Broadleaf Microservices
  • v1.0.0-latest-prod

Authorization Server Configuration

This applies to AuthenticationServices version 2.0

SpringAuthorizationServerComponentsConfiguration Overview

AuthenticationServices depends on and configures Spring Authorization Server for authorizing requests and issuing OAuth2 access tokens. The autoconfiguration class SecurityAutoConfiguration is the starting point for web security configuration in AuthenticationServices. The inner class SecurityAutoConfiguration.SpringAuthorizationServerSecurityConfiguration imports the configuration SpringAuthorizationServerComponentsConfiguration, which is responsible for configuring the beans and SecurityFilterChain for the authorization endpoints. The authorization endpoints are the endpoints used for the OAuth2 grants, such as /authorize and /token.

SpringAuthorizationServerComponentsConfiguration is responsible for configuring a number of things for authorization:

  • Initializing the SecurityFilterChain for the authorization server endpoints

  • Initializing beans for authorization persistence

  • Initializing Customizer beans

  • Initializing authentication converters for each supported grant type

Authorization Server Security Filter Chain

The authorizationServerSecurityFilterChain bean method configures a SecurityFilterChain for the OAuth2 endpoints. While the bean method does apply some configurations directly, it also applies a number of other customizers and configurers, such as:

  • OAuth2AuthorizationServerConfigurer

  • EarlyAuthorizationServerSecurityChainCustomizer and LateAuthorizationServerSecurityChainCustomizer

  • AuthorizationServerTokenGeneratorConfigurationCustomizer

  • AuthorizationServerAuthenticationFilterConfigurationCustomizer

  • OAuth2AuthorizationServerConfigurerCustomizer

Using these customizers to add custom logic is discussed below in Customizations and Overrides.


This is Spring Authorization Server’s configurer, It is essentially a container for more specific configurers. A variety of classes, from both Spring and Broadleaf, rely on this configurer. We customize and define this bean in SpringAuthorizationServerComponentsConfiguration.

Security Chain Customizers

Broadleaf introduced "Authorization Server Security Chain Customizers" to allow client projects to customize the authorization security chain without having to override the entire authorizationServerSecurityFilterChain bean. These customizers accept the HttpSecurity object being configured. There are 2 types available:

  • EarlyAuthorizationServerSecurityChainCustomizer

  • LateAuthorizationServerSecurityChainCustomizer

As the names suggest, the early customizers run before the framework configures the HttpSecurity, and the late customizers run after the framework has applied all of its configurations. All beans of these types will be executed.


This customizer uses the AdvancedOAuth2RefreshTokenConfigurerUtils to customize the token generator used when issuing access or refresh tokens.


This customizer adds the session authentication filter to the filter chain.


This customizer applies our specialized beans and configurations to the OAuth2AuthorizationServerConfigurer. There are specific configurations for authorizationEndpoint, tokenEndpoint, and clientAuthentication. These configurations affect which beans are injected into the corresponding security filters for the authorization grants.

In general, we provide a customized AuthenticationConverter and AuthenticationProvider for each OAuth2 grant type that we support. These are located in package The OAuth2 flows for which we provide overrides are:

  • Authorization Code Request (authorizationEndpoint)

  • Authorization Code (tokenEndpoint)

  • Client Credentials (tokenEndpoint)

  • Refresh Token (tokenEndpoint)

  • Client Authentication (clientAuthentication)

Customizations and Overrides

The SpringAuthorizationServerComponentsConfiguration, authorizationServerSecurityFilterChain, and associated Customizers have been intentionally crafted to enable easily customizing specific parts of the configuration without having to copy & paste the entire authorizationServerSecurityFilterChain method. There are a few different techniques that you could use to customize authorization.

Bean Overrides

Most of the components used during authorization are beans, and therefore, bean overrides can be used to substitute customized objects as needed. Simply declare a new @Bean method in your project configuration with the same name and type as the framework bean you would like to override. See Extensibility Documentation for more info.


The authorizationServerSecurityFilterChain method utilizes a number of Customizers to apply various configurations. They are listed in these javadocs and these javadocs.

The EarlyAuthorizationServerSecurityChainCustomizer and LateAuthorizationServerSecurityChainCustomizer beans are collected into a List and executed. To add new functionality, simply register a new bean of the appropriate type (early or late) and it will be applied.

The rest of the customizers are singletons. To add new functionality, extend the customizer in your project and register it as a bean, just like normal Bean Overrides.

Authentication Providers

The AuthenticationProviders used during the OAuth2 flows are some of the only components that are not beans. Therefore, a bean override cannot be used to replace a framework AuthenticationProvider. To use a different AuthenticationProvider, extend OAuth2AuthorizationServerConfigurerCustomizer via a Bean Override and override the factory methods (e.g. getAuthCodeAuthProvider(…​), getRefreshTokenAuthProvider(…​), etc.) to return your custom AuthenticationProvider.