configured to point at this authorization server for verification.
From here, you can jump to:
• How to Switch Off OAuth2 Boot’s Auto Configuration
• How to Make Authorization Code Grant Flow Work
• How to Make Password Grant Flow Work
• How and When to Give Authorization Server an AuthenticationManager
• Is Authorization Server Compatible with Spring Security 5.1 Resource Server and Client?
• How to Configure for Jwt Tokens
1.4. How to Switch Off OAuth2 Boot’s Auto
Configuration
Basically, the OAuth2 Boot project creates an instance of AuthorizationServerConfigurer with some
reasonable defaults:
• It registers a NoOpPasswordEncoder (overriding the Spring Security default)
• It lets the client you provided use any grant type this server supports: authorization_code,
password, client_credentials, implicit, or refresh_token.
Otherwise, it also tries to pick up a handful of beans, if they are defined — namely:
• AuthenticationManager: For looking up end users (not clients)
• TokenStore: For generating and retrieving tokens
• AccessTokenConverter: For converting access tokens into different formats, such as JWT.
While this documentation covers a bit of what each of these beans does, the Spring
Security OAuth documentation is a better place to read up on its primitives
If you expose a bean of type AuthorizationServerConfigurer, none of this is done automatically.
So, for example, if you need to configure more than one client, change their allowed grant types, or
use something better than the no-op password encoder (highly recommended!), then you want to
expose your own AuthorizationServerConfigurer, as the following example shows:
4
