Master Spring Authorization Server: Build a Production-Ready OAuth2 Flow

This guide walks you through replacing Spring Security OAuth2.0 with the production-ready Spring Authorization Server, showing how to add OAuth2 client, resource server, and authorization server dependencies, and demonstrating a complete authorization‑code flow demo with detailed request/response examples and configuration snippets.

Programmer DD

On November 8, Spring officially recommended replacing the deprecated Spring Security OAuth2.0 with Spring Authorization Server; support for the deprecated project ends in about six months. The new server is now production-ready, and it is time to learn it.

Current Spring Security Architecture

Spring Security 5.x modularizes OAuth2.0 Client and OAuth2.0 Resource Server. The core spring-boot-starter-security dependency is required first:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

To add OAuth2.0 Client support:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

To add OAuth2.0 Resource Server support:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

To add OAuth2.0 Authorization Server support:

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <!-- current version -->
    <version>0.2.0</version>
</dependency>

With these dependencies, the three OAuth2.0 modules are ready.

Spring Authorization Server

The project is production‑ready. A simple demo was built to help learners understand the framework.

Demo Overview

The demo showcases the OAuth2.0 authorization_code grant type using two projects:

oauth2-client: acts as the OAuth2.0 client and initiates authorization requests.

oauth2-server: built with Spring Authorization Server, provides the authorization service.

The client starts the flow by calling the endpoint /oauth2/authorization/{registrationId}:

GET /oauth2/authorization/felord HTTP/1.1
Host: 127.0.0.1:8080

The OAuth2AuthorizationRequestRedirectFilter intercepts this request and redirects the user to the server:

GET /oauth2/authorize?response_type=code&client_id=felord-client&scope=message.read%20message.write&state=...&redirect_uri=http://127.0.0.1:8080/foo/bar HTTP/1.1
Host: localhost:9000

If the user is not logged in, the server returns a 401 and shows the login page. After submitting credentials:

POST /login HTTP/1.1
Host: localhost:9000
Content-Type: application/x-www-form-urlencoded

username=felord&password=password&_csrf=...

Successful login triggers a 302 redirect back to /oauth2/authorize. Because the demo requires user consent, the server displays a confirmation page. [Image from the original article: consent confirmation page]

After the user approves, the server redirects to the client with code and state parameters:

GET /foo/bar?code=...&state=... HTTP/1.1
Host: 127.0.0.1:8080

The client’s OAuth2AuthorizationCodeGrantFilter exchanges the code for a token:

POST /oauth2/token?grant_type=authorization_code&code=...&redirect_uri=https://127.0.0.1:8080/foo/bar HTTP/1.1
Host: localhost:9000
Authorization: Basic bWVzc2FnaW5nLWNsaWVudDpzZWNyZXQ=

The client authentication method used here is client-authentication-method: client_secret_basic.

The token is returned to the client. [Image from the original article: client authentication details]

Thus, the complete OAuth2.0 authorization‑code flow using Spring Authorization Server is demonstrated.
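As an added example (not code from the original article or its demo projects), the following server-side bean registers a client whose settings produce exactly the flow shown above: the client_id, scopes, redirect_uri, consent page and client_secret_basic method all match the requests listed. It is written against the Spring Authorization Server 0.2.0 API declared in the dependency block; the class name, the "{noop}secret" value and the five-minute token lifetime are assumptions for the demo.

```java
import java.time.Duration;
import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;
import org.springframework.security.oauth2.server.authorization.config.ProviderSettings;
import org.springframework.security.oauth2.server.authorization.config.TokenSettings;

@Configuration
public class AuthorizationServerClientConfig {

    // Registers the single client used by the demo flow. Each value below is the one
    // visible in the requests above; the secret is a placeholder chosen for this example.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient felordClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("felord-client")
                // "{noop}" keeps the secret in clear text, acceptable for a local demo only;
                // a deployed server stores an encoded secret such as "{bcrypt}$2a$...".
                .clientSecret("{noop}secret")
                // Matches the Authorization: Basic header the client sends to /oauth2/token.
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                // The server compares the redirect_uri parameter against this list exactly;
                // a different scheme, host or path is rejected before any code is issued.
                .redirectUri("http://127.0.0.1:8080/foo/bar")
                .scope("message.read")
                .scope("message.write")
                // Forces the consent page that appears after login in the flow above.
                .clientSettings(ClientSettings.builder().requireAuthorizationConsent(true).build())
                // Short-lived access tokens limit the window in which a leaked token is usable.
                .tokenSettings(TokenSettings.builder().accessTokenTimeToLive(Duration.ofMinutes(5)).build())
                .build();
        return new InMemoryRegisteredClientRepository(felordClient);
    }

    // The issuer is the base URL the browser was redirected to (Host: localhost:9000).
    @Bean
    public ProviderSettings providerSettings() {
        return ProviderSettings.builder().issuer("http://localhost:9000").build();
    }
}
```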
