Token Exchange support in Spring Security 6.3.0-M3
Description

I'm excited to share that there will be support for the OAuth 2.0 Token Exchange Grant (RFC 8693) in Spring Security 6.3, which is available for preview now in the latest milestone (6.3.0-M3). This support provides the ability to use Token Exchange with OAuth2 Client. Similarly, server-side support is also shipping with Spring Authorization Server 1.3 and is available for preview now in the latest milestone (1.3.0-M3).

The OAuth2 Client features of Spring Security allow us to easily make requests to protected resources on an API secured with OAuth2 bearer tokens. Similarly, the OAuth2 Resource Server features of Spring Security allow us to secure an API with OAuth2. Let's take a look at how we can use the new support to build OAuth2 flows with Token Exchange.

An example

Let's imagine we have a resource server called user-service providing an API to access user information. In order to make requests to user-service, clients must provide an access token. Let's assume tokens must have an audience (aud claim) of user-service. This might look like the following as Spring Boot configuration properties:

    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: https://my-auth-server.com
              audiences: user-service

Now let's imagine we want to introduce a new resource server called message-service and call it from user-service. Let's assume then that tokens for this new service must have an audience of message-service. Clearly we can't re-use the…
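To show the client side of that scenario, here is an added example (not code from the post or from the Spring project) of how user-service could wire an OAuth2AuthorizedClientManager for the Token Exchange grant in Spring Security 6.3.0-M3, so that the inbound user-service token is exchanged for one whose audience is message-service. The registration id "message-service", the provider id "my-auth-server" and the property values in the comment are assumptions.

```java
// Added example. Assumed Spring Boot properties for the client registration:
//   spring.security.oauth2.client.provider.my-auth-server.issuer-uri=https://my-auth-server.com
//   spring.security.oauth2.client.registration.message-service.provider=my-auth-server
//   spring.security.oauth2.client.registration.message-service.client-id=user-service
//   spring.security.oauth2.client.registration.message-service.client-secret=<secret, placeholder>
//   spring.security.oauth2.client.registration.message-service.authorization-grant-type=urn:ietf:params:oauth:grant-type:token-exchange
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.client.DefaultOAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientProviderBuilder;
import org.springframework.security.oauth2.client.TokenExchangeOAuth2AuthorizedClientProvider;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;

@Configuration
public class TokenExchangeClientConfig {

    @Bean
    public OAuth2AuthorizedClientManager authorizedClientManager(
            ClientRegistrationRepository clientRegistrationRepository,
            OAuth2AuthorizedClientRepository authorizedClientRepository) {
        // The provider sends the caller's current token (aud=user-service) as the
        // subject_token and stores the token issued for message-service. By default the
        // subject token is taken from the authenticated principal when it is an
        // OAuth2Token, e.g. the Jwt validated by the resource server support above.
        TokenExchangeOAuth2AuthorizedClientProvider tokenExchangeProvider =
                new TokenExchangeOAuth2AuthorizedClientProvider();
        OAuth2AuthorizedClientProvider authorizedClientProvider =
                OAuth2AuthorizedClientProviderBuilder.builder()
                        .provider(tokenExchangeProvider)
                        .build();
        DefaultOAuth2AuthorizedClientManager manager = new DefaultOAuth2AuthorizedClientManager(
                clientRegistrationRepository, authorizedClientRepository);
        manager.setAuthorizedClientProvider(authorizedClientProvider);
        return manager;
    }

    // Hypothetical helper: obtain the exchanged token for the current request's principal.
    // The returned access token carries aud=message-service, so message-service, configured
    // with its own "audiences: message-service", rejects the original user-service token.
    public static OAuth2AuthorizedClient exchangeForMessageService(
            OAuth2AuthorizedClientManager manager, Authentication authentication) {
        OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest
                .withClientRegistrationId("message-service")
                .principal(authentication)
                .build();
        return manager.authorize(request);
    }
}
```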
