Adding the password grant type to Spring Authorization Server

security   api gateway  

From time to time, I’ve created sample applications that included an API Gateway that authenticates client requests and passes to the backend services a JWT containing the client’s identity and roles. The big picture is as follows:

First, I’ll describe the request flow and then I’ll explain how I enhanced the Spring Authorization Server.

Using a security server

To avoid reinventing the wheel, the applications use an off-the-shelf security service that’s responsible for:

  • Authenticating client credentials
  • Issuing a JWT, which is signed with a private key
  • Providing access to the corresponding public key that a backend service uses to validate the JWT

The flow is as follows:

  1. The API Gateway authenticates the client’s credentials (username/password aka API key/secret)
  2. The API Gateway invokes a backend service with a (REST) requests, which includes a JWT, which contains the client’s identity and roles.
  3. The backend service validates the JWT
  4. The backend service authorizes the client to access the requested resource.

Using Spring Authorization Server

In the past, I’ve used Keycloak as the security service. The API gateway used an OAuth password grant type to authenticate the client’s credentials with Keycloak and obtain a JWT. The backend services obtained the public key from Keycloak via its JWKS endpoint.

But for a recent project, I decided to use Spring Authorization Server. However, I ran into a problem: Spring Authorization Server doesn’t support the password grant type. That’s because the password grant type is removed from the OAuth 2.1 specification. It’s considered insecure because requires the application to handle the human user’s credentials, which defeats the purpose of OAuth.

Adding password grant type to Spring Authorization Server

While password grant is insecure for human users, it still seemed a good fit my API gateway scenario. After all, the API Gateway is part of the application that issued the client’s credentials. Consequently, I decided to add the password grant type to Spring Authorization Server. A quick Google search discovered a code sample on StackOverflow that I was able to adapt to a new version of Spring Authorization Server.

Here’s the code

You can find the code in this Github repository.

security   api gateway  

Copyright © 2024 Chris Richardson • All rights reserved • Supported by Kong.

About is brought to you by Chris Richardson. Experienced software architect, author of POJOs in Action, the creator of the original, and the author of Microservices patterns.

New workshop: Architecting for fast, sustainable flow

Enabling DevOps and Team Topologies thru architecture

DevOps and Team topologies are vital for delivering the fast flow of changes that modern businesses need.

But they are insufficient. You also need an application architecture that supports fast, sustainable flow.

Learn more and register for my June 2024 online workshops....


I help organizations improve agility and competitiveness through better software architecture.

Learn more about my consulting engagements, and training workshops.

LEARN about microservices

Chris offers numerous other resources for learning the microservice architecture.

Get the book: Microservices Patterns

Read Chris Richardson's book:

Example microservices applications

Want to see an example? Check out Chris Richardson's example applications. See code

Virtual bootcamp: Distributed data patterns in a microservice architecture

My virtual bootcamp, distributed data patterns in a microservice architecture, is now open for enrollment!

It covers the key distributed data management patterns including Saga, API Composition, and CQRS.

It consists of video lectures, code labs, and a weekly ask-me-anything video conference repeated in multiple timezones.

The regular price is $395/person but use coupon ILFJODYS to sign up for $95 (valid until April 12, 2024). There are deeper discounts for buying multiple seats.

Learn more

Learn how to create a service template and microservice chassis

Take a look at my Manning LiveProject that teaches you how to develop a service template and microservice chassis.

Signup for the newsletter

BUILD microservices

Ready to start using the microservice architecture?

Consulting services

Engage Chris to create a microservices adoption roadmap and help you define your microservice architecture,

The Eventuate platform

Use the platform to tackle distributed data management challenges in your microservices architecture.

Eventuate is Chris's latest startup. It makes it easy to use the Saga pattern to manage transactions and the CQRS pattern to implement queries.

Join the microservices google group