OAuth 2.0 Features Matrix
The following matrix outlines all the OAuth 2.0 Client, Resource Server and Authorization Server features implemented by the various projects within the Spring portfolio. The matrix may be used to determine which project(s) to use based on your OAuth 2.0 Client, Resource Server and Authorization Server requirements.
|
Note
|
Spring Security 5.0 introduced new Client support for the OAuth 2.0 Authorization Framework and OpenID Connect 1.0. Spring Security 5.1 introduced new Resource Server support as well as additional Client support for different grant types. Spring Security 5.2 continued this pattern, providing more support for Resource Server and Client. This matrix will be kept up-to-date as we complete new features. |
For additional information, please see the Frequently Asked Questions.
| Spring Security (5.4+) | Spring Security OAuth (2.5) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x) | |
|---|---|---|---|---|
Authorization Grants |
||||
Authorization Code |
✔ |
✔ |
||
Implicit |
✔ |
|||
Resource Owner Password Credentials |
✔ |
✔ |
||
Client Credentials |
✔ |
✔ |
||
Refresh Token |
✔ |
✔ |
||
Client Authentication Methods |
||||
HTTP Basic |
✔ |
✔ |
||
HTTP POST |
✔ |
✔ |
||
HTTP Client Support |
||||
RestTemplate [1] |
✔ |
✔ |
||
WebClient |
✔ |
|||
User Authentication |
||||
OAuth 2.0 Login (SSO) |
✔ |
✔ |
||
UserInfo Endpoint Support |
✔ |
✔ |
||
Access Token Storage Management |
||||
In-Memory |
✔ |
|||
JDBC |
✔ |
✔ |
||
-
RestTemplate may collaborate with DefaultOAuth2AuthorizedClientManager to realize full support.
| Spring Security (5.4+) | Spring Security OAuth (2.5) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x) | |
|---|---|---|---|---|
Access Token Formats |
||||
Opaque |
✔ |
✔ |
||
JSON Web Token (JWT) |
✔ |
✔ |
||
Access Token Usage |
||||
Token Relay |
✔ |
✔ |
||
Access Token Verification |
||||
Opaque (using Introspection Endpoint) |
✔ |
✔ |
||
JSON Web Signature (MAC) |
✔ |
✔ |
||
JSON Web Signature (RSA) |
✔ |
✔ |
||
JSON Web Signature (using JSON Web Key) |
✔ |
✔ |
||
Custom JWT Claims Set Verifier |
✔ |
✔ |
||
| Spring Authorization Server (0.2.0) | Spring Security OAuth (2.5) | Spring Cloud Security (1.2+) | Spring Boot OAuth2 (1.5.x) | |
|---|---|---|---|---|
Authorization Grants |
||||
Authorization Code |
✔ |
✔ |
||
Implicit |
Not implemented [1] |
✔ |
||
Resource Owner Password Credentials |
Not implemented [1] |
✔ |
||
Client Credentials |
✔ |
✔ |
||
Refresh Token |
✔ |
✔ |
||
Protocol Endpoints |
||||
Authorization Endpoint |
✔ |
✔ |
||
Token Endpoint |
✔ |
✔ |
||
User Consent Endpoint |
✔ |
✔ |
||
Introspection Endpoint |
✔ |
✔ |
||
Access Token Formats |
||||
Opaque |
✔ |
|||
JSON Web Signature (MAC) |
✔ |
✔ |
||
JSON Web Signature (RSA) |
✔ |
✔ |
||
Access Token Storage Management |
||||
In-Memory |
✔ |
✔ |
||
JDBC |
✔ |
✔ |
||
Redis |
✔ |
|||
Client Authentication Methods |
||||
HTTP Basic |
✔ |
✔ |
||
HTTP POST |
✔ |
✔ |
||
Client Registration Storage Management |
||||
In-Memory |
✔ |
✔ |
||
JDBC |
✔ |
✔ |
||
Authorization Code Storage Management |
||||
In-Memory |
✔ |
✔ |
||
JDBC |
✔ |
✔ |
||
User Consent Storage Management |
||||
In-Memory |
✔ |
✔ |
||
JDBC |
✔ |
✔ |
||
-
The Implicit grant and Resource Owner Password Credentials grant has been omitted (deprecated) from the OAuth 2.1 Authorization Framework.
-
What is the future of OAuth 2.0 support in Spring Security?
The next generation of OAuth 2.0 support is being added throughout the Spring Security 5 release train. As of Spring Security 5.2, there is built-in support for OAuth 2.0 Login, Client, and Resource Server, with a breakdown visible in the above matrix. We plan to continue to add features for Client and Resource Server pertaining to the OAuth 2.0 Core and Extensions, OpenID Connect 1.0 and Javascript Object Signing and Encryption (JOSE) specifications.
-
Where can I find out more information on which OAuth 2.0 and OpenID Connect 1.0 features will be implemented in Spring Security 5?
You may track upcoming features in the Spring Security GitHub repo using the in: oauth2 label.
-
Where can I find samples and documentation for Spring Security 5 OAuth 2.0 support?
Spring Security 5 introduced the new OAuth 2.0 Login feature along with a sample and detailed documentation. Several other OAuth 2.0 samples are available in the same repo. We will continue to provide samples and documentation as we build out new features.
-
Are there new features being implemented in Spring Security OAuth 2.3+?
We will provide bug/security fixes and consider adding minor enhancements. Our plan going forward is to build all the features currently in Spring Security OAuth into Spring Security 5.x. After Spring Security has reached feature parity with Spring Security OAuth, we will continue to support bugs and security fixes for at least one year.
-
Does Spring Boot 2.0 provide support for Spring Security OAuth?
Spring Boot 2.0 has dropped support for Spring Security OAuth. However, it provides support for OAuth 2.0 Login, OAuth 2.0 Client, and OAuth 2.0 Resource Server in Spring Security 5.
-
Is there a way to integrate Spring Security OAuth in Spring Boot 2.0?
The Spring Security OAuth Boot 2 Autoconfig project is a port of the Spring Security OAuth auto-configuration contained in Spring Boot 1.5.x. If you would like to use Spring Security OAuth in Spring Boot 2.0, you must explicitly include the following dependency in your project:
-
groupId:
org.springframework.security.oauth.boot -
artifactId:
spring-security-oauth2-autoconfigure
-