OAuth 2.0 Features Matrix

Joe Grandja edited this page Jan 30, 2018 · 5 revisions

The following matrix outlines all the OAuth 2.0 features implemented by the various projects within the Spring portfolio. The matrix may be used to determine which project(s) to use based on your OAuth 2.0 requirements.

Note
Spring Security 5.0 introduced new Client support for the OAuth 2.0 Authorization Framework and OpenID Connect 1.0. The plan is to also provide support for Resource Server and Authorization Server in future releases. This matrix will be kept up to date as we complete new features.

For additional information, please see the Frequently Asked Questions.

Client Support

Spring Security (5.0+) | Spring Security OAuth (2.2+) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x)

Authorization Grants

Authorization Code

Implicit

Resource Owner Password Credentials

Client Credentials

Refresh Token

Client Authentication Methods

HTTP Basic

HTTP POST

HTTP Client Support

RestTemplate

WebClient

User Authentication

OAuth 2.0 Login (SSO)

UserInfo Endpoint Support

Access Token Usage

Token Relay

Access Token Storage Management

In-Memory

JDBC

Resource Server Support

Spring Security (5.0+) | Spring Security OAuth (2.2+) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x)

Access Token Formats

Opaque

JSON Web Token (JWT)

Access Token Verification

Opaque (using Introspection Endpoint)

JSON Web Signature (MAC)

JSON Web Signature (RSA)

JSON Web Signature (using JSON Web Key)

Custom JWT Claims Set Verifier

Authorization Server Support

Spring Security (5.0+) | Spring Security OAuth (2.2+) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x)

Authorization Grants

Authorization Code

Implicit

Resource Owner Password Credentials

Client Credentials

Refresh Token

Protocol Endpoints

Authorization Endpoint

Token Endpoint

User Approval Endpoint

Introspection Endpoint

Access Token Formats

Opaque

JSON Web Signature (MAC)

JSON Web Signature (RSA)

Access Token Storage Management

In-Memory

JDBC

Redis

Client Authentication Methods

HTTP Basic

HTTP POST

Client Registration Storage Management

JDBC

Authorization Code Storage Management

In-Memory

JDBC

User Approval Storage Management

In-Memory

JDBC

Frequently Asked Questions

  1. What is the future of OAuth 2.0 support in Spring Security?

    The next generation of OAuth 2.0 support is currently underway in Spring Security 5, where we introduced new Client support for the OAuth 2.0 Authorization Framework and OpenID Connect Core 1.0. The plan is to also provide support for Resource Server by mid-2018 and Authorization Server by the end of 2018 or early 2019, along with more extensive support for OAuth 2.0 Core and Extensions, OpenID Connect 1.0, and JavaScript Object Signing and Encryption (JOSE).

  2. Where can I find out more information on which OAuth 2.0 and OpenID Connect 1.0 features will be implemented in Spring Security 5?

    You may track upcoming features in the Spring Security GitHub repo using the OAuth2, OIDC and JWT-JOSE labels.

  3. Where can I find samples and documentation for Spring Security 5 OAuth 2.0 support?

    Spring Security 5 introduced the new OAuth 2.0 Login feature along with a sample and detailed documentation. We will continue to provide samples and documentation as we build out new features.

  4. Are there new features being implemented in Spring Security OAuth 2.2+?

    We will provide bug/security fixes and consider adding minor features, but we will not be adding major features. Our plan going forward is to build all the features currently in Spring Security OAuth into Spring Security 5.x. After Spring Security has reached feature parity with Spring Security OAuth, we will continue to provide bug and security fixes for at least one year.

  5. Does Spring Boot 2.0 provide support for Spring Security OAuth?

    Spring Boot 2.0 has dropped support for Spring Security OAuth. However, it provides support for the new OAuth 2.0 Login feature in Spring Security 5.

  6. Is there a way to integrate Spring Security OAuth in Spring Boot 2.0?

    The Spring Security OAuth Boot 2 Autoconfig project is a port of the Spring Security OAuth auto-configuration contained in Spring Boot 1.5.x. If you would like to use Spring Security OAuth in Spring Boot 2.0, you must explicitly include the following dependency in your project:

    • groupId: org.springframework.security.oauth.boot

    • artifactId: spring-security-oauth2-autoconfigure
