Mastering JWT Bearer Grant in Spring Security 5.5 for OAuth2.0

Spring Security 5.5 introduces the JWT Bearer grant, an OAuth2.0 authorization mode defined in RFC7523, allowing clients to obtain access tokens using trusted JWTs and also to authenticate themselves, offering a streamlined alternative to traditional user‑approval flows.


Today Spring Security 5.5 was released, adding support for OAuth2.0 and SAML2.0. The biggest highlight is the new OAuth2.0 authorization mode jwt-bearer, defined in RFC7523 (May 2015) and now implemented in Spring Security.

JWT Bearer Authorization Mode

OAuth2.0 defines four standard grant types:

Authorization Code Grant: grant_type=authorization_code
Implicit Grant: response_type=token
Password Grant: grant_type=password
Client Credentials Grant: grant_type=client_credentials

All these modes use a Bearer Token, and sometimes the token itself can be a JWT.

JWT Bearer Grant

The request must include grant_type set to urn:ietf:params:oauth:grant-type:jwt-bearer and an assertion containing a JWT. Optionally a scope can be sent.

grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Example request:

POST /token/oauth2 HTTP/1.1
Host: felord.cn
Content-Type: application/x-www-form-urlencoded

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

In this flow the client must already possess a JWT that the authorization server trusts; after validating the JWT the server issues an access token.

Client Authentication

RFC7523 also allows JWT Bearer for client authentication. The client sends client_assertion_type set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer and a client_assertion containing a JWT.

client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer

Example request:

POST /token/oauth2 HTTP/1.1
Host: felord.cn
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=...&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Use Cases

This grant is useful when a client wants to obtain an access token based on an existing trusted JWT relationship without requiring explicit user approval at the authorization server.

It can also be used as a separate client authentication mechanism, where the JWT proves the client’s identity.

It also makes it convenient to adopt OAuth2.0 on top of an existing JWT ecosystem.
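As an added example (not from the article or from Spring Security itself), the following Python sketch covers both exchanges described above: it builds the form body for the jwt-bearer grant and the body for an authorization_code exchange authenticated with a client_assertion, and it runs the checks an authorization server must perform on such an assertion before trusting it (pinned algorithm, signature, trusted issuer, audience equal to the token endpoint, expiry). HS256 with a constructed shared key stands in for the RS256 signature of the article's sample tokens so the code runs without extra libraries; the token endpoint URL is assembled from the article's example requests.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
JWT_BEARER_CLIENT_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TOKEN_ENDPOINT = "https://felord.cn/token/oauth2"  # host and path taken from the article's sample requests

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(claims: dict, key: bytes) -> str:
    """Mint a compact JWS; HS256 with a constructed shared key stands in for the article's RS256 tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_bearer_body(assertion: str, scope: str = "") -> str:
    """Form body for the grant: grant_type + assertion, plus scope only when requested."""
    params = {"grant_type": JWT_BEARER_GRANT, "assertion": assertion}
    if scope:
        params["scope"] = scope
    return urlencode(params)

def client_auth_body(code: str, client_assertion: str) -> str:
    # authorization_code exchange where the client proves its identity with a JWT instead of a secret
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_assertion_type": JWT_BEARER_CLIENT_ASSERTION,
                      "client_assertion": client_assertion})

def verify_assertion(assertion: str, key: bytes, trusted_issuers: set, now: float = None) -> dict:
    """Checks the authorization server runs before honouring either kind of assertion (RFC 7523 section 3)."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = assertion.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":  # pin alg; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") not in trusted_issuers:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud must name this token endpoint")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired or missing exp")
    return claims
```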

Conclusion

The article introduced the JWT Bearer grant defined in RFC7523 and its implementation in Spring Security 5.5. Although still emerging, it is gaining attention in the community and worth monitoring.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
