Search code examples
spring-bootspring-securityoauth-2.0spring-security-oauth2

Does Spring Security OAuth2 support Authorization Code Flow with PKCE for browser (Angular) clients?

Browser applications auth used to be managed using the Implicit grant of the Authorization Server. I successfully implemented this using Spring Security Oauth.

This approach has several drawbacks:

  1. Refresh tokens are not supported, so when the token expires we need to reauthenticate with the Authorization server.
  2. This grant is not recommended due to its security concerns (see https://oauth.net/2/grant-types/implicit/ and https://datatracker.ietf.org/doc/html/draft-parecki-oauth-browser-based-apps-01).

Currently the recommended option is using Authorization code flow with PKCE for browser applications.

How could this be implemented in a Spring Boot Authorization Server with spring boot oauth?

Solution

  • No, it does not yet support PKCE, though there is a ticket for it.

    Note also that Spring Security's OAuth support is in a bit of a transition phase right now while it is migrated into Spring Security proper. Feel free to follow this feature matrix to see where progress is at.

    UPDATE: Spring Authorization Server now supports this feature.