Deep Dive into Spring Authorization Server: Configuring OAuth2 Filters

This article explains the modular configuration of Spring Security's OAuth2 components, showcases the core config classes for client, resource, and authorization servers, and details the default filter chain and customizable filter configurers used by Spring Authorization Server.

Programmer DD

We previously explored Spring Authorization Server and many readers want a deeper understanding, so this article examines the configuration and OAuth2.0 authorization server filters, providing insight into the overall architecture.

Modular configuration of Spring Security

Before proceeding, recall that the OAuth2.0 Client, Resource Server, and Authorization Server have been modularized within Spring Security. They achieve flexible modularity by sharing several common characteristics.

The core configuration class for the OAuth2.0 Client is:

public final class OAuth2ClientConfigurer<B extends HttpSecurityBuilder<B>> extends AbstractHttpConfigurer<OAuth2ClientConfigurer<B>, B> {
    // ...
}

The core configuration class for the OAuth2.0 Resource Server is:

public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<H>, H> {
    // ...
}

The core configuration class for the OAuth2.0 Authorization Server is:

public final class OAuth2AuthorizationServerConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractHttpConfigurer<OAuth2AuthorizationServerConfigurer<H>, H> {
    // ...
}

All three configurer classes extend AbstractHttpConfigurer<T, B> and are ultimately loaded into Spring Security via HttpSecurity.apply(C configurer).

What inspiration does this mechanism give you? Can you implement custom functional configurations?
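To answer that question concretely, here is an added example (my own code, not from the article or the Spring Security project) of a custom configurer built on the same AbstractHttpConfigurer mechanism. It adds an audit filter in front of the three endpoints the article lists for OAuth2ClientAuthenticationFilter and records only the public client_id and the request origin, never the client secret. The class name, the filter name and the fluent endpoints(...) setter are my own inventions; AbstractHttpConfigurer, HttpSecurityBuilder.addFilterBefore, postProcess, OncePerRequestFilter and the request matchers are the real Spring Security 5.x APIs.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical configurer (not part of Spring Security): same shape as the
// OAuth2*Configurer classes shown in the article, applied via http.apply(...).
public final class OAuth2EndpointAuditConfigurer<B extends HttpSecurityBuilder<B>>
        extends AbstractHttpConfigurer<OAuth2EndpointAuditConfigurer<B>, B> {

    // Defaults: the endpoints guarded by OAuth2ClientAuthenticationFilter.
    private List<String> endpoints = Arrays.asList("/oauth2/token", "/oauth2/introspect", "/oauth2/revoke");

    // Fluent setter in the style of the framework's own configurers.
    public OAuth2EndpointAuditConfigurer<B> endpoints(String... patterns) {
        this.endpoints = Arrays.asList(patterns);
        return this;
    }

    @Override
    public void configure(B http) {
        List<RequestMatcher> matchers = new ArrayList<>();
        for (String pattern : this.endpoints) {
            // Client authentication on these endpoints is always a POST.
            matchers.add(new AntPathRequestMatcher(pattern, "POST"));
        }
        OAuth2EndpointAuditFilter filter = new OAuth2EndpointAuditFilter(new OrRequestMatcher(matchers));
        // postProcess() lets the container apply bean post-processors to the filter;
        // placing it before BasicAuthenticationFilter puts it ahead of client authentication.
        http.addFilterBefore(postProcess(filter), BasicAuthenticationFilter.class);
    }

    static final class OAuth2EndpointAuditFilter extends OncePerRequestFilter {

        private static final Logger log = LoggerFactory.getLogger(OAuth2EndpointAuditFilter.class);
        private final RequestMatcher matcher;

        OAuth2EndpointAuditFilter(RequestMatcher matcher) {
            this.matcher = matcher;
        }

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
                throws ServletException, IOException {
            if (this.matcher.matches(request)) {
                // Record the public identifier and origin only. The client_id form parameter is
                // absent when the client authenticates with HTTP Basic, so just note that a
                // credential header was present; never log the secret or any token value.
                String clientId = request.getParameter("client_id");
                log.info("oauth2 endpoint={} client_id={} authorization_header={} remote={}",
                        request.getRequestURI(),
                        clientId != null ? clientId : "(not in form body)",
                        request.getHeader("Authorization") != null ? "present" : "absent",
                        request.getRemoteAddr());
            }
            chain.doFilter(request, response);
        }
    }
}

// Usage inside a SecurityFilterChain bean, exactly like the built-in configurers:
//     http.apply(new OAuth2EndpointAuditConfigurer<HttpSecurity>());
```

The point of the pattern is that configure(B http) receives the same builder the OAuth2 configurers receive, so anything they can do (add filters, register matchers, post-process beans) a custom configurer can do too.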

Filters of Spring Authorization Server

Based on version 0.2.0.

In the demo, Spring Authorization Server introduces the default authorization server functionality with the following bean:

@Bean
@Order(Ordered.HIGHEST_PRECEDENCE)
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
    // Authorization Server default configuration
    OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);
    return http.formLogin(Customizer.withDefaults()).build();
}

This creates an independent SecurityFilterChain that loads the authorization server configuration. It is independent because HttpSecurity is a prototype-scoped bean in the Spring IoC container, so this chain gets its own instance, and only the requests it matches are processed by it.

OAuth2AuthorizationServerConfigurer

This class configures the SecurityFilterChain for Spring Authorization Server, handling the initialization of all related filters. Four Configurer classes expose customization points for the filters they own:

OAuth2ClientAuthenticationConfigurer

Configures the OAuth2ClientAuthenticationFilter, which processes OAuth2.0 client authentication requests and looks up client registration information via OAuth2ClientAuthenticationToken. It intercepts the following endpoints:

- /oauth2/token – token endpoint
- /oauth2/introspect – token introspection endpoint
- /oauth2/revoke – token revocation endpoint

OAuth2AuthorizationEndpointConfigurer

Configures the OAuth2AuthorizationEndpointFilter, which handles the OAuth 2.0 Authorization Code Grant request at /oauth2/authorize and includes user consent logic.

OAuth2TokenEndpointConfigurer

Configures the OAuth2TokenEndpointFilter, which processes requests to /oauth2/token and manages the lifecycle of OAuth2.0 tokens.

OidcConfigurer

Provides support for the OpenID Connect (OIDC) protocol with two filters:

- OidcClientRegistrationEndpointFilter – handles /connect/register for dynamic client registration
- OidcProviderConfigurationEndpointFilter – serves OIDC provider metadata at /.well-known/openid-configuration
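The following is an added example (my own code, not the article's demo and not code from the Spring Authorization Server project) that ties the two previous points together: it builds the independent authorization server SecurityFilterChain by applying OAuth2AuthorizationServerConfigurer directly instead of through applyDefaultSecurity, customizes one of the four sub-configurers (the authorization endpoint's consent page), and places form login in a second, lower-precedence chain. The import path and the authorizationEndpoint(...).consentPage(...) hook are assumed to match the 0.2.x API as used in the project's samples; getEndpointsMatcher() is what applyDefaultSecurity itself uses to scope the chain.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
// Package location assumed for the 0.2.x line of the project.
import org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestMatcher;

@Configuration
public class AuthorizationServerChains {

    // Chain 1: only requests matched by the authorization server endpoints enter it.
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer<HttpSecurity> authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer<>();

        // Customize one of the four sub-configurers (OAuth2AuthorizationEndpointConfigurer):
        // route user consent to an application-owned page. consentPage(...) is assumed to
        // exist as in the project's custom-consent sample.
        authorizationServerConfigurer
                .authorizationEndpoint(authorizationEndpoint -> authorizationEndpoint.consentPage("/oauth2/consent"));

        // Matches /oauth2/authorize, /oauth2/token, /oauth2/introspect, /oauth2/revoke,
        // /oauth2/jwks, /connect/register and the two /.well-known/ metadata endpoints.
        RequestMatcher endpointsMatcher = authorizationServerConfigurer.getEndpointsMatcher();

        http
            .requestMatcher(endpointsMatcher)
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            // The protocol endpoints are called by OAuth2 clients, not by browser forms,
            // so the CSRF token check does not apply to them.
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            // An unauthenticated browser arriving at /oauth2/authorize is redirected to
            // the login page, which is served by chain 2 below.
            .exceptionHandling(exceptions ->
                    exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login")))
            .apply(authorizationServerConfigurer);

        return http.build();
    }

    // Chain 2: everything else (login page, consent page, application pages).
    // No @Order, so it sits after chain 1 and never sees the protocol endpoints.
    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

Each @Bean method receives its own prototype HttpSecurity, which is what makes the two chains independent; the first chain's requestMatcher is the only thing deciding which requests it handles, so keeping it at highest precedence matters.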

Other filters

Beyond the configurable filters above, there are additional filters that cannot currently be customized:

- OAuth2TokenIntrospectionEndpointFilter – handles token introspection at /oauth2/introspect
- OAuth2TokenRevocationEndpointFilter – handles token revocation
- NimbusJwkSetEndpointFilter – serves the JWK set at /oauth2/jwks
- OAuth2AuthorizationServerMetadataEndpointFilter – provides OAuth2.0 authorization server metadata at /.well-known/oauth-authorization-server

You can test the last one via http://localhost:9000/.well-known/oauth-authorization-server.

Summary

The above covers all server endpoints involved in Spring Authorization Server. Using the demo from the previous article, you can explore the filter logic of each endpoint. Currently there is no UserInfo endpoint; according to the Spring Authorization Server roadmap, it will be supported in the next version.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
