What’s New in Spring Authorization Server 0.2.3? Explore Key Features and Code
Spring Authorization Server 0.2.3 introduces default client settings for public clients, splits OAuth2 client authentication providers, optimizes the in‑memory authorization service, adds federated‑identity demos, unifies token generation via OAuth2TokenGenerator, and upgrades core dependencies, with code examples illustrating each enhancement.
Features in version 0.2.3
This release adds many new features.
Default settings for public clients
According to RFC 6749, a client that uses the authorization_code grant with the client authentication method none is a public client; any other client is confidential. Version 0.2.3 now supplies a default ClientSettings for public clients:
if (this.clientSettings == null) {
    ClientSettings.Builder builder = ClientSettings.builder();
    if (isPublicClientType()) {
        // @formatter:off
        builder
                .requireProofKey(true)
                .requireAuthorizationConsent(true);
        // @formatter:on
    }
    this.clientSettings = builder.build();
}
Public clients must therefore use PKCE with the authorization_code flow, and by the same default they also require authorization consent.
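The following is an added example (not code from the post or from Spring Authorization Server) that registers one public client and one confidential client without calling clientSettings() and then reads back the settings 0.2.3 fills in. The client ids, redirect URIs and the "{noop}" secret are constructed values; the ClientSettings package is assumed to be the 0.2.x location (org.springframework.security.oauth2.server.authorization.config).

```java
import java.util.UUID;

import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.ClientSettings;

public class PublicClientDefaultsExample {

    // A browser-based SPA (constructed example): it cannot keep a secret, so its
    // client authentication method is "none", which makes it a public client.
    // No clientSettings() call: 0.2.3 applies the public-client defaults itself.
    static RegisteredClient spaClient() {
        return RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("spa-client")
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:3000/callback")
                .scope("message.read")
                .build();
    }

    // A server-side web app (constructed example) with a secret: confidential,
    // so the defaults stay false and PKCE/consent must be opted into explicitly.
    static RegisteredClient webClient() {
        return RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("web-client")
                .clientSecret("{noop}change-me")
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/web-client")
                .scope("message.read")
                .build();
    }

    // Defensive check you can run at startup: refuse to boot if any public client
    // has somehow been registered without PKCE enforcement.
    static void assertPublicClientsRequirePkce(RegisteredClient... clients) {
        for (RegisteredClient client : clients) {
            boolean isPublic = client.getClientAuthenticationMethods()
                    .contains(ClientAuthenticationMethod.NONE);
            if (isPublic && !client.getClientSettings().isRequireProofKey()) {
                throw new IllegalStateException(
                        "public client " + client.getClientId() + " does not require PKCE");
            }
        }
    }

    public static void main(String[] args) {
        RegisteredClient spa = spaClient();
        RegisteredClient web = webClient();

        ClientSettings spaSettings = spa.getClientSettings();
        System.out.println("spa-client requireProofKey = " + spaSettings.isRequireProofKey());
        System.out.println("spa-client requireAuthorizationConsent = "
                + spaSettings.isRequireAuthorizationConsent());

        ClientSettings webSettings = web.getClientSettings();
        System.out.println("web-client requireProofKey = " + webSettings.isRequireProofKey());

        assertPublicClientsRequirePkce(spa, web);

        // The repository you would hand to the authorization server configuration.
        RegisteredClientRepository repository = new InMemoryRegisteredClientRepository(spa, web);
        System.out.println("registered: " + repository.findByClientId("spa-client").getClientId());
    }
}
```

The startup check is independent of the defaults: if a later refactor adds an explicit clientSettings(ClientSettings.builder().build()) to a public client, that call overrides the 0.2.3 defaults and the check catches the regression before the server accepts a code exchange without a code_verifier.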
OAuth2ClientAuthenticationProvider split
Spring Authorization Server now supports the following client authentication methods:
client_secret_basic
client_secret_post
client_secret_jwt
private_key_jwt
none
Previously a single OAuth2ClientAuthenticationProvider handled all of these; the responsibilities are now separated into dedicated providers.
JwtClientAssertionAuthenticationProvider
Handles private_key_jwt and client_secret_jwt. A complete demo is available.
ClientSecretAuthenticationProvider
Handles the default client_secret_basic and client_secret_post methods.
PublicClientAuthenticationProvider
Processes authentication for public clients.
InMemoryOAuth2AuthorizationService optimization
Introduces an eviction policy for incomplete OAuth2Authorization entries; when more than 100 entries are stored, the oldest are removed.
Federated Identity demo added
The Federated Identity Pattern allows multiple IDPs to be managed under Spring Authorization Server, centralizing authentication and authorization.
OAuth2TokenGenerator
Version 0.2.3 abstracts token generation with the OAuth2TokenGenerator interface.
@FunctionalInterface
public interface OAuth2TokenGenerator<T extends OAuth2Token> {
    @Nullable
    T generate(OAuth2TokenContext context);
}
Authorization code token generation
Authorization code generation now uses an OAuth2TokenGenerator implementation called OAuth2AuthorizationCodeGenerator.
Refresh token generation
Refresh token generation also uses OAuth2TokenGenerator.
JWT generation
JWT generation is handled by the JwtGenerator implementation of OAuth2TokenGenerator.
Support for opaque tokens
You can provide a custom OAuth2TokenGenerator bean to implement opaque token generation.
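As an added example (not code from the post or from the project), the block below implements the opaque-token case described above: a custom OAuth2TokenGenerator that issues random bearer access tokens and returns null for every other token type, composed with the generators the text names so that codes and refresh tokens keep their built-in generation. Assumptions: the 0.2.3 package locations (org.springframework.security.oauth2.server.authorization.token for the generators, ...authorization.OAuth2TokenType for the type constants), that DelegatingOAuth2TokenGenerator is available in this release, and that the authorization server picks the generator up as a bean as the text states; the class names OpaqueAccessTokenGenerator and TokenGeneratorConfig are hypothetical.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.JwtGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2AuthorizationCodeGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2RefreshTokenGenerator;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenGenerator;

/**
 * Hypothetical generator: issues opaque (random, non-JWT) access tokens.
 * Nothing about the user, client or scopes is encoded in the value; the server
 * must look the token up (e.g. via introspection) to learn anything about it.
 */
public class OpaqueAccessTokenGenerator implements OAuth2TokenGenerator<OAuth2AccessToken> {

    private static final int TOKEN_BYTES = 32; // 256 bits from a CSPRNG

    private final SecureRandom random = new SecureRandom();

    @Override
    public OAuth2AccessToken generate(OAuth2TokenContext context) {
        // Only access tokens are ours; returning null lets a delegating
        // generator pass codes, refresh tokens and JWTs to the next generator.
        if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
            return null;
        }

        byte[] bytes = new byte[TOKEN_BYTES];
        random.nextBytes(bytes);
        // URL-safe, unpadded so the value is safe in headers and form bodies.
        String tokenValue = Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);

        Instant issuedAt = Instant.now();
        // Honour the per-client lifetime instead of hard-coding one.
        Instant expiresAt = issuedAt.plus(
                context.getRegisteredClient().getTokenSettings().getAccessTokenTimeToLive());

        return new OAuth2AccessToken(OAuth2AccessToken.TokenType.BEARER,
                tokenValue, issuedAt, expiresAt, context.getAuthorizedScopes());
    }
}

@Configuration
class TokenGeneratorConfig {

    // Order matters: the delegating generator returns the first non-null result,
    // so the opaque generator must sit before JwtGenerator to win for access tokens.
    // JwtGenerator stays in the chain for any token type that should remain a JWT.
    @Bean
    OAuth2TokenGenerator<? extends OAuth2Token> tokenGenerator(JwtEncoder jwtEncoder) {
        return new DelegatingOAuth2TokenGenerator(
                new OAuth2AuthorizationCodeGenerator(),
                new OpaqueAccessTokenGenerator(),
                new OAuth2RefreshTokenGenerator(),
                new JwtGenerator(jwtEncoder));
    }
}
```

Because an opaque token carries no claims, resource servers cannot validate it locally; they must call the introspection endpoint (configured through OAuth2TokenIntrospectionEndpointConfigurer in this release), which is also what makes revocation take effect immediately rather than at JWT expiry.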
Customizable token introspection filter configuration
Before 0.2.3, token introspection configuration was handled by OAuth2AuthorizationServerConfigurer. It has been moved to a dedicated OAuth2TokenIntrospectionEndpointConfigurer class.
Dependency upgrades
Reactor 2020.0.16
Spring Security 5.5.5
Spring Framework 5.3.16
Spring Boot 2.5.10
胖哥 also continues to upgrade dependencies gradually.
Reference links:
[1] My column: https://blog.csdn.net/qq_35067322/category_11691173.html
[2] Demo: https://gitee.com/felord/spring-security-oauth2-tutorial
[3] Token introspection configuration: https://felord.blog.csdn.net/article/details/123634847
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"