Customized version of the spring authorization server

Spring Authorization Server

Customized from sample at https://github.com/spring-projects/spring-authorization-server.


To run this server you need at least a Java 17 runtime as this project uses spring boot 3.x.


Start the server by running the class com.example.spring.authorizationserver.SpringAuthorizationServerApplication.

Look up the OAuth2/OIDC configuration from http://localhost:9000/.well-known/openid-configuration to configure your clients and resource servers.

These are the most important configuration settings:

Configuration Parameter Value
issuer http://localhost:9000
authorization_endpoint http://localhost:9000/oauth2/authorize
token_endpoint http://localhost:9000/oauth2/token
jwks_uri http://localhost:9000/oauth2/jwks
userinfo_endpoint http://localhost:9000/userinfo
introspection_endpoint http://localhost:9000/oauth2/introspect

Registered Clients

This server comes with predefined registered OAuth2/OIDC clients:

Client ID Client-Secret PKCE Access Token Format
demo-client secret -- JWT
demo-client-pkce secret X JWT
demo-client-opaque secret -- Opaque
demo-client-pkce-opaque secret X Opaque

All clients have configured the following redirect URIs (including a special one for postman):

Please note: Instead of localhost the local ip is configured as redirect URI. This is because spring security does not allow redirects of clients to localhost addresses.


This server already has preconfigured users. Therefore, to login please use one of these predefined credentials:

Username Email Password Roles
bwayne bruce.wayne@example.com wayne USER
ckent clark.kent@example.com kent USER
pparker peter.parker@example.com parker USER, ADMIN


You may use the provided postman collections to try the authorization server endpoints and the registered clients. The collections (for both JWT and Opaque tokens) can be found in the postman folder.

Persistent Configuration Store

The authorization server uses a persistent H2 (in-memory) storage for configuration and stored tokens.

You may have a look inside the data using the H2 console. Please use jdbc:h2:mem:authzserver as jdbc url and sa as username, leave password empty.


This customized version contains an extended user object compared to the standard spring security user object. The contents of id and access tokens and user info endpoint information is customized for extended user data as well.

Check the spring authorization server reference docs for more information.

Configure information returned to the userinfo endpoint


@Configuration(proxyBeanMethods = false)
public class AuthorizationServerConfig {
    @Order(Ordered.HIGHEST_PRECEDENCE + 1)
    public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
                new OAuth2AuthorizationServerConfigurer();
        RequestMatcher endpointsMatcher = authorizationServerConfigurer

        Function<OidcUserInfoAuthenticationContext, OidcUserInfo> userInfoMapper = (context) -> {
            OidcUserInfoAuthenticationToken authentication = context.getAuthentication();
            JwtAuthenticationToken principal = (JwtAuthenticationToken) authentication.getPrincipal();

            return new OidcUserInfo(principal.getToken().getClaims());

                .oidc((oidc) -> oidc
                        .userInfoEndpoint((userInfo) -> userInfo
                .authorizeHttpRequests((authorize) -> authorize
                .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
                .exceptionHandling(exceptions ->
                        exceptions.authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"))
        return http.build();

Customize id and access token contents

public class JwtTokenCustomizerConfig {
    public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer(OidcUserInfoService userInfoService) {
        return (context) -> {
            if (ID_TOKEN.equals(context.getTokenType().getValue()) || ACCESS_TOKEN.equals(context.getTokenType())) {
                OidcUserInfo userInfo = userInfoService.loadUser(
                context.getClaims().claims(claims ->


Any feedback on this project is highly appreciated.

Just email andreas.falk(at)novatec-gmbh.de or contact me via Twitter (@andifalk).


Apache 2.0 licensed


