首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
Files 問題管理 0 Wiki
目錄樹: e99ea033c5
分支列表 標籤列表
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
servlet
/
oauth2
/
authorization-server
/
index.adoc

index.adoc 8.5 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117 
  1. [[oauth2AuthorizationServer]]
    2. 

  2. = OAuth 2.1 Authorization Server
    3. 

  3. :page-section-summary-toc: 1
    4. 

  4. 

  5. The OAuth 2.1 Authorization Server features provide support for the Authorization Server role as defined in the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-1.1[OAuth 2.1 Authorization Framework].
    6. 

  6. 

  7. The Authorization Server features provide implementations of the https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[OAuth 2.1] and https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect 1.0] specifications and other related specifications.
    8. 

  8. It provides a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth 2.1 Authorization Server products.
    9. 

  9. 

  10. [[oauth2AuthorizationServer-use-cases]]
    11. 

  11. == Use Cases
    12. 

  12. 

  13. The following list provides some use cases for using Spring Security Authorization Server compared to using an open source or commercial OAuth2 or OpenID Connect 1.0 Provider product.
    14. 

  14. 

  15. * Provides full control of configuration and customization when advanced customization scenarios are required.
    16. 

  16. * Preference for a light-weight authorization server compared to a commercial product that includes all the "bells and whistles".
    17. 

  17. * Potential savings in software licensing and/or hosting costs.
    18. 

  18. * Quick startup and ease of use during development using the familiar Spring programming model.
    19. 

  19. 

  20. [[oauth2AuthorizationServer-feature-list]]
    21. 

  21. == Feature List
    22. 

  22. 

  23. Spring Security Authorization Server supports the following features:
    24. 

  24. 

  25. [cols="2a,4a,6a"]
    26. 

  26. |===
    27. 

  27. |Category |Feature |Related specifications
    28. 

  28. 

  29. |xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[Authorization Grant]
    30. 

  30. |
    31. 

  31. * Authorization Code
    32. 

  32. ** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[User Consent]
    33. 

  33. * Client Credentials
    34. 

  34. * Refresh Token
    35. 

  35. * Device Code
    36. 

  36. ** xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[User Consent]
    37. 

  37. * Token Exchange
    38. 

  38. |
    39. 

  39. * The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
    40. 

  40. ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.1[Authorization Code Grant]
    41. 

  41. ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.2[Client Credentials Grant]
    42. 

  42. ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-4.3[Refresh Token Grant]
    43. 

  43. * OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])
    44. 

  44. ** https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authorization Code Flow]
    45. 

  45. * OAuth 2.0 Device Authorization Grant
    46. 

  46. (https://tools.ietf.org/html/rfc8628[spec])
    47. 

  47. ** https://tools.ietf.org/html/rfc8628#section-3[Device Flow]
    48. 

  48. * OAuth 2.0 Token Exchange (https://datatracker.ietf.org/doc/html/rfc8693[spec])
    49. 

  49. ** https://datatracker.ietf.org/doc/html/rfc8693#section-2[Token Exchange Flow]
    50. 

  50. 

  51. |xref:servlet/oauth2/authorization-server/core-model-components.adoc#oauth2AuthorizationServer-oauth2-token-generator[Token Formats]
    52. 

  52. |
    53. 

  53. * Self-contained (JWT)
    54. 

  54. * Reference (Opaque)
    55. 

  55. |
    56. 

  56. * JSON Web Token (JWT) (https://tools.ietf.org/html/rfc7519[RFC 7519])
    57. 

  57. * JSON Web Signature (JWS) (https://tools.ietf.org/html/rfc7515[RFC 7515])
    58. 

  58. 

  59. |Token Types
    60. 

  60. |
    61. 

  61. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint-dpop-bound-access-tokens[DPoP-bound Access Tokens]
    62. 

  62. |
    63. 

  63. * OAuth 2.0 Demonstrating Proof of Possession (DPoP) (https://datatracker.ietf.org/doc/html/rfc9449[RFC 9449])
    64. 

  64. 

  65. |xref:servlet/oauth2/authorization-server/configuration-model.adoc#oauth2AuthorizationServer-configuring-client-authentication[Client Authentication]
    66. 

  66. |
    67. 

  67. * `client_secret_basic`
    68. 

  68. * `client_secret_post`
    69. 

  69. * `client_secret_jwt`
    70. 

  70. * `private_key_jwt`
    71. 

  71. * `tls_client_auth`
    72. 

  72. * `self_signed_tls_client_auth`
    73. 

  73. * `none` (public clients)
    74. 

  74. |
    75. 

  75. * The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-2.4[Client Authentication])
    76. 

  76. * JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication (https://tools.ietf.org/html/rfc7523[RFC 7523])
    77. 

  77. * OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens (https://datatracker.ietf.org/doc/html/rfc8705[RFC 8705])
    78. 

  78. * Proof Key for Code Exchange by OAuth Public Clients (PKCE) (https://tools.ietf.org/html/rfc7636[RFC 7636])
    79. 

  79. 

  80. |xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc[Protocol Endpoints]
    81. 

  81. |
    82. 

  82. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-endpoint[OAuth2 Authorization Endpoint]
    83. 

  83. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-pushed-authorization-request-endpoint[OAuth2 Pushed Authorization Request Endpoint]
    84. 

  84. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-authorization-endpoint[OAuth2 Device Authorization Endpoint]
    85. 

  85. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-device-verification-endpoint[OAuth2 Device Verification Endpoint]
    86. 

  86. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-endpoint[OAuth2 Token Endpoint]
    87. 

  87. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-introspection-endpoint[OAuth2 Token Introspection Endpoint]
    88. 

  88. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-token-revocation-endpoint[OAuth2 Token Revocation Endpoint]
    89. 

  89. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oauth2-authorization-server-metadata-endpoint[OAuth2 Authorization Server Metadata Endpoint]
    90. 

  90. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-jwk-set-endpoint[JWK Set Endpoint]
    91. 

  91. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-provider-configuration-endpoint[OpenID Connect 1.0 Provider Configuration Endpoint]
    92. 

  92. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-logout-endpoint[OpenID Connect 1.0 Logout Endpoint]
    93. 

  93. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-user-info-endpoint[OpenID Connect 1.0 UserInfo Endpoint]
    94. 

  94. * xref:servlet/oauth2/authorization-server/protocol-endpoints.adoc#oauth2AuthorizationServer-oidc-client-registration-endpoint[OpenID Connect 1.0 Client Registration Endpoint]
    95. 

  95. |
    96. 

  96. * The OAuth 2.1 Authorization Framework (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07[draft])
    97. 

  97. ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.1[Authorization Endpoint]
    98. 

  98. ** https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-07#section-3.2[Token Endpoint]
    99. 

  99. * OAuth 2.0 Pushed Authorization Requests (https://datatracker.ietf.org/doc/html/rfc9126[RFC 9126])
    100. 

  100. ** https://datatracker.ietf.org/doc/html/rfc9126#section-2[Pushed Authorization Request Endpoint]
    101. 

  101. * OAuth 2.0 Device Authorization Grant (https://tools.ietf.org/html/rfc8628[RFC 8628])
    102. 

  102. ** https://tools.ietf.org/html/rfc8628#section-3.1[Device Authorization Endpoint]
    103. 

  103. ** https://tools.ietf.org/html/rfc8628#section-3.3[Device Verification Endpoint]
    104. 

  104. * OAuth 2.0 Token Introspection (https://tools.ietf.org/html/rfc7662[RFC 7662])
    105. 

  105. * OAuth 2.0 Token Revocation (https://tools.ietf.org/html/rfc7009[RFC 7009])
    106. 

  106. * OAuth 2.0 Authorization Server Metadata (https://tools.ietf.org/html/rfc8414[RFC 8414])
    107. 

  107. * JSON Web Key (JWK) (https://tools.ietf.org/html/rfc7517[RFC 7517])
    108. 

  108. * OpenID Connect Discovery 1.0 (https://openid.net/specs/openid-connect-discovery-1_0.html[spec])
    109. 

  109. ** https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig[Provider Configuration Endpoint]
    110. 

  110. * OpenID Connect RP-Initiated Logout 1.0 (https://openid.net/specs/openid-connect-rpinitiated-1_0.html[spec])
    111. 

  111. ** https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout[Logout Endpoint]
    112. 

  112. * OpenID Connect Core 1.0 (https://openid.net/specs/openid-connect-core-1_0.html[spec])
    113. 

  113. ** https://openid.net/specs/openid-connect-core-1_0.html#UserInfo[UserInfo Endpoint]
    114. 

  114. * OpenID Connect Dynamic Client Registration 1.0 (https://openid.net/specs/openid-connect-registration-1_0.html[spec])
    115. 

  115. ** https://openid.net/specs/openid-connect-registration-1_0.html#ClientRegistration[Client Registration Endpoint]
    116. 

  116. ** https://openid.net/specs/openid-connect-registration-1_0.html#ClientConfigurationEndpoint[Client Configuration Endpoint]
    117. 

  117. |===
    118.