Skip to content

OAuth 2.0 Features Matrix

Joe Grandja edited this page Oct 2, 2019 · 32 revisions

The following matrix outlines all the OAuth 2.0 features implemented by the various projects within the Spring portfolio. The matrix may be used to determine which project(s) to use based on your OAuth 2.0 requirements.

Note
Spring Security 5.0 introduced new Client support for the OAuth 2.0 Authorization Framework and OpenID Connect 1.0. Spring Security 5.1 introduced new Resource Server support as well as additional Client support for different grant types. The plan is to also provide support for Authorization Server in future releases. This matrix will be kept up-to-date as we complete new features.

For additional information, please see the Frequently Asked Questions.

Client Support

Spring Security (5.2+) Spring Security OAuth (2.2+) Spring Cloud Security (1.2+) Spring Boot OAuth2 (1.5.x)

Authorization Grants

Authorization Code

Implicit

Resource Owner Password Credentials

Client Credentials

Refresh Token

Client Authentication Methods

HTTP Basic

HTTP POST

HTTP Client Support

RestTemplate [1]

WebClient

User Authentication

OAuth 2.0 Login (SSO)

UserInfo Endpoint Support

Access Token Storage Management

In-Memory

JDBC

  1. RestTemplate may collaborate with DefaultOAuth2AuthorizedClientManager

Resource Server Support

Spring Security (5.2+) Spring Security OAuth (2.2+) Spring Cloud Security (1.2+) Spring Boot OAuth2 (1.5.x)

Access Token Formats

Opaque

JSON Web Token (JWT)

Access Token Usage

Token Relay

Access Token Verification

Opaque (using Introspection Endpoint)

JSON Web Signature (MAC)

JSON Web Signature (RSA)

JSON Web Signature (using JSON Web Key)

Custom JWT Claims Set Verifier

Authorization Server Support

Spring Security (5.2+) Spring Security OAuth (2.2+) Spring Cloud Security (1.2+) Spring Boot OAuth2 (1.5.x)

Authorization Grants

Authorization Code

Implicit

Resource Owner Password Credentials

Client Credentials

Refresh Token

Protocol Endpoints

Authorization Endpoint

Token Endpoint

User Approval Endpoint

Introspection Endpoint

Access Token Formats

Opaque

JSON Web Signature (MAC)

JSON Web Signature (RSA)

Access Token Storage Management

In-Memory

JDBC

Redis

Client Authentication Methods

HTTP Basic

HTTP POST

Client Registration Storage Management

JDBC

Authorization Code Storage Management

In-Memory

JDBC

User Approval Storage Management

In-Memory

JDBC

Frequently Asked Questions

  1. What is the future of OAuth 2.0 support in Spring Security?

    The next generation of OAuth 2.0 support is being added throughout the Spring Security 5 release train. As of Spring Security 5.2, there is built-in support for OAuth 2.0 Login, Client, and Resource Server, with a breakdown visible in the above matrix. We plan to continue to add features for Client and Resource Server pertaining to the OAuth 2.0 Core and Extensions, OpenID Connect 1.0 and Javascript Object Signing and Encryption (JOSE) specifications.

  2. Where can I find out more information on which OAuth 2.0 and OpenID Connect 1.0 features will be implemented in Spring Security 5?

    You may track upcoming features in the Spring Security GitHub repo using the in: oauth2 label.

  3. Where can I find samples and documentation for Spring Security 5 OAuth 2.0 support?

    Spring Security 5 introduced the new OAuth 2.0 Login feature along with a sample and detailed documentation. Several other OAuth 2.0 samples are available in the same repo. We will continue to provide samples and documentation as we build out new features.

  4. Are there new features being implemented in Spring Security OAuth 2.3+?

    We will provide bug/security fixes and consider adding minor features but we will not be adding major features. Our plan going forward is to build all the features currently in Spring Security OAuth into Spring Security 5.x. After Spring Security has reached feature parity with Spring Security OAuth, we will continue to support bugs and security fixes for at least one year.

  5. Does Spring Boot 2.0 provide support for Spring Security OAuth?

    Spring Boot 2.0 has dropped support for Spring Security OAuth. However, it provides support for OAuth 2.0 Login, OAuth 2.0 Client, and OAuth 2.0 Resource Server in Spring Security 5.

  6. Is there a way to integrate Spring Security OAuth in Spring Boot 2.0?

    The Spring Security OAuth Boot 2 Autoconfig project is a port of the Spring Security OAuth auto-configuration contained in Spring Boot 1.5.x. If you would like to use Spring Security OAuth in Spring Boot 2.0, you must explicitly include the following dependency in your project:

    • groupId: org.springframework.security.oauth.boot

    • artifactId: spring-security-oauth2-autoconfigure