对于最新的稳定版本，请使用 Spring Authorization Server 1.4.2！spring-doc.cadn.net.cn

协议端点

OAuth2 授权端点

OAuth2AuthorizationEndpointConfigurer提供自定义 OAuth2 授权端点的功能。它定义了扩展点，允许您自定义 OAuth2 授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationEndpoint(authorizationEndpoint ->
			authorizationEndpoint
				.authorizationRequestConverter(authorizationRequestConverter)   (1)
				.authorizationRequestConverters(authorizationRequestConvertersConsumer) (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer)   (4)
				.authorizationResponseHandler(authorizationResponseHandler) (5)
				.errorResponseHandler(errorResponseHandler) (6)
				.consentPage("/oauth2/v1/authorize")    (7)
		);

	return http.build();
}

1	`authorizationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 授权请求（或同意）时使用`HttpServletRequest`添加到`OAuth2AuthorizationCodeRequestAuthenticationToken`或`OAuth2AuthorizationConsentAuthenticationToken`.
2	`authorizationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2AuthorizationCodeRequestAuthenticationToken`或`OAuth2AuthorizationConsentAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`authorizationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2AuthorizationCodeRequestAuthenticationToken`并返回 OAuth2AuthorizationResponse。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthorizationCodeRequestAuthenticationException`并返回 OAuth2Error 响应。
7	`consentPage()`：这`URI`，以便在授权请求流程中将资源所有者重定向到是否需要同意。

OAuth2AuthorizationEndpointConfigurer配置OAuth2AuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationEndpointFilter是Filter处理 OAuth2 授权请求（和同意）。spring-doc.cadn.net.cn

OAuth2AuthorizationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeRequestAuthenticationConverter和OAuth2AuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeRequestAuthenticationProvider和OAuth2AuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2AuthorizationCodeRequestAuthenticationToken并返回OAuth2AuthorizationResponse.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthorizationCodeRequestAuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

自定义授权请求验证

OAuth2AuthorizationCodeRequestAuthenticationValidator是用于验证授权码授予中使用的特定 OAuth2 授权请求参数的默认验证器。默认实现会验证redirect_uri和scope参数。如果验证失败，则OAuth2AuthorizationCodeRequestAuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationProvider通过提供Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2AuthorizationCodeRequestAuthenticationContext持有OAuth2AuthorizationCodeRequestAuthenticationToken，其中包含 OAuth2 授权请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthorizationCodeRequestAuthenticationException.

在开发生命周期阶段，一个常见的用例是允许localhost在redirect_uri参数。spring-doc.cadn.net.cn

以下示例显示如何配置OAuth2AuthorizationCodeRequestAuthenticationProvider使用自定义身份验证验证器，允许localhost在redirect_uri参数：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationEndpoint(authorizationEndpoint ->
			authorizationEndpoint
				.authenticationProviders(configureAuthenticationValidator())
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2AuthorizationCodeRequestAuthenticationProvider) {
				Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> authenticationValidator =
					// Override default redirect_uri validator
					new CustomRedirectUriValidator()
						// Reuse default scope validator
						.andThen(OAuth2AuthorizationCodeRequestAuthenticationValidator.DEFAULT_SCOPE_VALIDATOR);

				((OAuth2AuthorizationCodeRequestAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomRedirectUriValidator implements Consumer<OAuth2AuthorizationCodeRequestAuthenticationContext> {

	@Override
	public void accept(OAuth2AuthorizationCodeRequestAuthenticationContext authenticationContext) {
		OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication =
			authenticationContext.getAuthentication();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		String requestedRedirectUri = authorizationCodeRequestAuthentication.getRedirectUri();

		// Use exact string matching when comparing client redirect URIs against pre-registered URIs
		if (!registeredClient.getRedirectUris().contains(requestedRedirectUri)) {
			OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST);
			throw new OAuth2AuthorizationCodeRequestAuthenticationException(error, null);
		}
	}
}

OAuth2 设备授权端点

OAuth2DeviceAuthorizationEndpointConfigurer提供自定义 OAuth2 设备授权端点的功能。它定义了扩展点，允许您自定义 OAuth2 设备授权请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.deviceAuthorizationEndpoint(deviceAuthorizationEndpoint ->
			deviceAuthorizationEndpoint
				.deviceAuthorizationRequestConverter(deviceAuthorizationRequestConverter) (1)
				.deviceAuthorizationRequestConverters(deviceAuthorizationRequestConvertersConsumer) (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer) (4)
				.deviceAuthorizationResponseHandler(deviceAuthorizationResponseHandler) (5)
				.errorResponseHandler(errorResponseHandler) (6)
				.verificationUri("/oauth2/v1/device_verification") (7)
		);

	return http.build();
}

1	`deviceAuthorizationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 设备授权请求时使用`HttpServletRequest`添加到`OAuth2DeviceAuthorizationRequestAuthenticationToken`.
2	`deviceAuthorizationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2DeviceAuthorizationRequestAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`deviceAuthorizationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2DeviceAuthorizationRequestAuthenticationToken`并返回 OAuth2DeviceAuthorizationResponse。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。
7	`verificationUri()`：这`URI`将资源所有者定向到辅助设备上。

OAuth2DeviceAuthorizationEndpointConfigurer配置OAuth2DeviceAuthorizationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceAuthorizationEndpointFilter是Filter处理 OAuth2 设备授权请求。spring-doc.cadn.net.cn

OAuth2DeviceAuthorizationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2DeviceAuthorizationRequestAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceAuthorizationRequestAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2DeviceAuthorizationRequestAuthenticationToken并返回OAuth2DeviceAuthorizationResponse.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 设备验证端点

OAuth2DeviceVerificationEndpointConfigurer提供自定义 OAuth2 设备验证端点（或“用户交互”）的功能。它定义了扩展点，允许您自定义 OAuth2 设备验证请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.deviceVerificationEndpoint(deviceVerificationEndpoint ->
			deviceVerificationEndpoint
				.deviceVerificationRequestConverter(deviceVerificationRequestConverter) (1)
				.deviceVerificationRequestConverters(deviceVerificationRequestConvertersConsumer) (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer) (4)
				.deviceVerificationResponseHandler(deviceVerificationResponseHandler) (5)
				.errorResponseHandler(errorResponseHandler) (6)
				.consentPage("/oauth2/v1/consent") (7)
		);

	return http.build();
}

1	`deviceVerificationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 设备验证请求（或同意）时使用`HttpServletRequest`添加到`OAuth2DeviceVerificationAuthenticationToken`或`OAuth2DeviceAuthorizationConsentAuthenticationToken`.
2	`deviceVerificationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2DeviceVerificationAuthenticationToken`或`OAuth2DeviceAuthorizationConsentAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`deviceVerificationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2DeviceVerificationAuthenticationToken`并指示资源所有者返回到其设备。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回错误响应。
7	`consentPage()`：这`URI`，将资源所有者重定向到在设备验证请求流程中是否需要同意。

OAuth2DeviceVerificationEndpointConfigurer配置OAuth2DeviceVerificationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2DeviceVerificationEndpointFilter是Filter处理 OAuth2 设备验证请求（和同意）。spring-doc.cadn.net.cn

OAuth2DeviceVerificationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2DeviceVerificationAuthenticationConverter和OAuth2DeviceAuthorizationConsentAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2DeviceVerificationAuthenticationProvider和OAuth2DeviceAuthorizationConsentAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 一个SimpleUrlAuthenticationSuccessHandler处理 “authenticated”OAuth2DeviceVerificationAuthenticationToken并将用户重定向到成功页面（/?success).spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OAuth2 令牌端点

OAuth2TokenEndpointConfigurer提供自定义 OAuth2 令牌端点的功能。它定义了扩展点，允许您自定义 OAuth2 访问令牌请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenEndpoint(tokenEndpoint ->
			tokenEndpoint
				.accessTokenRequestConverter(accessTokenRequestConverter)   (1)
				.accessTokenRequestConverters(accessTokenRequestConvertersConsumer) (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer)   (4)
				.accessTokenResponseHandler(accessTokenResponseHandler) (5)
				.errorResponseHandler(errorResponseHandler) (6)
		);

	return http.build();
}

1	`accessTokenRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 访问令牌请求时使用`HttpServletRequest`添加到`OAuth2AuthorizationGrantAuthenticationToken`.
2	`accessTokenRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2AuthorizationGrantAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`accessTokenResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理`OAuth2AccessTokenAuthenticationToken`并返回`OAuth2AccessTokenResponse`.
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenEndpointConfigurer配置OAuth2TokenEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenEndpointFilter是Filter处理 OAuth2 访问令牌请求。spring-doc.cadn.net.cn

支持的授权授权类型包括authorization_code,refresh_token,client_credentials,urn:ietf:params:oauth:grant-type:device_code和urn:ietf:params:oauth:grant-type:token-exchange.spring-doc.cadn.net.cn

OAuth2TokenEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个DelegatingAuthenticationConverter组成OAuth2AuthorizationCodeAuthenticationConverter,OAuth2RefreshTokenAuthenticationConverter,OAuth2ClientCredentialsAuthenticationConverter,OAuth2DeviceCodeAuthenticationConverter和OAuth2TokenExchangeAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2AuthorizationCodeAuthenticationProvider,OAuth2RefreshTokenAuthenticationProvider,OAuth2ClientCredentialsAuthenticationProvider,OAuth2DeviceCodeAuthenticationProvider和OAuth2TokenExchangeAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 一个OAuth2AccessTokenResponseAuthenticationSuccessHandler.spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

自定义客户端身份凭证授权请求验证

OAuth2ClientCredentialsAuthenticationValidator是用于验证特定 OAuth2 客户端凭证授予请求参数的默认验证器。默认实现会验证scope参数。如果验证失败，则OAuth2AuthenticationException被抛出。spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationProvider通过提供 type 为Consumer<OAuth2ClientCredentialsAuthenticationContext>自setAuthenticationValidator().spring-doc.cadn.net.cn

OAuth2ClientCredentialsAuthenticationContext持有OAuth2ClientCredentialsAuthenticationToken，其中包含 OAuth2 客户端凭证授予请求参数。

如果验证失败，身份验证验证器必须抛出OAuth2AuthenticationException.

以下示例显示如何配置OAuth2ClientCredentialsAuthenticationProvider替换为覆盖默认scope验证：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenEndpoint(tokenEndpoint ->
			tokenEndpoint
				.authenticationProviders(configureAuthenticationValidator())
		);

	return http.build();
}

private Consumer<List<AuthenticationProvider>> configureAuthenticationValidator() {
	return (authenticationProviders) ->
		authenticationProviders.forEach((authenticationProvider) -> {
			if (authenticationProvider instanceof OAuth2ClientCredentialsAuthenticationProvider) {
				Consumer<OAuth2ClientCredentialsAuthenticationContext> authenticationValidator =
					new CustomScopeValidator();

				// Override default scope validation
				((OAuth2ClientCredentialsAuthenticationProvider) authenticationProvider)
					.setAuthenticationValidator(authenticationValidator);
			}
		});
}

static class CustomScopeValidator implements Consumer<OAuth2ClientCredentialsAuthenticationContext> {

	@Override
	public void accept(OAuth2ClientCredentialsAuthenticationContext authenticationContext) {
		OAuth2ClientCredentialsAuthenticationToken clientCredentialsAuthentication =
			authenticationContext.getAuthentication();

		Set<String> requestedScopes = clientCredentialsAuthentication.getScopes();
		RegisteredClient registeredClient = authenticationContext.getRegisteredClient();
		Set<String> allowedScopes = registeredClient.getScopes();

        // TODO Implement scope validation

	}
}

OAuth2 令牌自省端点

OAuth2TokenIntrospectionEndpointConfigurer提供自定义 OAuth2 令牌自检端点的功能。它定义了扩展点，允许您自定义 OAuth2 自省请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenIntrospectionEndpoint(tokenIntrospectionEndpoint ->
			tokenIntrospectionEndpoint
				.introspectionRequestConverter(introspectionRequestConverter)   (1)
				.introspectionRequestConverters(introspectionRequestConvertersConsumer) (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer)   (4)
				.introspectionResponseHandler(introspectionResponseHandler) (5)
				.errorResponseHandler(errorResponseHandler) (6)
		);

	return http.build();
}

1	`introspectionRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 内省请求时使用`HttpServletRequest`添加到`OAuth2TokenIntrospectionAuthenticationToken`.
2	`introspectionRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2TokenIntrospectionAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`introspectionResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2TokenIntrospectionAuthenticationToken`并返回 OAuth2TokenIntrospection 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenIntrospectionEndpointConfigurer配置OAuth2TokenIntrospectionEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenIntrospectionEndpointFilter是Filter处理 OAuth2 自省请求。spring-doc.cadn.net.cn

OAuth2TokenIntrospectionEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2TokenIntrospectionAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenIntrospectionAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenIntrospectionAuthenticationToken并返回OAuth2TokenIntrospection响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 令牌吊销端点

OAuth2TokenRevocationEndpointConfigurer提供自定义 OAuth2 令牌吊销端点的功能。它定义了扩展点，允许您自定义 OAuth2 吊销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.tokenRevocationEndpoint(tokenRevocationEndpoint ->
			tokenRevocationEndpoint
				.revocationRequestConverter(revocationRequestConverter) (1)
				.revocationRequestConverters(revocationRequestConvertersConsumer)   (2)
				.authenticationProvider(authenticationProvider) (3)
				.authenticationProviders(authenticationProvidersConsumer)   (4)
				.revocationResponseHandler(revocationResponseHandler)   (5)
				.errorResponseHandler(errorResponseHandler) (6)
		);

	return http.build();
}

1	`revocationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 OAuth2 吊销请求时使用`HttpServletRequest`添加到`OAuth2TokenRevocationAuthenticationToken`.
2	`revocationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OAuth2TokenRevocationAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`revocationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OAuth2TokenRevocationAuthenticationToken`并返回 OAuth2 吊销响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 OAuth2Error 响应。

OAuth2TokenRevocationEndpointConfigurer配置OAuth2TokenRevocationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2TokenRevocationEndpointFilter是Filter处理 OAuth2 吊销请求。spring-doc.cadn.net.cn

OAuth2TokenRevocationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OAuth2TokenRevocationAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OAuth2TokenRevocationAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OAuth2TokenRevocationAuthenticationToken并返回 OAuth2 吊销响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 一个OAuth2ErrorAuthenticationFailureHandler.spring-doc.cadn.net.cn

OAuth2 授权服务器元数据端点

OAuth2AuthorizationServerMetadataEndpointConfigurer提供自定义 OAuth2 授权服务器元数据端点的功能。它定义了一个扩展点，允许您自定义 OAuth2 Authorization Server 元数据响应。spring-doc.cadn.net.cn

OAuth2AuthorizationServerMetadataEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.authorizationServerMetadataEndpoint(authorizationServerMetadataEndpoint ->
			authorizationServerMetadataEndpoint
				.authorizationServerMetadataCustomizer(authorizationServerMetadataCustomizer));   (1)

	return http.build();
}

1	`authorizationServerMetadataCustomizer()`：这`Consumer`提供对`OAuth2AuthorizationServerMetadata.Builder`允许自定义 Authorization Server 配置的声明。

OAuth2AuthorizationServerMetadataEndpointConfigurer配置OAuth2AuthorizationServerMetadataEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OAuth2AuthorizationServerMetadataEndpointFilter是Filter返回 OAuth2AuthorizationServerMetadata 响应。spring-doc.cadn.net.cn

JWK 设置端点

OAuth2AuthorizationServerConfigurer提供对 JWK Set 端点的支持。spring-doc.cadn.net.cn

OAuth2AuthorizationServerConfigurer配置NimbusJwkSetEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.NimbusJwkSetEndpointFilter是Filter，这将返回 JWK 集。spring-doc.cadn.net.cn

仅当 JWK Set 的JWKSource<SecurityContext> @Bean已注册。

OpenID Connect 1.0 提供者配置终端节点

OidcProviderConfigurationEndpointConfigurer提供自定义 OpenID Connect 1.0 提供程序配置终端节点的功能。它定义了一个扩展点，允许您自定义 OpenID Provider Configuration 响应。spring-doc.cadn.net.cn

OidcProviderConfigurationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.providerConfigurationEndpoint(providerConfigurationEndpoint ->
					providerConfigurationEndpoint
						.providerConfigurationCustomizer(providerConfigurationCustomizer)   (1)
				)
		);

	return http.build();
}

1	`providerConfigurationCustomizer()`：这`Consumer`提供对`OidcProviderConfiguration.Builder`允许自定义 OpenID Provider 配置的声明。

OidcProviderConfigurationEndpointConfigurer配置OidcProviderConfigurationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcProviderConfigurationEndpointFilter是Filter，这将返回 OidcProviderConfiguration 响应。spring-doc.cadn.net.cn

OpenID Connect 1.0 注销端点

OidcLogoutEndpointConfigurer提供自定义 OpenID Connect 1.0 注销终端节点的功能。它定义了扩展点，允许您自定义 RP 发起的注销请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcLogoutEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.logoutEndpoint(logoutEndpoint ->
					logoutEndpoint
						.logoutRequestConverter(logoutRequestConverter) (1)
						.logoutRequestConverters(logoutRequestConvertersConsumer)   (2)
						.authenticationProvider(authenticationProvider) (3)
						.authenticationProviders(authenticationProvidersConsumer)   (4)
						.logoutResponseHandler(logoutResponseHandler)   (5)
						.errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`logoutRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取注销请求时使用`HttpServletRequest`添加到`OidcLogoutAuthenticationToken`.
2	`logoutRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcLogoutAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`logoutResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcLogoutAuthenticationToken`并执行注销。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回错误响应。

OidcLogoutEndpointConfigurer配置OidcLogoutEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcLogoutEndpointFilter是Filter处理 RP 发起的注销请求并执行最终用户的注销。spring-doc.cadn.net.cn

OidcLogoutEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OidcLogoutAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcLogoutAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcLogoutAuthenticationToken并执行注销。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OidcLogoutAuthenticationProvider使用SessionRegistry要查找SessionInformation实例。

OidcClientInitiatedLogoutSuccessHandler是 Spring Security 的 OAuth2 客户端支持中用于配置 OpenID Connect 1.0 RP 发起的注销的相应配置。

OpenID Connect 1.0 UserInfo 端点

OidcUserInfoEndpointConfigurer提供自定义 OpenID Connect 1.0 UserInfo 终端节点的功能。它定义了扩展点，允许您自定义 UserInfo 请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcUserInfoEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.userInfoEndpoint(userInfoEndpoint ->
					userInfoEndpoint
						.userInfoRequestConverter(userInfoRequestConverter) (1)
						.userInfoRequestConverters(userInfoRequestConvertersConsumer) (2)
						.authenticationProvider(authenticationProvider) (3)
						.authenticationProviders(authenticationProvidersConsumer) (4)
						.userInfoResponseHandler(userInfoResponseHandler) (5)
						.errorResponseHandler(errorResponseHandler) (6)
						.userInfoMapper(userInfoMapper) (7)
				)
		);

	return http.build();
}

1	`userInfoRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取 UserInfo 请求时使用`HttpServletRequest`添加到`OidcUserInfoAuthenticationToken`.
2	`userInfoRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcUserInfoAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`userInfoResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcUserInfoAuthenticationToken`并返回 UserInfo 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 UserInfo Error 响应。
7	`userInfoMapper()`：这`Function`用于从`OidcUserInfoAuthenticationContext`添加到`OidcUserInfo`.

OidcUserInfoEndpointConfigurer配置OidcUserInfoEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcUserInfoEndpointFilter是Filter处理 UserInfo 请求并返回 OidcUserInfo 响应。spring-doc.cadn.net.cn

OidcUserInfoEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个内部实现，用于获取Authentication从SecurityContext并创建一个OidcUserInfoAuthenticationToken与校长。spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcUserInfoAuthenticationProvider，它与userInfoMapper它根据授权期间请求的范围从 ID 令牌中提取标准声明。spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcUserInfoAuthenticationToken并返回OidcUserInfo响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

您可以通过提供OAuth2TokenCustomizer<JwtEncodingContext> @Bean.

OpenID Connect 1.0 UserInfo 终端节点是受 OAuth2 保护的资源，它要求在 UserInfo 请求中将访问令牌作为持有者令牌发送。以下示例显示如何启用 OAuth2 资源服务器配置：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

一个JwtDecoder @Bean对于 OpenID Connect 1.0 UserInfo 终端节点是必需的。

指南作方法：自定义 OpenID Connect 1.0 UserInfo 响应包含自定义 UserInfo 端点的示例。

OpenID Connect 1.0 客户端注册终端节点

OidcClientRegistrationEndpointConfigurer提供自定义 OpenID Connect 1.0 客户端注册终端节点的功能。它定义了扩展点，允许您自定义客户端注册请求或客户端读取请求的预处理、主处理和后处理逻辑。spring-doc.cadn.net.cn

OidcClientRegistrationEndpointConfigurer提供以下配置选项：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	authorizationServerConfigurer
		.oidc(oidc ->
			oidc
				.clientRegistrationEndpoint(clientRegistrationEndpoint ->
					clientRegistrationEndpoint
						.clientRegistrationRequestConverter(clientRegistrationRequestConverter) (1)
						.clientRegistrationRequestConverters(clientRegistrationRequestConvertersConsumers) (2)
						.authenticationProvider(authenticationProvider) (3)
						.authenticationProviders(authenticationProvidersConsumer) (4)
						.clientRegistrationResponseHandler(clientRegistrationResponseHandler) (5)
						.errorResponseHandler(errorResponseHandler) (6)
				)
		);

	return http.build();
}

1	`clientRegistrationRequestConverter()`：添加`AuthenticationConverter` (预处理器）尝试从中提取客户端注册请求或客户端读取请求时使用`HttpServletRequest`添加到`OidcClientRegistrationAuthenticationToken`.
2	`clientRegistrationRequestConverters()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationConverter`允许添加、删除或自定义特定`AuthenticationConverter`.
3	`authenticationProvider()`：添加`AuthenticationProvider` (主处理器）用于验证`OidcClientRegistrationAuthenticationToken`.
4	`authenticationProviders()`：设置`Consumer`提供对`List`of default 和（可选） added`AuthenticationProvider`允许添加、删除或自定义特定`AuthenticationProvider`.
5	`clientRegistrationResponseHandler()`：这`AuthenticationSuccessHandler` (后处理器）用于处理 “authenticated”`OidcClientRegistrationAuthenticationToken`并返回 Client Registration 响应或 Client Read 响应。
6	`errorResponseHandler()`：这`AuthenticationFailureHandler` (后处理器）用于处理`OAuth2AuthenticationException`并返回 Client Registration Error 响应或 Client Read Error 响应。

默认情况下，OpenID Connect 1.0 客户端注册终端节点处于禁用状态，因为许多部署不需要动态客户端注册。

OidcClientRegistrationEndpointConfigurer配置OidcClientRegistrationEndpointFilter并将其注册到 OAuth2 授权服务器SecurityFilterChain @Bean.OidcClientRegistrationEndpointFilter是Filter处理客户端注册请求并返回 OidcClientRegistration 响应。spring-doc.cadn.net.cn

OidcClientRegistrationEndpointFilter还会处理 Client Read 请求并返回 OidcClientRegistration 响应。

OidcClientRegistrationEndpointFilter配置了以下默认值：spring-doc.cadn.net.cn

AuthenticationConverter— 一个OidcClientRegistrationAuthenticationConverter.spring-doc.cadn.net.cn
AuthenticationManager— 一个AuthenticationManager组成OidcClientRegistrationAuthenticationProvider和OidcClientConfigurationAuthenticationProvider.spring-doc.cadn.net.cn
AuthenticationSuccessHandler— 处理 “authenticated” 的内部实现OidcClientRegistrationAuthenticationToken并返回OidcClientRegistration响应。spring-doc.cadn.net.cn
AuthenticationFailureHandler— 使用OAuth2Error与OAuth2AuthenticationException并返回OAuth2Error响应。spring-doc.cadn.net.cn

OpenID Connect 1.0 客户端注册终端节点是受 OAuth2 保护的资源，它要求在客户端注册（或客户端读取）请求中将访问令牌作为持有者令牌发送。spring-doc.cadn.net.cn

客户端注册请求中的访问令牌需要 OAuth2 范围client.create.

客户端读取请求中的访问令牌需要 OAuth2 范围client.read.

以下示例显示如何启用 OAuth2 资源服务器配置：spring-doc.cadn.net.cn

@Bean
public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
	OAuth2AuthorizationServerConfigurer authorizationServerConfigurer =
		new OAuth2AuthorizationServerConfigurer();
	http.apply(authorizationServerConfigurer);

	...

	http.oauth2ResourceServer(resourceServer -> resourceServer.jwt(Customizer.withDefaults()));

	return http.build();
}

@Bean
public JwtDecoder jwtDecoder(JWKSource<SecurityContext> jwkSource) {
	return OAuth2AuthorizationServerConfiguration.jwtDecoder(jwkSource);
}

一个JwtDecoder @Bean对于 OpenID Connect 1.0 客户端注册终端节点是必需的。