Steve Riesenberg

Blog posts by Steve Riesenberg

RestClient Support for OAuth2 in Spring Security 6.4

Engineering | October 28, 2024 | ...

In Spring Security 6.2 and 6.3, we have worked to steadily improve configuration for applications using OAuth2 Client. Configuration for common use cases has been simplified by allowing applications to publish beans which are automatically included in the overall OAuth2 Client configuration during application startup. Recent improvements include:

  • Extension grant types can be enabled simply by publishing a bean of type OAuth2AuthorizedClientProvider (or ReactiveOAuth2AuthorizedClientProvider)
  • OAuth 2.0 Access Token Requests can be extended with custom parameters simply by publishing one or more beans of type OAuth2AccessTokenResponseClient (or ReactiveOAuth2AccessTokenResponseClient)
  • Spring Security automatically publishes a bean of type OAuth2AuthorizedClientManager (or ReactiveOAuth2AuthorizedClientManager) if one is not already published, requiring less boilerplate configuration when an application needs to obtain access tokens

Spring Security 6.4.0-RC1 is available now

Releases | October 21, 2024 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that the first release candidate of Spring Security 6.4 is available.

This release brings several compelling features including:

  • Support for Passkeys
  • Support for making access token requests with RestClient
  • Improved support for making access token requests with WebClient
  • Support for building a ClientRegistration from provided configuration
  • AuthorizationManager now returns an AuthorizationResult
  • AuthorizationEventPublisher now accepts an AuthorizationResult
  • Support for extracting nested authorities via SpEL expressions
  • Security Observations are now selectable

Spring Authorization Server 1.3.0-M3 available now

Releases | March 19, 2024 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the release of Spring Authorization Server 1.3.0-M3! The milestone release of Spring Authorization Server contains a few noteworthy new features:

  • Add PKI Mutual-TLS client authentication method (tls_client_auth) #1558
  • Implement OAuth 2.0 Token Exchange #1525 (see related blog post)

See the 1.3.0-M3 release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration…

Token Exchange support in Spring Security 6.3.0-M3

Engineering | March 19, 2024 | ...

I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant (RFC 8693) in Spring Security 6.3, which is available for preview now in the latest milestone (6.3.0-M3). This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side support is also shipping with Spring Authorization Server in 1.3 and is available for preview now in the latest milestone (1.3.0-M3).

OAuth2 Client features of Spring Security allow us to easily make protected resource requests to an API secured with OAuth2 bearer tokens. Similarly, OAuth2 Resource Server…

Spring Security 5.8.8, 6.0.8, 6.1.5 and 6.2.0-RC2 released

Releases | October 18, 2023 | ...

On behalf of the team and everyone who has contributed, I am pleased to announce that the Spring Security 5.8.8, 6.0.8, 6.1.5 and 6.2.0-RC2 versions are available now.

Please refer to the releases page for more detail on what is included in each release. In particular, you can review the release notes for each milestone that will make up the 6.2.0 release (6.2.0-M1, 6.2.0-M2, 6.2.0-M3, 6.2.0-RC1, 6.2.0-RC2) next month.

We encourage you to take the latest release candidate for a spin and provide any feedback you have! Some notable changes available in the 6.2 release candidate include:

  • Add with() method to apply SecurityConfigurerAdapter #13432
  • Automatically enable .cors() if CorsConfigurationSource bean is present #5011
  • Simplify configuration of OAuth2 Client component model #13587 (blog post, docs)
  • Add OIDC Back-channel Logout Support #7845 (docs)
  • Test coverage for virtual threads #12790, #12791
  • Add servlet pattern support to AuthorizeHttpRequests #13857 (docs)

Tackling the OAuth2 Client component model in Spring Security

Engineering | August 22, 2023 | ...

In Spring Security 5, we saw many developments in the OAuth2 story with the introduction of OAuth2 Resource Server and OAuth2 Client into the framework.

Today, it is quite convenient to develop applications that are secured by OAuth2 using the features available in OAuth2 Resource Server. Additionally, we can take advantage of OAuth2 Client features to integrate with OAuth 2.0 and OpenID Connect 1.0 providers, making it possible to authenticate users with OAuth2 Login and/or make protected requests to applications secured by OAuth2.

However, the OAuth2 landscape is very complex, and customization…

Spring Authorization Server is on Spring Initializr!

Engineering | May 24, 2023 | ...

Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr!

That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most from your new superpower and where to go to learn more.

What is Spring Authorization Server?

Spring Authorization Server is an open-source framework built on top of Spring Security that allows you to create your own standards-based OAuth2 Authorization Server or OpenID Connect Provider. It implements…

Spring Security 6.1 is now GA

Releases | May 15, 2023 | ...

On behalf of the team and everyone who has contributed, we are very excited to announce the general availability of Spring Security 6.1!

In addition to bug fixes and dependency upgrades, the 6.1 release brings many new features including:

  • AuthorizationManager enhancements

  • OAuth2 enhancements

  • SAML2 enhancements

  • RequestMatcher enhancements

  • Refreshed documentation pages and navigation improvements

Check out What’s New in Spring Security 6.1 for a comprehensive list of new features.

You can also see the release notes for 6.1.0-M1, 6.1.0-M2, 6.1.0-RC1, and 6.1.0 for an in-depth view.

Spring Authorization Server 1.1.0-M2 available now

Releases | March 21, 2023 | ...

On behalf of the team and everyone who has contributed, it is my pleasure to announce the general availability of Spring Authorization Server 1.1.0-M2.

The main feature delivered in this release is support for OAuth 2.0 Device Authorization Grant (gh-1106).

See the release notes for complete details.

To get started using Spring Authorization Server, see the Getting Started chapter of the reference documentation and the samples to become familiar with setup and configuration.

Project Page | GitHub Issues | ZenHub Board
