“Spring Authorization Server – From the basics” Ebook

With the desire to give you a complete guide on building an Authorization Server using Spring Authorization Server, I took the time to write the book “Spring Authorization Server – From the basics”. The Kindle version of this book is currently available on Amazon at https://www.amazon.com/dp/B09RZZ51HD.

This book covers all the required features of an Authorization Server and has been supported by Spring Authorization Server. Updated to Spring Authorization Server version 1.1.0.

In this book, I show you how to implement an Authorization Server with Spring Authorization Server, show how to configure a RegisteredClient to support grant types in OAuth 2.1, including:

  • Grant type Authorization Code with and without PKCE,
  • Grant type Client Credentials,
  • Grant type Refresh Token,
  • And Device Code.

I also guide you through some operations related to access tokens in the chapter “Access token” and how to use the PKCS12 keystore file to secure the access token.

In Chapter 6, I mentioned OpenID Connect and showed you how to configure the Authorization Server to be built using Spring Authorization Server, supporting OpenID Connect.

To save information about RegisteredClient, Authorization, and Authorization Consent to the database, you can read chapter “JDBC”.

And finally, to customize the login or consent screen pages of the Authorization Server, please read Chapter 8 “Customization”.

The table of contents for this book is as follows:

1. Introduction 

1.1 OAuth 2.1

1.2 OpenID Connect

1.3 Spring Authorization Server

2. Getting started

2.1 Configure Authorization Server

2.2 Configure Spring Security

2.3 Register client with Authorization Server

2.4 Register user with Authorization Server

2.5 Smoke test

2.6 OAuth Authorization Server Info

3. OAuth 2.1 grant types

3.1 Authorization Code grant type

3.1.1 Standard

3.1.2 With PKCE

3.2 Client Credentials grant type

3.3 Refresh Token grant type

3.4 Extension grant type

3.4.1 Grant type Device Code

4. Access token

4.1 Change expiration time

4.2 Token introspection

4.3 Token revocation

4.4 Add more claims


5.1 Generate PKCS12 keystore

5.2 Use PKCS12 keystore

6. OpenID Connect

6.1 ID Token

6.2 User Info

6.3 Client Registration

6.4 Client Read

6.5 Provider Configuration

6.6 Logout


7.1 RegisteredClient

7.2 Authorization

7.3 Authorization Consent

8. Customization

8.1 Login

8.2 Consent Screen

8.2.1 Define request URI

8.2.2 Define consent screen template

8.2.3 Configure Authorization Server


  1. Client types in OAuth 2.1

Add Comment