# spring-projects/spring-authorization-server

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/spring-projects-spring-authorization-server).**

5,087 stars · 1,357 forks · Java · apache-2.0

## Links

- GitHub: https://github.com/spring-projects/spring-authorization-server
- Homepage: https://spring.io/projects/spring-authorization-server
- awesome-repositories: https://awesome-repositories.com/repository/spring-projects-spring-authorization-server.md

## Description

Spring Authorization Server is an OAuth 2.1 and OpenID Connect 1.0 authorization server built on Spring Security. It implements the full protocol surface for issuing access and refresh tokens, including authorization code, client credentials, device code, and token exchange grants, as well as pushed authorization requests and user consent management. The server also functions as an OpenID Connect provider, supporting ID tokens, userinfo, discovery, logout, and dynamic client registration.

The project distinguishes itself through an extensible framework that allows custom grant types, pluggable token formats (self-contained JWTs or opaque references), DPoP proof-of-possession binding, and per-issuer tenancy for serving multiple isolated tenants on a single host. Client authentication supports shared secrets, signed JWTs, mutual TLS, and public clients with PKCE enforcement. Consent decisions can be persisted in a database or cache to avoid repeated authorization prompts.

Beyond core flows, the server provides standard protocol endpoints for introspection, revocation, and metadata discovery, along with token customization for adding, modifying, or removing claims. Core services such as the client repository and token generator can be replaced, and request processing can be customized per endpoint. The project offers out-of-the-box persistence via JPA or Redis for authorization state, and its default bootstrapping registers all required OAuth 2.1 and OpenID Connect endpoints automatically when used within a Spring Boot application.

## Tags

### Security & Cryptography

- [Authorization Server Implementations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/authorization-server-implementations.md) — Issues access and refresh tokens using standard OAuth 2.1 grants and client authentication methods.
- [Pluggable Token Formats](https://awesome-repositories.com/f/security-cryptography/access-tokens/pluggable-token-formats.md) — This OAuth 2.1 and OpenID Connect authorization server generates access tokens in either self-contained JWT format or opaque reference tokens as configured. ([source](https://docs.spring.io/spring-authorization-server/reference/1.3/overview.html))
- [Client Authentication Configurations](https://awesome-repositories.com/f/security-cryptography/authentication-clients/client-authentication-configurations.md) — Supports client authentication via shared secrets, signed JWTs, mutual TLS, and public clients with PKCE enforcement.
- [Custom OAuth Grant Types](https://awesome-repositories.com/f/security-cryptography/custom-oauth-grant-types.md) — This OAuth 2.1 and OpenID Connect authorization server allows defining new authorization grant types by implementing custom authentication converters and providers. ([source](https://docs.spring.io/spring-authorization-server/reference/guides/how-to-ext-grant-type.html))
- [OAuth 2.0 Authorization Flows](https://awesome-repositories.com/f/security-cryptography/oauth-2-0-authorization-flows.md) — Processes authorization code, client credentials, refresh token, device code, and token exchange grant flows with user consent. ([source](https://docs.spring.io/spring-authorization-server/reference/1.3/overview.html))
- [OAuth 2.1 Implementations](https://awesome-repositories.com/f/security-cryptography/oauth-authentication/oauth-2-1-implementations.md) — Implements the full set of OAuth 2.1 and OpenID Connect protocol endpoints with dedicated request parsing and response construction for each action.
- [Authorization Metadata](https://awesome-repositories.com/f/security-cryptography/oauth-providers/authorization-metadata.md) — This OAuth 2.1 and OpenID Connect authorization server publishes its configuration, endpoints, and public signing keys via standard discovery documents and JWK set endpoints. ([source](https://docs.spring.io/spring-authorization-server/reference/protocol-endpoints.html))
- [OpenID Connect Providers](https://awesome-repositories.com/f/security-cryptography/openid-connect-providers.md) — Authenticates end users and provides identity claims and ID tokens for single sign-on across applications.
- [Per-Issuer Tenant Isolations](https://awesome-repositories.com/f/security-cryptography/per-issuer-tenant-isolations.md) — This OAuth 2.1 and OpenID Connect authorization server serves multiple tenants by isolating client registrations and user stores, running multiple issuers on a single host. ([source](https://docs.spring.io/spring-authorization-server/reference/how-to.html))
- [Token Introspection and Revocation Endpoints](https://awesome-repositories.com/f/security-cryptography/security/policies/token-validation/token-introspection-and-revocation-endpoints.md) — This OAuth 2.1 and OpenID Connect authorization server validates active token state through introspection and invalidates tokens via revocation endpoints. ([source](https://docs.spring.io/spring-authorization-server/reference/protocol-endpoints.html))
- [Token Claim Customizations](https://awesome-repositories.com/f/security-cryptography/token-based-authentication/oauth2-access-token-issuance/token-claim-customizations.md) — This OAuth 2.1 and OpenID Connect authorization server allows adding, replacing, or removing custom claims on JWT access tokens and OpenID Connect ID tokens. ([source](https://docs.spring.io/spring-authorization-server/reference/how-to.html))
- [Pushed Authorization Requests](https://awesome-repositories.com/f/security-cryptography/token-based-authorization/token-operator-authorizations/request-authorizations/pushed-authorization-requests.md) — This OAuth 2.1 and OpenID Connect authorization server accepts pushed authorization requests submitted directly by the client, returning a request URI for later use. ([source](https://docs.spring.io/spring-authorization-server/reference/protocol-endpoints.html))
- [Custom Client Authentication Converters and Providers](https://awesome-repositories.com/f/security-cryptography/authentication-clients/client-authentication-configurations/custom-client-authentication-converters-and-providers.md) — This OAuth 2.1 and OpenID Connect authorization server allows adding, removing, or customizing converters and providers that extract and verify client credentials from incoming requests. ([source](https://docs.spring.io/spring-authorization-server/reference/configuration-model.html))
- [Persistent Consent Stores](https://awesome-repositories.com/f/security-cryptography/consent-management/persistent-consent-stores.md) — Stores and retrieves resource owner consent decisions to avoid repeating authorization prompts across sessions.
- [Token Claim Injectors](https://awesome-repositories.com/f/security-cryptography/custom-attribution-tracking/authentication-claims/token-claim-injectors.md) — Adds custom claims to access tokens and UserInfo responses to include application-specific user attributes and roles.
- [DPoP Proof Verifications](https://awesome-repositories.com/f/security-cryptography/dpop-proof-verifications.md) — Provides DPoP proof verification to bind access tokens to client public keys and prevent replay attacks.
- [UserInfo Endpoints](https://awesome-repositories.com/f/security-cryptography/openid-connect-providers/userinfo-endpoints.md) — This OAuth 2.1 and OpenID Connect authorization server provides the standard OpenID Connect UserInfo endpoint returning identity claims about an authenticated user. ([source](https://docs.spring.io/spring-authorization-server/reference/guides/how-to-userinfo.html))
- [External Provider Integrations](https://awesome-repositories.com/f/security-cryptography/social-login-providers/external-provider-integrations.md) — This OAuth 2.1 and OpenID Connect authorization server authenticates users through the OAuth2 authorization code flow with external providers such as Google or GitHub, mapping their claims and supporting federated registration. ([source](https://docs.spring.io/spring-authorization-server/reference/how-to.html))

### Data & Databases

- [OAuth State Persistence Backends](https://awesome-repositories.com/f/data-databases/oauth-state-persistence-backends.md) — Provides storage for client registrations, consents, and authorization codes using JPA or Redis. ([source](https://docs.spring.io/spring-authorization-server/reference/how-to.html))
- [Authorization Policy Isolators](https://awesome-repositories.com/f/data-databases/multi-tenant-data-management/authorization-policy-isolators.md) — Serves multiple independent tenants with isolated client registrations and user stores within a single authorization server instance.

### DevOps & Infrastructure

- [OAuth 2.1 and OpenID Connect Server Bootstrapping](https://awesome-repositories.com/f/devops-infrastructure/configuration-management/server-and-site-configuration/oauth-2-1-and-openid-connect-server-bootstrapping.md) — This OAuth 2.1 and OpenID Connect authorization server provides a minimal default configuration that registers all required OAuth2 and OpenID Connect protocol endpoints and infrastructure. ([source](https://docs.spring.io/spring-authorization-server/reference/configuration-model.html))

### Software Engineering & Architecture

- [Spring Boot Integrations](https://awesome-repositories.com/f/software-engineering-architecture/spring-boot-integrations.md) — Provides a customizable OAuth 2.1 and OpenID Connect authorization server built on Spring Security within a Spring Boot application.

### Development Tools & Productivity

- [Static](https://awesome-repositories.com/f/development-tools-productivity/dynamic-configuration-providers/dynamic-provider-registration/dynamic-client-registrations/static.md) — This OAuth 2.1 and OpenID Connect authorization server registers OAuth2 client metadata either statically or dynamically per the OpenID Connect protocol, including identifiers, secrets, and grants. ([source](https://docs.spring.io/spring-authorization-server/reference/protocol-endpoints.html))

### Networking & Communication

- [OAuth 2.1 Core Service Replacements](https://awesome-repositories.com/f/networking-communication/tcp-connection-lifecycles/tcp-client-connections/custom-protocol-servers/oauth-2-1-core-service-replacements.md) — This OAuth 2.1 and OpenID Connect authorization server allows replacing core services such as the client repository and the token generator, and customizing request processing for each protocol endpoint. ([source](https://docs.spring.io/spring-authorization-server/reference/configuration-model.html))
