Spring Authorization Server is an OAuth 2.1 and OpenID Connect 1.0 authorization server built on Spring Security. It implements the full protocol surface for issuing access and refresh tokens, including authorization code, client credentials, device code, and token exchange grants, as well as pushed authorization requests and user consent management. The server also functions as an OpenID Connect provider, supporting ID tokens, userinfo, discovery, logout, and dynamic client registration.
The project distinguishes itself through an extensible framework that allows custom grant types, pluggable token formats (self-contained JWTs or opaque references), DPoP proof-of-possession binding, and per-issuer tenancy for serving multiple isolated tenants on a single host. Client authentication supports shared secrets, signed JWTs, mutual TLS, and public clients with PKCE enforcement. Consent decisions can be persisted in a database or cache to avoid repeated authorization prompts.
Beyond the core flows, the server exposes the standard introspection, revocation, and metadata discovery endpoints, and lets you customize tokens by adding, modifying, or removing claims. Core services such as the client repository, authorization service, and token generator can be replaced, and request processing can be customized per endpoint. In-memory and JDBC-backed implementations of the core services ship with the project, and documented how-to guides cover persisting authorization state with JPA or Redis. When used within a Spring Boot application, the default bootstrapping registers all required OAuth 2.1 and OpenID Connect endpoints automatically.
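As an added illustration (this is not code from the project or its documentation), the Java configuration below shows how the framework's API expresses several of the features described above: a public client locked to PKCE with short-lived self-contained JWTs, a confidential client using the client credentials grant with opaque reference tokens, a token customizer that copies the authenticated principal's authorities into a `roles` claim, and an explicit issuer. Client ids, redirect URI, scopes, the issuer URL and the `{noop}` secret are placeholder assumptions; with the Spring Boot starter, the auto-configured security filter chain picks these beans up without further wiring.

```java
import java.time.Duration;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.AuthorizationServerSettings;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class AuthorizationServerConfig {

    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        // Public browser client (placeholder id/URI): no secret, PKCE required,
        // consent prompt enabled, 5-minute JWT access tokens, refresh tokens rotated.
        RegisteredClient spa = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("spa-client")
            .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
            .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
            .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
            .redirectUri("https://app.example.com/callback")
            .scope(OidcScopes.OPENID)
            .scope("orders.read")
            .clientSettings(ClientSettings.builder()
                .requireProofKey(true)
                .requireAuthorizationConsent(true)
                .build())
            .tokenSettings(TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.SELF_CONTAINED)
                .accessTokenTimeToLive(Duration.ofMinutes(5))
                .reuseRefreshTokens(false)
                .build())
            .build();

        // Confidential machine client (placeholder id/secret): client_secret_basic,
        // client credentials grant, opaque reference tokens that must be introspected.
        // "{noop}" is a placeholder for the PasswordEncoder prefix; store a bcrypt hash in practice.
        RegisteredClient batch = RegisteredClient.withId(UUID.randomUUID().toString())
            .clientId("batch-job")
            .clientSecret("{noop}change-me")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .scope("reports.write")
            .tokenSettings(TokenSettings.builder()
                .accessTokenFormat(OAuth2TokenFormat.REFERENCE)
                .accessTokenTimeToLive(Duration.ofMinutes(10))
                .build())
            .build();

        return new InMemoryRegisteredClientRepository(spa, batch);
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
        // Runs for every JWT the server encodes; only touch access tokens so
        // ID tokens keep their standard claim set.
        return context -> {
            if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                Set<String> roles = context.getPrincipal().getAuthorities().stream()
                    .map(GrantedAuthority::getAuthority)
                    .collect(Collectors.toSet());
                context.getClaims().claim("roles", roles);
            }
        };
    }

    @Bean
    public AuthorizationServerSettings authorizationServerSettings() {
        // Placeholder issuer; it becomes the "iss" claim and the base of the
        // discovery metadata, so it must match what resource servers validate.
        return AuthorizationServerSettings.builder()
            .issuer("https://auth.example.com")
            .build();
    }
}
```

Two points worth noting: the reference-token client relies on the introspection endpoint for validation, so its access tokens reveal nothing if leaked, while the self-contained client's JWTs carry the `roles` claim and can be validated offline against the server's JWK Set; and `reuseRefreshTokens(false)` makes each refresh issue a new refresh token, which limits the value of a stolen one.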