Spring Authorization Server 0.2.2 has been released. This version is mainly about optimizations and bug fixes; the most important new feature is client authentication support for JWT assertions.

Release Notes

New features

  • JdbcOAuth2AuthorizationService now supports large database fields.
  • OAuth2TokenIntrospectionClaimAccessor is deprecated; the Spring Security 5.6 implementation will be used instead.
  • The JwtEncoder-related classes are deprecated in favor of the Spring Security jose library implementation.
  • The token field in the JdbcOAuth2AuthorizationService now supports clob and text data types.
  • Token revocation logic is now customizable.
  • The userinfo_endpoint is now included in the authorization server metadata.
  • Support for issuer that parses Token from the current request.
  • Client authentication now supports JWT assertion.

Bug fixes

  • A missing state together with rejecting consent in the initial request causes an exception.
  • Throwing invalid_grant when requesting an invalid token with PKCE #581.
  • The default configuration exceeds the MySQL row limit.
  • OAuth2ClientAuthenticationToken should not be saved across requests.

Dependency upgrades

  • Upgrade to Jackson 2.12.6 #609
  • Upgrade to Spring Boot 2.5.9 #608
  • Upgrade to Reactor 2020.0.15 #607
  • Upgrade to Spring Security 5.5.4 #606
  • Upgrade to Spring Framework 5.3.15 #605
  • Upgrade to io.spring.ge.conventions 0.0.9 #578
  • Upgrade to Gradle Enterprise 3.8 to circumvent the log4j vulnerability CVE-2021-45105