Denis Stephanov

Reputation: 5241

Spring Boot 2 Authorization Server for public clients (PKCE)

Is it possible to create an authorization server for PKCE authentication in the current version of Spring Security?

I did some research and found this authorization server project, https://github.com/spring-projects-experimental/spring-authorization-server, but there is no usable sample for that project.

I also found out that Spring recommends Keycloak as an authorization server, but it is not a fit for my case. We need to be able to fetch and verify the user against a remote service, and then use the authorization server only for generating and verifying JWT tokens. To my knowledge Keycloak should also hold the users, right? So the best solution would be a custom Spring standalone authorization server. Is it possible in some way? Thank you!

Upvotes: 2

Views: 1234
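The PKCE check (RFC 7636, S256 method) that such a server has to implement, as an added example in Python rather than Spring code, and not taken from any of the projects linked on this page; the `AuthorizationServer` class and its method names are hypothetical, and the verifier/challenge pair is the RFC 7636 Appendix B test vector:

```python
"""PKCE (RFC 7636) round trip: client derives a challenge from a random
verifier; the authorization server stores the challenge with the code and
checks the verifier at token exchange. S256 only, codes are single-use."""
import base64
import hashlib
import hmac
import secrets

# RFC 7636 Appendix B vector (not constructed here; taken from the RFC)
RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 section 3 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (RFC minimum)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:  # hypothetical minimal server-side state
    def __init__(self) -> None:
        self._codes: dict[str, str] = {}  # authorization code -> challenge

    def issue_code(self, challenge: str, method: str) -> str:
        """Authorization endpoint: bind the challenge to a fresh code.
        Public clients get no secret, so 'plain' is refused outright."""
        if method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = challenge
        return code

    def exchange(self, code: str, verifier: str) -> bool:
        """Token endpoint: the code is consumed even on failure, the verifier
        length is bounded per RFC 7636 4.1, and the comparison is constant-time."""
        challenge = self._codes.pop(code, None)
        if challenge is None or not 43 <= len(verifier) <= 128:
            return False
        return hmac.compare_digest(code_challenge_s256(verifier), challenge)
```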

Answers (2)

Arnaud Develay

Reputation: 3970

You may have a look at this project: CloudFoundry User Account and Authentication (UAA) Server. UAA is a (Spring MVC) component of Cloud Foundry, but it can be used as a stand-alone OAuth2 server. It can support an external authentication service. And there is a Pull Request that implements PKCE: https://github.com/cloudfoundry/uaa/pull/939 (not yet merged, but under review).

You can find an example on how to use UAA on baeldung.com.

Upvotes: 3

Danil Kuznetsov

Reputation: 814

As far as I know, the Spring framework has one more implementation of the authorization server. It is a part of the spring-security-oauth project. But this project was moved into maintenance mode.

According to this migration guide, the new authorization server project (that you have already found) will be created to replace the legacy solution.

From my point of view now there are several possible options:

  1. Using the old legacy spring-security-oauth. There are more examples for the old auth server.
  2. Using external services like Keycloak, Auth0, Okta, etc.

Upvotes: 2
