“Spring Authorization Server – From the basics – Second Edition” Book

With the desire to give you a complete guide on building an Authorization Server using Spring Authorization Server, I took the time to write the book “Spring Authorization Server – From the basics – Second Edition”.

You can buy this book here:

This book covers all the required features of an Authorization Server that Spring Authorization Server supports. It is updated to Spring Authorization Server version 1.1.3.

In this book, I show you how to implement an Authorization Server with Spring Authorization Server and how to configure a RegisteredClient to support the OAuth 2.1 grant types, including:

  • Authorization Code with and without PKCE grant type,
  • Client Credentials grant type,
  • Refresh Token grant type,
  • Device Code grant type.

I also guide you through some operations related to access tokens in the chapter “Access token”, and show how to use a PKCS12 keystore file or key files generated with OpenSSL to secure the access token.

In Chapter 7, I cover OpenID Connect and show how to configure the Authorization Server built with Spring Authorization Server to support it.

To persist RegisteredClient, Authorization, and Authorization Consent data in a database, read the chapter “JDBC”.
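As an added example that is my own code, not the book's or the Spring project's, the configuration class below ties the two topics above together: it registers one client per OAuth 2.1 grant type (Authorization Code with and without PKCE, Client Credentials, Refresh Token, Device Code) and stores clients, authorizations (including refresh tokens) and consents through the JDBC implementations that Spring Authorization Server ships, so they survive a restart. It assumes Spring Authorization Server 1.1.x on Spring Boot with spring-boot-starter-jdbc and a configured DataSource; the client ids, secrets, redirect URIs and the `inventory.read` scope are hypothetical placeholders.

```java
import java.time.Duration;
import java.util.List;
import java.util.UUID;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.settings.ClientSettings;
import org.springframework.security.oauth2.server.authorization.settings.TokenSettings;

@Configuration
public class ClientAndStorageConfig { // hypothetical class name

    // Short-lived access tokens and one-time refresh tokens limit the damage of a leaked token.
    private static final TokenSettings TOKEN_SETTINGS = TokenSettings.builder()
            .accessTokenTimeToLive(Duration.ofMinutes(5))
            .refreshTokenTimeToLive(Duration.ofHours(8))
            .reuseRefreshTokens(false)
            .build();

    @Bean
    RegisteredClientRepository registeredClientRepository(JdbcTemplate jdbcTemplate) {
        JdbcRegisteredClientRepository repository = new JdbcRegisteredClientRepository(jdbcTemplate);
        // Seed the oauth2_registered_client table only once; later restarts find the rows already there.
        for (RegisteredClient client : seedClients()) {
            if (repository.findByClientId(client.getClientId()) == null) {
                repository.save(client);
            }
        }
        return repository;
    }

    @Bean
    OAuth2AuthorizationService authorizationService(JdbcTemplate jdbcTemplate, RegisteredClientRepository clients) {
        // Persists authorization codes, access tokens, refresh tokens and device codes in oauth2_authorization.
        return new JdbcOAuth2AuthorizationService(jdbcTemplate, clients);
    }

    @Bean
    OAuth2AuthorizationConsentService authorizationConsentService(JdbcTemplate jdbcTemplate, RegisteredClientRepository clients) {
        return new JdbcOAuth2AuthorizationConsentService(jdbcTemplate, clients);
    }

    private static List<RegisteredClient> seedClients() {
        // Secrets are stored hashed; the delegating encoder writes "{bcrypt}..." values.
        var encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // 4.1.1 + 4.3: confidential web app, Authorization Code with Refresh Token.
        // PKCE is required here too: OAuth 2.1 recommends it for every Authorization Code client.
        RegisteredClient webApp = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("web-app")                                   // hypothetical client id
                .clientSecret(encoder.encode("web-app-secret"))        // hypothetical secret
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("https://app.example.test/login/oauth2/code/web-app") // hypothetical
                .scope(OidcScopes.OPENID)
                .clientSettings(ClientSettings.builder().requireProofKey(true).requireAuthorizationConsent(true).build())
                .tokenSettings(TOKEN_SETTINGS)
                .build();

        // 4.1.2: public client (SPA or mobile app): no secret, so PKCE is mandatory.
        RegisteredClient spa = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("spa")                                       // hypothetical client id
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .redirectUri("https://spa.example.test/callback")      // hypothetical
                .scope(OidcScopes.OPENID)
                .clientSettings(ClientSettings.builder().requireProofKey(true).build())
                .tokenSettings(TOKEN_SETTINGS)
                .build();

        // 4.2: machine-to-machine service, Client Credentials only (no refresh token is issued).
        RegisteredClient service = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("inventory-service")                         // hypothetical client id
                .clientSecret(encoder.encode("inventory-secret"))      // hypothetical secret
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
                .scope("inventory.read")                               // hypothetical scope
                .tokenSettings(TOKEN_SETTINGS)
                .build();

        // 4.4.1: input-constrained device, Device Code with Refresh Token.
        RegisteredClient device = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("smart-tv")                                  // hypothetical client id
                .clientAuthenticationMethod(ClientAuthenticationMethod.NONE)
                .authorizationGrantType(AuthorizationGrantType.DEVICE_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .scope(OidcScopes.OPENID)
                .tokenSettings(TOKEN_SETTINGS)
                .build();

        return List.of(webApp, spa, service, device);
    }
}
```

The three tables these services write to must exist before the first start: Spring Authorization Server ships their DDL as `oauth2-registered-client-schema.sql`, `oauth2-authorization-schema.sql` and `oauth2-authorization-consent-schema.sql` under `org/springframework/security/oauth2/server/authorization/` in its jar, which you can apply through `spring.sql.init.schema-locations` or your migration tool. Once `JdbcOAuth2AuthorizationService` is in place, a refresh token issued before a restart is still found and validated afterwards, because the token state lives in the database rather than in memory.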

Finally, to customize the login or consent screen pages of the Authorization Server, please read Chapter 9 “Customization”.

The table of contents for this book is as follows:

1. Introduction

  • 1.1 OAuth 2.1
  • 1.2 OpenID Connect
  • 1.3 Spring Authorization Server

2. Getting started

3. Configure Authorization Server

  • 3.1 Configuration for default endpoints
  • 3.2 Configure JSON Web Key
  • 3.3 Configure AuthorizationServerSettings
  • 3.4 Configure Spring Security
  • 3.5 Register client with Authorization Server
  • 3.6 Register user with Authorization Server
  • 3.7 OAuth Authorization Server Info

4. OAuth 2.1 grant types

  • 4.1 Authorization Code grant type
    • 4.1.1 Standard
    • 4.1.2 With PKCE
  • 4.2 Client Credentials grant type
  • 4.3 Refresh Token grant type
  • 4.4 Extension grant type
    • 4.4.1 Device Code grant type

5. Access token

  • 5.1 Change expiration time
  • 5.2 Change format
  • 5.3 Token introspection
  • 5.4 Token revocation
  • 5.5 Add more claims


  • 6.1 Define JSON Web Key Set using PKCS12 keystore file
    • 6.1.1 Generate PKCS12 keystore file
    • 6.1.2 Use PKCS12 keystore file
  • 6.2 Define JSON Web Key Set using key files generated using OpenSSL
    • 6.2.1 Generate key files using OpenSSL
    • 6.2.2 Use key files

7. OpenID Connect

  • 7.1 ID Token
  • 7.2 User Info
  • 7.3 Client Registration
  • 7.4 Client Read
  • 7.5 Provider Configuration
  • 7.6 Logout

8. JDBC

  • 8.1 RegisteredClient
  • 8.2 Authorization
  • 8.3 Authorization Consent

9. Customization

  • 9.1 Login
  • 9.2 Consent Screen
    • 9.2.1 Define request URI
    • 9.2.2 Define consent screen template
    • 9.2.3 Configure Authorization Server


  • A. Client types in OAuth 2.1

5 thoughts on “Spring Authorization Server – From the basics – Second Edition” Book

  1. Hello. I have written a Spring Authorization Server. But whenever I restart my auth server, I lose my refresh tokens. In other words, they are not valid anymore. I want to persist my tokens in a database instead of an in-memory structure. Please help me: how can I save my tokens in PostgreSQL so that I can reuse them even if I restart my auth server?

    1. This will need some customization. You can take a look at how the RegisteredClient, the Authorization, and the Authorization Consent are stored in the database, then add some new classes to do what you need. I can include some guidelines in the next edition of the “Spring Authorization Server – From the basics” book.

  2. Hi,
    I am glad that at last somebody has brought together all the material that might help a developer build an enterprise-scale Authorization Server in the Spring Framework world. However, I am not sure if the book includes how to register users with permissions and claims in a database so that one can authorize the resources using the user’s permissions that exist in the database.
    Thanks for the reply in advance.

    1. Hello, I understand your question and your need. But I’m not sure if it should be part of an Authorization Server. I’m writing another book that will guide the developer in building an application with a microservice architecture, managing the user permissions, and authorizing resources based on the user permissions from the database.
      I hope I will complete it soon.
      Best regards,

      1. Hi,
        Thanks for the reply. Is it possible to reveal the contents of the said book that you are writing?
        Best regards,
