
Spring-security-oauth2-authorization-server0.4.0 and springboot2.6.14 compatibility issues #1040


Closed
Lvbuqing opened this issue Jan 11, 2023 · 1 comment

Lvbuqing commented Jan 11, 2023

I use Spring Boot 2.6.14 with spring-security-oauth2-authorization-server 0.4.0.

I use this interface to apply for a token: http://oauth2-server.com:9000/oauth2/token?grant_type=client_credentials

Use the pre-set interface of the request: http://oauth2-resource.com:8001/res2

The result is that the request fails and goes to the AccessDeniedHandler: access denied.

But when I use spring-security-oauth2-authorization-server 0.2.3, the request is OK.

I checked, and it is because 0.2.3 uses spring-security-oauth2-resource-server 5.8.0, while Spring Boot 2.6.14 uses spring-security-oauth2-resource-server 5.6.9.

My authorization-server configuration is:

```java
private RegisteredClient createRegisteredClient(final String clientId) {
    TokenSettings tokenSettings = TokenSettings.builder()
            .accessTokenTimeToLive(Duration.ofDays(365))
            //.reuseRefreshTokens(false)
            .build();
    ClientSettings clientSettings = ClientSettings.builder()
            .requireAuthorizationConsent(false)
            .build();
    return RegisteredClient
            .withId(UUID.randomUUID().toString())
            .clientId("micro_service")
            .clientSecret(PasswordEncoderFactories.createDelegatingPasswordEncoder().encode("123456"))
            .clientName("micro_service")
            .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
            .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
            .redirectUri("http://127.0.0.1:8001")
            .redirectUri("http://127.0.0.1:8002")
            .scope("all")
            .tokenSettings(tokenSettings)
            .clientSettings(clientSettings)
            .build();
}
```

My resource-server configuration is:

```java
@Bean
SecurityFilterChain jwtSecurityFilterChain(HttpSecurity http) throws Exception {
    SimpleAccessDeniedHandler accessDeniedHandler = new SimpleAccessDeniedHandler();
    SimpleAuthenticationEntryPoint authenticationEntryPoint = new SimpleAuthenticationEntryPoint();

    return http
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
            .antMatchers("/res1").hasAnyAuthority("SCOPE_read", "SCOPE_all")
            .antMatchers("/res2").hasAnyAuthority("SCOPE_write", "SCOPE_all")
            .anyRequest().authenticated()
        .and()
            .exceptionHandling(exceptionConfigurer -> exceptionConfigurer
                    .accessDeniedHandler(accessDeniedHandler)
                    .authenticationEntryPoint(authenticationEntryPoint)
            )
            .oauth2ResourceServer(resourceServer -> resourceServer
                    .accessDeniedHandler(accessDeniedHandler)
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .jwt()
            )
            .build();
}
```


Why does the GA version of Spring Boot 2.6.14 not provide a corresponding authorization-server GA version?

I hope that each GA version of Spring Boot has a corresponding GA version of authorization-server.
Now authorization-server is an independent application, separated from Spring Cloud.
I believe that now everyone basically uses Spring Boot for web development, and the development version of authorization-server should correspond to Spring Boot.

I can't adapt the 0.4.0 GA version of authorization-server to the GA version of Spring Boot 2.6.14.

I also want to ask: which Spring Boot version does the 0.4.0 version of authorization-server correspond to?
Which Spring Boot version does the 1.0.0 version of authorization-server correspond to?

@Lvbuqing Lvbuqing added the type: bug A general bug label Jan 11, 2023
@jgrandja
Collaborator

@Lvbuqing The 0.4.0 release is compatible with Spring Boot 2.7.5, as indicated by the default-authorizationserver sample. Please use Spring Boot 2.7.5+.

NOTE: The 1.0.0 release is compatible with Spring Boot 3.0.0+.

> Why does the GA version of springboot2.6.14 not provide the corresponding authorization-server GA version.

There currently is no Spring Authorization Server integration with Spring Boot. However, this is in the works via gh-673. We're targeting Spring Boot 3.1 to include auto-config and custom properties for Spring Authorization Server.

@jgrandja jgrandja self-assigned this Jan 16, 2023
@jgrandja jgrandja added status: invalid An issue that we don't feel is valid and removed type: bug A general bug labels Jan 16, 2023
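
An added diagnostic example, not code from the issue or from the Spring project: it derives the authorities a resource server would assign from a token's `scope`/`scp` claim with the `SCOPE_` prefix (the defaults of Spring Security's `JwtGrantedAuthoritiesConverter`) and compares them with the `/res2` rule in the configuration above. The class name, helper names and both sample tokens are constructed for illustration; the signature is not verified, so this is for inspection only.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

public class ScopeAuthorityCheck {

    // Claim names and prefix used by Spring Security's default JwtGrantedAuthoritiesConverter.
    private static final List<String> CLAIMS = List.of("scope", "scp");
    private static final String PREFIX = "SCOPE_";

    /** Authorities derived from the token's scope claim (space-delimited string or JSON array). */
    static Set<String> authorities(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) throw new IllegalArgumentException("not a compact JWT");
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Set<String> result = new LinkedHashSet<>();
        for (String claim : CLAIMS) {
            // Matches "scope":"a b" or "scope":["a","b"]; enough for inspection, not a full JSON parser.
            Matcher m = Pattern.compile("\"" + claim + "\"\\s*:\\s*(\"([^\"]*)\"|\\[([^\\]]*)\\])")
                    .matcher(payload);
            if (!m.find()) continue;
            String raw = m.group(2) != null ? m.group(2)
                    : m.group(3).replace("\"", "").replace(",", " ");
            for (String s : raw.trim().split("\\s+")) {
                if (!s.isEmpty()) result.add(PREFIX + s);
            }
            break; // the first claim that is present wins
        }
        return result;
    }

    /** Same semantics as hasAnyAuthority(...): one matching authority is sufficient. */
    static boolean permitted(Set<String> granted, String... required) {
        return Arrays.stream(required).anyMatch(granted::contains);
    }

    // Builds an unsigned sample token (constructed data, not a real access token).
    static String sampleJwt(String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8)) + "."
                + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8)) + ".";
    }

    public static void main(String[] args) {
        String withScope = sampleJwt("{\"sub\":\"micro_service\",\"scope\":[\"all\"]}");
        String noScope = sampleJwt("{\"sub\":\"micro_service\"}");
        for (String jwt : List.of(withScope, noScope)) {
            Set<String> granted = authorities(jwt);
            // Rule under test: .antMatchers("/res2").hasAnyAuthority("SCOPE_write", "SCOPE_all")
            boolean ok = permitted(granted, "SCOPE_write", "SCOPE_all");
            System.out.println(granted + " -> /res2 " + (ok ? "allowed" : "access denied"));
        }
    }
}
```

Passing the access token returned by `/oauth2/token` to `authorities(...)` shows whether the scope claim the `/res2` rule depends on is present in the token.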