You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/src/docs/asciidoc/configuration-model.adoc
+7-8
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,5 @@
1
1
[[configuration-model]]
2
2
= Configuration Model
3
-
:toc: left
4
-
:toclevels: 1
5
3
6
4
[[default-configuration]]
7
5
== Default configuration
@@ -28,7 +26,7 @@ The OAuth2 authorization server `SecurityFilterChain` `@Bean` is configured with
28
26
The JWK Set endpoint is configured *only* if a `JWKSource<SecurityContext>` `@Bean` is registered.
29
27
30
28
[NOTE]
31
-
The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default.
29
+
The xref:protocol-endpoints.adoc#oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration endpoint] is disabled by default because many deployments do not require dynamic client registration.
32
30
33
31
The following example shows how to use `OAuth2AuthorizationServerConfiguration` to apply the minimal default configuration:
34
32
@@ -108,11 +106,11 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
108
106
return http.build();
109
107
}
110
108
----
111
-
<1> `registeredClientRepository()`: The xref:core-model-components.adoc#registered-client-repository[`RegisteredClientRepository`] to use.
112
-
<2> `authorizationService()`: The xref:core-model-components.adoc#oauth2-authorization-service[`OAuth2AuthorizationService`] to use.
113
-
<3> `authorizationConsentService()`: The xref:core-model-components.adoc#oauth2-authorization-consent-service[`OAuth2AuthorizationConsentService`] to use.
114
-
<4> `providerSettings()`: The <<configuring-provider-settings, `ProviderSettings`>> to use.
115
-
<5> `tokenGenerator()`: The xref:core-model-components.adoc#oauth2-token-generator[`OAuth2TokenGenerator`] to use.
109
+
<1> `registeredClientRepository()`: The xref:core-model-components.adoc#registered-client-repository[`RegisteredClientRepository`] (*REQUIRED*) for managing new and existing clients.
110
+
<2> `authorizationService()`: The xref:core-model-components.adoc#oauth2-authorization-service[`OAuth2AuthorizationService`] for managing new and existing authorizations.
111
+
<3> `authorizationConsentService()`: The xref:core-model-components.adoc#oauth2-authorization-consent-service[`OAuth2AuthorizationConsentService`] for managing new and existing authorization consents.
112
+
<4> `providerSettings()`: The <<configuring-provider-settings, `ProviderSettings`>> (*REQUIRED*) for customizing configuration settings for the OAuth2 authorization server.
113
+
<5> `tokenGenerator()`: The xref:core-model-components.adoc#oauth2-token-generator[`OAuth2TokenGenerator`] for generating tokens supported by the OAuth2 authorization server.
116
114
<6> `clientAuthentication()`: The configurer for <<configuring-client-authentication, OAuth2 Client Authentication>>.
117
115
<7> `authorizationEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-authorization-endpoint[OAuth2 Authorization endpoint].
118
116
<8> `tokenEndpoint()`: The configurer for the xref:protocol-endpoints.adoc#oauth2-token-endpoint[OAuth2 Token endpoint].
@@ -181,6 +179,7 @@ It provides access to the `ProviderSettings` and the "`current`" issuer identifi
181
179
[NOTE]
182
180
If the issuer identifier is not configured in `ProviderSettings.builder().issuer(String)`, it is resolved from the current request.
183
181
182
+
[NOTE]
184
183
The `ProviderContext` is accessible through the `ProviderContextHolder`, which associates it with the current request thread by using a `ThreadLocal`.
@@ -136,6 +133,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
136
133
}
137
134
----
138
135
136
+
[NOTE]
137
+
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
138
+
139
139
[[oauth2-authorization]]
140
140
== OAuth2Authorization
141
141
@@ -144,13 +144,13 @@ An `OAuth2Authorization` is a representation of an OAuth2 authorization, which h
144
144
[TIP]
145
145
The corresponding authorization model in Spring Security's OAuth2 Client support is {spring-security-reference-base-url}/servlet/oauth2/client/core.html#oauth2Client-authorized-client[OAuth2AuthorizedClient].
146
146
147
-
After the successful completion of an authorization grant flow, an `OAuth2Authorization` is created and associates an `OAuth2AccessToken`, an (optional) `OAuth2RefreshToken`, and additional state specific to the executed authorization grant type.
147
+
After the successful completion of an authorization grant flow, an `OAuth2Authorization` is created and associates an {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2AccessToken.html[`OAuth2AccessToken`], an (optional) {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2RefreshToken.html[`OAuth2RefreshToken`], and additional state specific to the executed authorization grant type.
148
148
149
-
The `OAuth2Token` instances associated with an `OAuth2Authorization` vary, depending on the authorization grant type.
149
+
The {spring-security-api-base-url}/org/springframework/security/oauth2/core/OAuth2Token.html[`OAuth2Token`] instances associated with an `OAuth2Authorization` vary, depending on the authorization grant type.
150
150
151
151
For the OAuth2 https://datatracker.ietf.org/doc/html/rfc6749#section-4.1[authorization_code grant], an `OAuth2AuthorizationCode`, an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
152
152
153
-
For the OpenID Connect 1.0 https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[authorization_code grant], an `OAuth2AuthorizationCode`, an `OidcIdToken`, an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
153
+
For the OpenID Connect 1.0 https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[authorization_code grant], an `OAuth2AuthorizationCode`, an {spring-security-api-base-url}/org/springframework/security/oauth2/core/oidc/OidcIdToken.html[`OidcIdToken`], an `OAuth2AccessToken`, and an (optional) `OAuth2RefreshToken` are associated.
154
154
155
155
For the OAuth2 https://datatracker.ietf.org/doc/html/rfc6749#section-4.4[client_credentials grant], only an `OAuth2AccessToken` is associated.
156
156
@@ -226,6 +226,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
226
226
}
227
227
----
228
228
229
+
[NOTE]
230
+
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
231
+
229
232
[[oauth2-authorization-consent]]
230
233
== OAuth2AuthorizationConsent
231
234
@@ -295,6 +298,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
295
298
}
296
299
----
297
300
301
+
[NOTE]
302
+
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
303
+
298
304
[[oauth2-token-context]]
299
305
== OAuth2TokenContext
300
306
@@ -333,7 +339,7 @@ public interface OAuth2TokenContext extends Context {
333
339
<4> `getAuthorization()`: The <<oauth2-authorization, OAuth2Authorization>> associated with the authorization grant.
334
340
<5> `getAuthorizedScopes()`: The scope(s) authorized for the client.
335
341
<6> `getTokenType()`: The `OAuth2TokenType` to generate. The supported values are `code`, `access_token`, `refresh_token`, and `id_token`.
336
-
<7> `getAuthorizationGrantType()`: The `AuthorizationGrantType`.
342
+
<7> `getAuthorizationGrantType()`: The `AuthorizationGrantType` associated with the authorization grant.
337
343
<8> `getAuthorizationGrant()`: The `Authentication` instance used by the `AuthenticationProvider` that processes the authorization grant.
338
344
339
345
[[oauth2-token-generator]]
@@ -363,7 +369,9 @@ The `OAuth2AccessTokenGenerator` generates an "opaque" (`OAuth2TokenFormat.REFER
363
369
364
370
[NOTE]
365
371
The `OAuth2TokenGenerator` is an *OPTIONAL* component and defaults to a `DelegatingOAuth2TokenGenerator` composed of an `OAuth2AccessTokenGenerator` and `OAuth2RefreshTokenGenerator`.
366
-
As well, if a `JwtEncoder` `@Bean` or `JWKSource<SecurityContext>` `@Bean` is registered, then a `JwtGenerator` is additionally composed in the `DelegatingOAuth2TokenGenerator`.
372
+
373
+
[NOTE]
374
+
If a `JwtEncoder` `@Bean` or `JWKSource<SecurityContext>` `@Bean` is registered, then a `JwtGenerator` is additionally composed in the `DelegatingOAuth2TokenGenerator`.
367
375
368
376
The `OAuth2TokenGenerator` provides great flexibility, as it can support any custom token format for `access_token` and `refresh_token`.
369
377
@@ -401,6 +409,9 @@ public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity h
401
409
}
402
410
----
403
411
412
+
[NOTE]
413
+
The `OAuth2AuthorizationServerConfigurer` is useful when applying multiple configuration options simultaneously.
414
+
404
415
[[oauth2-token-customizer]]
405
416
== OAuth2TokenCustomizer
406
417
@@ -435,7 +446,7 @@ public OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer() {
435
446
}
436
447
----
437
448
438
-
[TIP]
449
+
[NOTE]
439
450
If the `OAuth2TokenGenerator` is not provided as a `@Bean` or is not configured through the `OAuth2AuthorizationServerConfigurer`, an `OAuth2TokenCustomizer<OAuth2TokenClaimsContext>` `@Bean` will automatically be configured with an `OAuth2AccessTokenGenerator`.
440
451
441
452
An `OAuth2TokenCustomizer<JwtEncodingContext>` declared with a generic type of `JwtEncodingContext` (`implements OAuth2TokenContext`) provides the ability to customize the headers and claims of a `Jwt`.
@@ -473,5 +484,8 @@ public OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
473
484
}
474
485
----
475
486
476
-
[TIP]
487
+
[NOTE]
477
488
If the `OAuth2TokenGenerator` is not provided as a `@Bean` or is not configured through the `OAuth2AuthorizationServerConfigurer`, an `OAuth2TokenCustomizer<JwtEncodingContext>` `@Bean` will automatically be configured with a `JwtGenerator`.
489
+
490
+
[TIP]
491
+
For an example showing how you can xref:guides/how-to-userinfo.adoc#customize-id-token[customize the ID token], see the guide xref:guides/how-to-userinfo.adoc#how-to-userinfo[How-to: Customize the OpenID Connect 1.0 UserInfo response].
Copy file name to clipboardExpand all lines: docs/src/docs/asciidoc/getting-started.adoc
+1-1
Original file line number
Diff line number
Diff line change
@@ -51,7 +51,7 @@ This is a minimal configuration for getting started quickly. To understand what
51
51
52
52
<1> A Spring Security filter chain for the xref:protocol-endpoints.adoc[Protocol Endpoints].
53
53
<2> A Spring Security filter chain for https://docs.spring.io/spring-security/reference/servlet/authentication/index.html[authentication].
54
-
<3> An instance of `UserDetailsService` for retrieving users to authenticate.
54
+
<3> An instance of {spring-security-api-base-url}/org/springframework/security/core/userdetails/UserDetailsService.html[`UserDetailsService`] for retrieving users to authenticate.
55
55
<4> An instance of xref:core-components.adoc#registered-client-repository[`RegisteredClientRepository`] for managing clients.
56
56
<5> An instance of `com.nimbusds.jose.jwk.source.JWKSource` for signing access tokens.
57
57
<6> An instance of `java.security.KeyPair` with keys generated on startup used to create the `JWKSource` above.
Copy file name to clipboardExpand all lines: docs/src/docs/asciidoc/guides/how-to-jpa.adoc
+21-3
Original file line number
Diff line number
Diff line change
@@ -4,12 +4,14 @@
4
4
:docs-dir: ..
5
5
:examples-dir: ../examples
6
6
7
-
[[getting-started]]
8
-
== Getting Started
9
-
10
7
This guide shows how to implement the xref:{docs-dir}/core-model-components.adoc#core-model-components[core services] of xref:{docs-dir}/index.adoc#top[Spring Authorization Server] with JPA.
11
8
The purpose of this guide is to provide a starting point for implementing these services yourself, with the intention that you can make modifications to suit your needs.
12
9
10
+
* <<define-data-model>>
11
+
* <<create-jpa-entities>>
12
+
* <<create-spring-data-repositories>>
13
+
* <<implement-core-services>>
14
+
13
15
[[define-data-model]]
14
16
== Define the data model
15
17
@@ -20,6 +22,10 @@ NOTE: Except for token, state, metadata, settings, and claims values, we use the
20
22
In reality, the length and even type of columns you use may need to be customized.
21
23
You are encouraged to experiment and test before deploying to production.
22
24
25
+
* <<client-schema>>
26
+
* <<authorization-schema>>
27
+
* <<authorization-consent-schema>>
28
+
23
29
[[client-schema]]
24
30
=== Client Schema
25
31
@@ -69,6 +75,10 @@ The preceding schema examples provide a reference for the structure of the entit
69
75
NOTE: The following entities are minimally annotated and are just examples.
70
76
They allow the schema to be created dynamically and therefore do not require the above sql scripts to be executed manually.
By closely examining the interfaces of each core service and reviewing the `Jdbc` implementations, we can derive a minimal set of queries needed for supporting a JPA version of each interface.
109
119
120
+
* <<client-repository>>
121
+
* <<authorization-repository>>
122
+
* <<authorization-consent-repository>>
123
+
110
124
[[client-repository]]
111
125
=== Client Repository
112
126
@@ -150,6 +164,10 @@ By reviewing the `Jdbc` implementations, we can derive a minimal set of internal
150
164
CAUTION: Keep in mind that writing JSON data to text columns with a fixed length has proven problematic with the `Jdbc` implementations.
151
165
While these examples continue to do so, you may need to split these fields out into a separate table or data store that supports arbitrarily long data values.
Copy file name to clipboardExpand all lines: docs/src/docs/asciidoc/guides/how-to-userinfo.adoc
+10-13
Original file line number
Diff line number
Diff line change
@@ -3,23 +3,21 @@
3
3
:index-link: ../how-to.html
4
4
:docs-dir: ..
5
5
6
-
[[getting-started]]
7
-
== Getting Started
8
-
9
6
This guide shows how to customize the xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[User Info endpoint] of the xref:{docs-dir}/index.adoc#top[Spring Authorization Server].
10
7
The purpose of this guide is to demonstrate how to enable the endpoint and use the available customization options to produce a custom response.
11
8
9
+
* <<enable-user-info>>
10
+
* <<customize-user-info>>
11
+
12
12
[[enable-user-info]]
13
13
== Enable the User Info Endpoint
14
14
15
-
Before customizing the response, you need to enable the User Info endpoint.
16
-
In https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest[Section 5.3.1], the OpenID Connect 1.0 Core specification states:
15
+
The xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo endpoint] is an OAuth2 protected resource, which *REQUIRES* an access token to be sent as a bearer token in the https://openid.net/specs/openid-connect-core-1_0.html#UserInfoRequest[UserInfo request].
17
16
18
17
> The Access Token obtained from an OpenID Connect Authentication Request MUST be sent as a Bearer Token, per Section 2 of https://openid.net/specs/openid-connect-core-1_0.html#RFC6750[OAuth 2.0 Bearer Token Usage] [RFC6750].
19
18
20
-
The User Info endpoint requires an authenticated request using the access token (which is a JWT when using the xref:{docs-dir}/getting-started.adoc#sample.gettingStarted[Getting Started config]).
21
-
22
-
The following listing shows how to configure https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html[Resource Server support] and provide a `JwtDecoder` that can validate the access token to allow authenticated requests to the User Info endpoint.
19
+
Before customizing the response, you need to enable the User Info endpoint.
20
+
The following listing shows how to enable the {spring-security-reference-base-url}/servlet/oauth2/resource-server/jwt.html[OAuth2 resource server configuration].
23
21
24
22
[[sample.userinfo]]
25
23
include::code:EnableUserInfoSecurityConfig[]
@@ -37,14 +35,17 @@ This configuration provides the following:
37
35
38
36
The following sections describe some options for customizing the user info response.
39
37
38
+
* <<customize-id-token>>
39
+
* <<customize-user-info-mapper>>
40
+
40
41
[[customize-id-token]]
41
42
=== Customize the ID Token
42
43
43
44
By default, the user info response is generated by using claims from the `id_token` that are returned with the xref:{docs-dir}/protocol-endpoints.adoc#oauth2-token-endpoint[token response].
44
45
Using the default strategy, https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims[standard claims] are returned only with the user info response based on the https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims[requested scopes] during authorization.
45
46
46
47
The preferred way to customize the user info response is to add standard claims to the `id_token`.
47
-
The following listing shows how add claims to the `id_token`.
48
+
The following listing shows how to add claims to the `id_token`.
48
49
49
50
[[sample.userinfo.idtoken]]
50
51
include::code:IdTokenCustomizerConfig[]
@@ -83,7 +84,3 @@ Similar to the <<customize-id-token,example shown earlier>> where we customize c
83
84
include::code:JwtTokenCustomizerConfig[]
84
85
85
86
Whether you customize the user info response directly or use this example and customize the access token, you can look up information in a database, perform an LDAP query, make a request to another service, or use any other means of obtaining the information you want to be presented in the user info response.
86
-
87
-
== Conclusion
88
-
89
-
In this guide, you have learned how to <<enable-user-info,enable>> the xref:{docs-dir}/protocol-endpoints.adoc#oidc-user-info-endpoint[User Info endpoint] and explored various ways of customizing the response, including <<customize-id-token,customizing the ID token>> while continuing to use the built-in response and <<customize-user-info-mapper,customizing the response directly>> using a custom user info mapper.
Copy file name to clipboardExpand all lines: docs/src/docs/asciidoc/how-to.adoc
+1-12
Original file line number
Diff line number
Diff line change
@@ -2,18 +2,7 @@
2
2
= "How-to" Guides
3
3
4
4
[[how-to-overview]]
5
-
== Overview
5
+
== List of Guides
6
6
7
7
* xref:guides/how-to-userinfo.adoc[Customize the OpenID Connect 1.0 UserInfo response]
8
8
* xref:guides/how-to-jpa.adoc[Implement core services with JPA]
9
-
10
-
[[how-to-coming-soon]]
11
-
== Coming Soon
12
-
13
-
* Authenticate using social login, e.g. Google (https://github.com/spring-projects/spring-authorization-server/issues/538[#538])
14
-
* Authenticate a user in a Single Page Application with PKCE (https://github.com/spring-projects/spring-authorization-server/issues/539[#539])
15
-
* Deny access for a revoked JWT access token (https://github.com/spring-projects/spring-authorization-server/issues/543[#543])
16
-
* Provide a JWK source backed by a key rotation strategy (https://github.com/spring-projects/spring-authorization-server/issues/544[#544])
17
-
* Customize form based login (https://github.com/spring-projects/spring-authorization-server/issues/533[#533])
18
-
* Add a custom grant type (https://github.com/spring-projects/spring-authorization-server/issues/686[#686])
19
-
* Authenticate a user with two-factor authentication (https://github.com/spring-projects/spring-authorization-server/issues/534[#534])
0 commit comments