Spring Authorization Server API

Spring's implementation of an OAuth 2.1 and OpenID Connect 1.0 authorization server. It issues access tokens, refresh tokens, and ID tokens, with support for PKCE, token introspection, and authorization server metadata.

OpenAPI Specification

spring-authorization-server-openapi.yml
# OpenAPI 3.0.3 description of the Spring Authorization Server protocol endpoints.
openapi: 3.0.3
info:
  version: 1.3.0
  title: Spring Authorization Server API
  description: >-
    Spring Authorization Server is a framework providing implementations of OAuth 2.1
    and OpenID Connect 1.0 specifications. It exposes standard protocol endpoints for
    token issuance, token introspection, JWKS publication, device authorization, and
    OpenID Connect session management.
  license:
    url: https://www.apache.org/licenses/LICENSE-2.0
    name: Apache 2.0
  contact:
    url: https://spring.io/projects/spring-authorization-server
    name: Spring Security Team
servers:
  # Local-development default only. Plain http is tolerable on loopback, but a
  # deployed authorization server must be reached over TLS: unless an explicit
  # issuer is configured, the issuer is derived from the request URL, so an http
  # issuer would end up in the iss claim and the discovery metadata.
  - description: Default authorization server port
    url: http://localhost:9000
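paths:
  /oauth2/authorize:
    get:
      operationId: authorizationRequest
      summary: OAuth2 Authorization Request
      description: Initiates the OAuth 2.1 authorization code flow with PKCE
      tags:
        - Authorization
      parameters:
        - name: response_type
          in: query
          required: true
          schema:
            type: string
            enum: [code]
        - name: client_id
          in: query
          required: true
          schema:
            type: string
        # May be omitted only when the client has exactly one registered redirect
        # URI; when present it must match a registered URI exactly, otherwise the
        # request is rejected instead of redirected.
        - name: redirect_uri
          in: query
          schema:
            type: string
            format: uri
        - name: scope
          in: query
          schema:
            type: string
        # Opaque value bound to the client's session and echoed back on the
        # redirect; it is the client's CSRF protection for the callback.
        - name: state
          in: query
          schema:
            type: string
        # OpenID Connect nonce, copied into the ID token so the client can bind
        # the token to this request.
        - name: nonce
          in: query
          schema:
            type: string
        # PKCE (RFC 7636). Spring Authorization Server enforces it for public
        # clients (token_endpoint_auth_method "none") and for clients registered
        # with require-proof-key; confidential clients may omit it unless so
        # configured. Only S256 is accepted; plain is not offered.
        - name: code_challenge
          in: query
          schema:
            type: string
        - name: code_challenge_method
          in: query
          schema:
            type: string
            enum: [S256]
      responses:
        '302':
          description: >-
            Redirect to login or consent, or back to the redirect_uri carrying the
            authorization code (or an error code) together with the original state
        '400':
          description: >-
            Request that cannot be redirected safely, e.g. an unknown client_id or
            an unregistered redirect_uri; the error is rendered by the server rather
            than sent to the supplied redirect_uri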
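  /oauth2/token:
    post:
      operationId: tokenRequest
      summary: OAuth2 Token Request
      description: Issues access tokens for all supported grant types
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
              properties:
                grant_type:
                  type: string
                  enum:
                    - authorization_code
                    - refresh_token
                    - client_credentials
                    - urn:ietf:params:oauth:grant-type:device_code
                    - urn:ietf:params:oauth:grant-type:token-exchange
                # authorization_code grant: redirect_uri must repeat the value
                # used on /oauth2/authorize; code_verifier is required whenever
                # a code_challenge was sent.
                code:
                  type: string
                redirect_uri:
                  type: string
                  format: uri
                code_verifier:
                  type: string
                # refresh_token grant; scope may only narrow the original grant.
                refresh_token:
                  type: string
                scope:
                  type: string
                # device_code grant (RFC 8628): the device_code obtained from
                # /oauth2/device_authorization.
                device_code:
                  type: string
                # token-exchange grant (RFC 8693).
                subject_token:
                  type: string
                subject_token_type:
                  type: string
                actor_token:
                  type: string
                actor_token_type:
                  type: string
                requested_token_type:
                  type: string
                audience:
                  type: string
                resource:
                  type: string
                  format: uri
                # Client authentication carried in the body: client_id alone for
                # public clients, client_id + client_secret for client_secret_post,
                # or a signed assertion for client_secret_jwt / private_key_jwt
                # (RFC 7523). Exactly one client authentication method may be used
                # per request.
                client_id:
                  type: string
                client_secret:
                  type: string
                client_assertion:
                  type: string
                client_assertion_type:
                  type: string
                  enum:
                    - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
      # basicAuth covers client_secret_basic; the empty requirement covers public
      # clients and the body-based credentials described in the form schema.
      security:
        - basicAuth: []
        - {}
      responses:
        '200':
          # Token responses must not be cached by intermediaries (RFC 6749 §5.1);
          # the server's no-store cache headers are relied on for that.
          description: Token response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenResponse'
        '400':
          description: Token error (invalid_request, invalid_grant, invalid_scope, unsupported_grant_type)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'
        '401':
          description: Client authentication failed (invalid_client)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'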
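  /oauth2/introspect:
    post:
      operationId: tokenIntrospection
      summary: Token Introspection
      description: Validates tokens and returns active token metadata per RFC 7662
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                # Lookup hint only (RFC 7662 §2.1); a wrong hint must not produce
                # an error, the server still resolves the token.
                token_type_hint:
                  type: string
                  enum:
                    - access_token
                    - refresh_token
      # Restricted to authenticated clients so that token metadata (scope,
      # subject, expiry) is not disclosed to anyone who merely holds a token
      # string.
      security:
        - basicAuth: []
      responses:
        '200':
          description: >-
            Introspection response. Unknown, expired or revoked tokens yield
            active=false with no other claims, so callers must check active
            before trusting any other field.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/IntrospectionResponse'
        '401':
          description: Client authentication failed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'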
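  /oauth2/revoke:
    post:
      operationId: tokenRevocation
      summary: Token Revocation
      description: Revokes access or refresh tokens per RFC 7009
      tags:
        - Token
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - token
              properties:
                token:
                  type: string
                token_type_hint:
                  type: string
                  enum:
                    - access_token
                    - refresh_token
      # Only the client a token was issued to may revoke it; a token belonging to
      # a different client is refused with an error rather than revoked
      # (RFC 7009 §2.1).
      security:
        - basicAuth: []
      responses:
        '200':
          description: >-
            Token revoked. Also returned when the token is unknown or already
            revoked (RFC 7009 §2.2), so the endpoint does not reveal whether a
            given token ever existed.
        '400':
          description: Invalid request, e.g. unsupported_token_type
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'
        '401':
          description: Client authentication failed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'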
  /oauth2/jwks:
    get:
      tags:
        - Keys
      operationId: getJwks
      summary: JSON Web Key Set
      description: >-
        Returns public signing keys for JWT verification
      # Public key material only; private keys are never published here. Resource
      # servers should pick the key by the JWT header's kid and re-fetch the set on
      # an unknown kid so that key rotation does not break verification.
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/JwksResponse'
          description: JWKS document
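  /oauth2/device_authorization:
    post:
      operationId: deviceAuthorization
      summary: Device Authorization Request
      description: Initiates the OAuth 2.0 Device Authorization Grant per RFC 8628
      tags:
        - Device
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              properties:
                # Required when the client is not identified through the
                # Authorization header (RFC 8628 §3.1).
                client_id:
                  type: string
                scope:
                  type: string
      security:
        - basicAuth: []
      responses:
        '200':
          description: >-
            Device authorization response. The device_code is the secret credential
            for the pending grant and is meant for the device only; user_code and
            the verification URIs are what the end-user is shown.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DeviceAuthorizationResponse'
        '400':
          description: Invalid request, e.g. invalid_scope
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'
        '401':
          description: Client authentication failed
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'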
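  /connect/register:
    post:
      operationId: registerClient
      summary: Dynamic Client Registration
      description: Registers a new OAuth2 client dynamically per RFC 7591
      tags:
        - Client Management
      # Registration is not open: Spring Authorization Server requires a bearer
      # access token carrying the client.create scope, and the response's
      # registration_access_token is itself a scoped token for reading the
      # registration back. Documenting the endpoint without a security requirement
      # would suggest anyone can mint clients.
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ClientRegistrationRequest'
      responses:
        '201':
          description: Client registered
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ClientRegistrationResponse'
        '400':
          description: Invalid registration request (invalid_client_metadata, invalid_redirect_uri)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthError'
        '401':
          description: Missing or invalid access token
        '403':
          description: Access token does not carry the required scope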
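  /userinfo:
    get:
      operationId: getUserInfo
      summary: OpenID Connect UserInfo
      description: Returns claims about the authenticated end-user
      tags:
        - OpenID Connect
      # The bearer token must be an access token issued with the openid scope;
      # the claims returned are limited by the scopes granted to that token.
      security:
        - bearerAuth: []
      responses:
        '200':
          description: UserInfo claims
          content:
            application/json:
              schema:
                type: object
                # sub is the only claim OIDC Core §5.3.2 guarantees; clients must
                # verify it equals the ID token's sub before using the other claims.
                required:
                  - sub
                properties:
                  sub:
                    type: string
                additionalProperties: true
        '401':
          description: Missing, expired or invalid access token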
  /.well-known/openid-configuration:
    get:
      tags:
        - Discovery
      operationId: getOidcDiscovery
      summary: OpenID Connect Discovery
      description: >-
        Returns authorization server OIDC metadata
      # Unauthenticated by design. Relying parties should pin the issuer they
      # expect and compare it with the issuer value in this document rather than
      # trusting whatever endpoint URLs the document advertises.
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
          description: OIDC configuration
  /.well-known/oauth-authorization-server:
    get:
      tags:
        - Discovery
      operationId: getOAuthMetadata
      summary: OAuth2 Server Metadata
      description: >-
        Returns RFC 8414 authorization server metadata
      # Unauthenticated by design; same caveat as the OIDC discovery document —
      # validate the issuer field against the expected issuer before using the
      # advertised endpoints.
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
          description: Server metadata
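  /connect/logout:
    get:
      operationId: oidcLogout
      summary: OpenID Connect Session Logout
      description: Initiates OIDC RP-initiated logout
      tags:
        - OpenID Connect
      parameters:
        # ID token previously issued to the calling client; it identifies both the
        # end-user session and the client. Spring Authorization Server rejects
        # requests without it even though OIDC RP-Initiated Logout 1.0 lists it as
        # RECOMMENDED — confirm against the deployed version before omitting it.
        - name: id_token_hint
          in: query
          schema:
            type: string
        # Must exactly match one of the client's registered post-logout redirect
        # URIs; an unregistered value is rejected rather than redirected to.
        - name: post_logout_redirect_uri
          in: query
          schema:
            type: string
            format: uri
        - name: state
          in: query
          schema:
            type: string
        # Optional; when present it must match the audience of id_token_hint.
        - name: client_id
          in: query
          schema:
            type: string
      responses:
        '302':
          description: >-
            Redirect after logout, to post_logout_redirect_uri (with state when
            supplied) or to the server's default post-logout location
        '400':
          description: >-
            Invalid request, e.g. an id_token_hint that cannot be validated or an
            unregistered post_logout_redirect_uri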
components:
  securitySchemes:
    # Client authentication for the token, introspection, revocation and device
    # authorization endpoints (client_secret_basic): client_id and client_secret
    # are form-urlencoded before being placed in the Authorization header
    # (RFC 6749 §2.3.1).
    basicAuth:
      scheme: basic
      type: http
    # Access-token authentication for resource-style endpoints (userinfo and
    # client registration). bearerFormat is informational only; consumers must
    # not assume they can parse the token.
    bearerAuth:
      scheme: bearer
      bearerFormat: JWT
      type: http
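  schemas:
    # Successful token response (RFC 6749 §5.1). refresh_token and id_token are
    # credentials in their own right and need the same handling (no logging, no
    # caching, secure storage) as access_token.
    TokenResponse:
      type: object
      required:
        - access_token
        - token_type
      properties:
        access_token:
          type: string
        token_type:
          type: string
        expires_in:
          type: integer
          description: Lifetime of the access token in seconds
        refresh_token:
          type: string
        scope:
          type: string
          description: Space-delimited scopes actually granted; may be narrower than requested
        id_token:
          type: string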
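    # Error body shared by the OAuth2 endpoints (RFC 6749 §5.2); error is the
    # only mandatory member, and error_description is not safe to echo verbatim
    # into HTML without escaping.
    OAuthError:
      type: object
      required:
        - error
      properties:
        error:
          type: string
        error_description:
          type: string
        error_uri:
          type: string
          format: uri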
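    # RFC 7662 §2.2 response. active is the only required member; when it is
    # false the server returns no other claims, so every other property is
    # optional and callers must gate on active first.
    IntrospectionResponse:
      type: object
      required:
        - active
      properties:
        active:
          type: boolean
        scope:
          type: string
        client_id:
          type: string
        username:
          type: string
        token_type:
          type: string
        exp:
          type: integer
          description: Expiry as seconds since the Unix epoch
        iat:
          type: integer
        nbf:
          type: integer
        sub:
          type: string
        # aud is a single string or an array of strings, as in the JWT claim.
        aud:
          oneOf:
            - type: string
            - type: array
              items:
                type: string
        iss:
          type: string
        jti:
          type: string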
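    # JWK Set (RFC 7517 §5). Each entry is a public JWK; kty is the only
    # mandatory member, kid is what verifiers use to select a key.
    JwksResponse:
      type: object
      required:
        - keys
      properties:
        keys:
          type: array
          items:
            type: object
            required:
              - kty
            properties:
              kty:
                type: string
              kid:
                type: string
              use:
                type: string
              alg:
                type: string
            additionalProperties: true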
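    # RFC 8628 §3.2 response. device_code is a secret held by the device;
    # user_code and the verification URIs are what gets displayed to the user.
    DeviceAuthorizationResponse:
      type: object
      required:
        - device_code
        - user_code
        - verification_uri
        - expires_in
      properties:
        device_code:
          type: string
        user_code:
          type: string
        verification_uri:
          type: string
          format: uri
        verification_uri_complete:
          type: string
          format: uri
        expires_in:
          type: integer
          description: Lifetime of device_code and user_code in seconds
        interval:
          type: integer
          description: Minimum seconds the device must wait between token polls (5 if absent)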
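    # RFC 7591 §2 client metadata accepted on /connect/register. redirect_uris are
    # matched exactly at authorization time, so wildcards and fragments are not
    # usable here.
    ClientRegistrationRequest:
      type: object
      properties:
        client_name:
          type: string
        redirect_uris:
          type: array
          items:
            type: string
            format: uri
        grant_types:
          type: array
          items:
            type: string
        response_types:
          type: array
          items:
            type: string
        scope:
          type: string
        # client_secret_basic, client_secret_post, client_secret_jwt,
        # private_key_jwt or none; "none" registers a public client, which
        # then has to use PKCE on the authorization code flow.
        token_endpoint_auth_method:
          type: string
        # Location of the client's public keys; needed for private_key_jwt.
        jwks_uri:
          type: string
          format: uri
        logo_uri:
          type: string
          format: uri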
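    # RFC 7591 §3.2.1 response. client_secret is only ever returned here, and
    # registration_access_token is a bearer credential for the registration
    # itself; both must be stored by the client and not logged.
    ClientRegistrationResponse:
      type: object
      required:
        - client_id
      properties:
        client_id:
          type: string
        client_id_issued_at:
          type: integer
          description: Seconds since the Unix epoch
        client_secret:
          type: string
        client_secret_expires_at:
          type: integer
          description: Seconds since the Unix epoch, 0 if the secret does not expire
        client_name:
          type: string
        redirect_uris:
          type: array
          items:
            type: string
            format: uri
        grant_types:
          type: array
          items:
            type: string
        registration_access_token:
          type: string
        registration_client_uri:
          type: string
          format: uri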
# Tag catalogue for the operations above, listed alphabetically. The sequence
# is ordered, and documentation renderers that honour declaration order will
# group operations in this order.
tags:
  - name: Authorization
  - name: Client Management
  - name: Device
  - name: Discovery
  - name: Keys
  - name: OpenID Connect
  - name: Token