boot-starter-oauth2-authorization-server"

See Installing Spring Boot for more information on using Spring Boot with Maven or Gradle.

Alternatively, you can add Spring Security Authorization Server without Spring Boot using the following example:

Maven
Gradle

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>7.0.0-SNAPSHOT</version>
</dependency>

implementation "org.springframework.security:spring-security-oauth2-authorization-server:7.0.0-SNAPSHOT"

Developing Your First Application

To get started, you need the minimum required components defined as a @Bean. When using the spring-boot-starter-oauth2-authorization-server dependency, define the following properties and Spring Boot will provide the necessary @Bean definitions for you:

application.yml

server:
  port: 9000

logging:
  level:
    org.springframework.security: trace

spring:
  security:
    user:
      name: user
      password: password
    oauth2:
      authorizationserver:
        client:
          oidc-client:
            registration:
              client-id: "oidc-client"
              client-secret: "{noop}secret"
              client-authentication-methods:
                - "client_secret_basic"
              authorization-grant-types:
                - "authorization_code"
                - "refresh_token"
              redirect-uris:
                - "http://127.0.0.1:8080/login/oauth2/code/oidc-client"
              post-logout-redirect-uris:
                - "http://127.0.0.1:8080/"
              scopes:
                - "openid"
                - "profile"
            require-authorization-consent: true

Beyond the Getting Started experience, most users will want to customize the default configuration. The next section demonstrates providing all of the necessary beans yourself.

Defining Required Components

If you want to customize the default configuration (regardless of whether you’re using Spring Boot), you can define the minimum required components as a @Bean in a Spring @Configuration.

These components can be defined as follows:

SecurityConfig.java

@Configuration
@EnableWebSecurity
public class SecurityConfig {

	@Bean (1)
	@Order(1)
	public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http)
			throws Exception {

		http
			.oauth2AuthorizationServer((authorizationServer) ->
				authorizationServer
					.oidc(Customizer.withDefaults())	// Enable OpenID Connect 1.0
			)
			.authorizeHttpRequests((authorize) ->
				authorize
					.anyRequest().authenticated()
			)
			// Redirect to the login page when not authenticated from the
			// authorization endpoint
			.exceptionHandling((exceptions) -> exceptions
				.defaultAuthenticationEntryPointFor(
					new LoginUrlAuthenticationEntryPoint("/login"),
					new MediaTypeRequestMatcher(MediaType.TEXT_HTML)
				)
			);

		return http.build();
	}

	@Bean (2)
	@Order(2)
	public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http)
			throws Exception {
		http
			.authorizeHttpRequests((authorize) -> authorize
				.anyRequest().authenticated()
			)
			// Form login handles the redirect to the login page from the
			// authorization server filter chain
			.formLogin(Customizer.withDefaults());

		return http.build();
	}

	@Bean (3)
	public UserDetailsService userDetailsService() {
		UserDetails userDetails = User.withDefaultPasswordEncoder()
				.username("user")
				.password("password")
				.roles("USER")
				.build();

		return new InMemoryUserDetailsManager(userDetails);
	}

	@Bean (4)
	public RegisteredClientRepository registeredClientRepository() {
		RegisteredClient oidcClient = RegisteredClient.withId(UUID.randomUUID().toString())
				.clientId("oidc-client")
				.clientSecret("{noop}secret")
				.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
				.authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
				.authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
				.redirectUri("http://127.0.0.1:8080/login/oauth2/code/oidc-client")
				.postLogoutRedirectUri("http://127.0.0.1:8080/")
				.scope(OidcScopes.OPENID)
				.scope(OidcScopes.PROFILE)
				.clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
				.build();

		return new InMemoryRegisteredClientRepository(oidcClient);
	}

	@Bean (5)
	public JWKSource<SecurityContext> jwkSource() {
		KeyPair keyPair = generateRsaKey();
		RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
		RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
		RSAKey rsaKey = new RSAKey.Builder(publicKey)
				.privateKey(privateKey)
				.keyID(UUID.randomUUID().toString())
				.build();
		JWKSet jwkSet = new JWKSet(rsaKey);
		return new ImmutableJWKSet<>(jwkSet);
	}

	private static KeyPair generateRsaKey() { (6)
		KeyPair keyPair;
		try {
			KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
			keyPairGenerator.initialize(2048);
			keyPair = keyPairGenerator.generateKeyPair();
		}
		catch (Exception ex) {
			throw new IllegalStateException(ex);
		}
		return keyPair;
	}

	@Bean (7)
	public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
		return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
	}

	@Bean (8)
	public AuthorizationServerSettings authorizationServerSettings() {
		return AuthorizationServerSettings.builder().build();
	}

}

This is a minimal configuration for getting started quickly. To understand what each component is used for, see the following descriptions:

1	A Spring Security filter chain for the Protocol Endpoints.
2	A Spring Security filter chain for authentication.
3	An instance of `UserDetailsService` for retrieving users to authenticate.
4	An instance of `RegisteredClientRepository` for managing clients.
5	An instance of `com.nimbusds.jose.jwk.source.JWKSource` for signing access tokens.
6	An instance of `java.security.KeyPair` with keys generated on startup used to create the `JWKSource` above.
7	An instance of `JwtDecoder` for decoding signed access tokens.
8	An instance of `AuthorizationServerSettings` to configure Spring Security Authorization Server.