spring-projects · jetflo · Jul 31, 2025
diff --git a/...oot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java b/...oot/autoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerProperties.java
@@ -32,6 +32,7 @@
  * OAuth 2.0 Authorization Server properties.
  *
  * @author Steve Riesenberg
+ * @author Florian Lemaire
  * @since 3.1.0
  */
 @ConfigurationProperties("spring.security.oauth2.authorizationserver")
@@ -144,6 +145,11 @@ public static class Endpoint {
 		 */
 		private String tokenIntrospectionUri = "/oauth2/introspect";
 
+		/**
+		 * Authorization Server's OAuth 2.0 Pushed Authorization Request Endpoint.
+		 */
+		private String pushedAuthorizationRequestUri = "/oauth2/par";
+
 		/**
 		 * OpenID Connect 1.0 endpoints.
 		 */
@@ -206,6 +212,14 @@ public void setTokenIntrospectionUri(String tokenIntrospectionUri) {
 			this.tokenIntrospectionUri = tokenIntrospectionUri;
 		}
 
+		public String getPushedAuthorizationRequestUri() {
+			return this.pushedAuthorizationRequestUri;
+		}
+
+		public void setPushedAuthorizationRequestUri(String pushedAuthorizationRequestUri) {
+			this.pushedAuthorizationRequestUri = pushedAuthorizationRequestUri;
+		}
+
 		public OidcEndpoint getOidc() {
 			return this.oidc;
 		}

diff --git a/...toconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java b/...toconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapper.java
@@ -38,6 +38,7 @@
  * Maps {@link OAuth2AuthorizationServerProperties} to Authorization Server types.
  *
  * @author Steve Riesenberg
+ * @author Florian Lemaire
  */
 final class OAuth2AuthorizationServerPropertiesMapper {
 
@@ -61,6 +62,7 @@ AuthorizationServerSettings asAuthorizationServerSettings() {
 		map.from(endpoint::getJwkSetUri).to(builder::jwkSetEndpoint);
 		map.from(endpoint::getTokenRevocationUri).to(builder::tokenRevocationEndpoint);
 		map.from(endpoint::getTokenIntrospectionUri).to(builder::tokenIntrospectionEndpoint);
+		map.from(endpoint::getPushedAuthorizationRequestUri).to(builder::pushedAuthorizationRequestEndpoint);
 		map.from(oidc::getLogoutUri).to(builder::oidcLogoutEndpoint);
 		map.from(oidc::getClientRegistrationUri).to(builder::oidcClientRegistrationEndpoint);
 		map.from(oidc::getUserInfoUri).to(builder::oidcUserInfoEndpoint);

diff --git a/...igure/security/oauth2/server/servlet/OAuth2AuthorizationServerAutoConfigurationTests.java b/...igure/security/oauth2/server/servlet/OAuth2AuthorizationServerAutoConfigurationTests.java
@@ -41,6 +41,7 @@
  *
  * @author Steve Riesenberg
  * @author Madhura Bhave
+ * @author Florian Lemaire
  */
 class OAuth2AuthorizationServerAutoConfigurationTests {
 
@@ -133,6 +134,7 @@ void authorizationServerSettingsBeanShouldBeCreatedWhenPropertiesPresent() {
 					PROPERTIES_PREFIX + ".endpoint.token-uri=/token", PROPERTIES_PREFIX + ".endpoint.jwk-set-uri=/jwks",
 					PROPERTIES_PREFIX + ".endpoint.token-revocation-uri=/revoke",
 					PROPERTIES_PREFIX + ".endpoint.token-introspection-uri=/introspect",
+					PROPERTIES_PREFIX + ".endpoint.pushed-authorization-request-uri=/par",
 					PROPERTIES_PREFIX + ".endpoint.oidc.logout-uri=/logout",
 					PROPERTIES_PREFIX + ".endpoint.oidc.client-registration-uri=/register",
 					PROPERTIES_PREFIX + ".endpoint.oidc.user-info-uri=/user")
@@ -146,6 +148,7 @@ void authorizationServerSettingsBeanShouldBeCreatedWhenPropertiesPresent() {
 				assertThat(settings.getJwkSetEndpoint()).isEqualTo("/jwks");
 				assertThat(settings.getTokenRevocationEndpoint()).isEqualTo("/revoke");
 				assertThat(settings.getTokenIntrospectionEndpoint()).isEqualTo("/introspect");
+				assertThat(settings.getPushedAuthorizationRequestEndpoint()).isEqualTo("/par");
 				assertThat(settings.getOidcLogoutEndpoint()).isEqualTo("/logout");
 				assertThat(settings.getOidcClientRegistrationEndpoint()).isEqualTo("/register");
 				assertThat(settings.getOidcUserInfoEndpoint()).isEqualTo("/user");

diff --git a/...figure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java b/...figure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesMapperTests.java
@@ -34,6 +34,7 @@
  * Tests for {@link OAuth2AuthorizationServerPropertiesMapper}.
  *
  * @author Steve Riesenberg
+ * @author Florian Lemaire
  */
 class OAuth2AuthorizationServerPropertiesMapperTests {
 
@@ -107,6 +108,7 @@ void getAuthorizationServerSettingsWhenValidParametersShouldAdapt() {
 		endpoints.setJwkSetUri("/jwks");
 		endpoints.setTokenRevocationUri("/revoke");
 		endpoints.setTokenIntrospectionUri("/introspect");
+		endpoints.setPushedAuthorizationRequestUri("/par");
 		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoints.getOidc();
 		oidc.setLogoutUri("/logout");
 		oidc.setClientRegistrationUri("/register");
@@ -121,6 +123,7 @@ void getAuthorizationServerSettingsWhenValidParametersShouldAdapt() {
 		assertThat(settings.getJwkSetEndpoint()).isEqualTo("/jwks");
 		assertThat(settings.getTokenRevocationEndpoint()).isEqualTo("/revoke");
 		assertThat(settings.getTokenIntrospectionEndpoint()).isEqualTo("/introspect");
+		assertThat(settings.getPushedAuthorizationRequestEndpoint()).isEqualTo("/par");
 		assertThat(settings.getOidcLogoutEndpoint()).isEqualTo("/logout");
 		assertThat(settings.getOidcClientRegistrationEndpoint()).isEqualTo("/register");
 		assertThat(settings.getOidcUserInfoEndpoint()).isEqualTo("/user");
@@ -137,6 +140,7 @@ void getAuthorizationServerSettingsWhenMultipleIssuersAllowedShouldAdapt() {
 		endpoints.setJwkSetUri("/jwks");
 		endpoints.setTokenRevocationUri("/revoke");
 		endpoints.setTokenIntrospectionUri("/introspect");
+		endpoints.setPushedAuthorizationRequestUri("/par");
 		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = endpoints.getOidc();
 		oidc.setLogoutUri("/logout");
 		oidc.setClientRegistrationUri("/register");
@@ -151,6 +155,7 @@ void getAuthorizationServerSettingsWhenMultipleIssuersAllowedShouldAdapt() {
 		assertThat(settings.getJwkSetEndpoint()).isEqualTo("/jwks");
 		assertThat(settings.getTokenRevocationEndpoint()).isEqualTo("/revoke");
 		assertThat(settings.getTokenIntrospectionEndpoint()).isEqualTo("/introspect");
+		assertThat(settings.getPushedAuthorizationRequestEndpoint()).isEqualTo("/par");
 		assertThat(settings.getOidcLogoutEndpoint()).isEqualTo("/logout");
 		assertThat(settings.getOidcClientRegistrationEndpoint()).isEqualTo("/register");
 		assertThat(settings.getOidcUserInfoEndpoint()).isEqualTo("/user");

diff --git a/...utoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesTests.java b/...utoconfigure/security/oauth2/server/servlet/OAuth2AuthorizationServerPropertiesTests.java
@@ -29,6 +29,7 @@
  * Tests for {@link OAuth2AuthorizationServerProperties}.
  *
  * @author Steve Riesenberg
+ * @author Florian Lemaire
  */
 class OAuth2AuthorizationServerPropertiesTests {
 
@@ -85,6 +86,7 @@ void defaultEndpointPropertiesMatchBuilderDefaults() {
 		assertThat(properties.getJwkSetUri()).isEqualTo(defaults.getJwkSetEndpoint());
 		assertThat(properties.getTokenRevocationUri()).isEqualTo(defaults.getTokenRevocationEndpoint());
 		assertThat(properties.getTokenIntrospectionUri()).isEqualTo(defaults.getTokenIntrospectionEndpoint());
+		assertThat(properties.getPushedAuthorizationRequestUri()).isEqualTo(defaults.getPushedAuthorizationRequestEndpoint());
 		OAuth2AuthorizationServerProperties.OidcEndpoint oidc = properties.getOidc();
 		assertThat(oidc.getLogoutUri()).isEqualTo(defaults.getOidcLogoutEndpoint());
 		assertThat(oidc.getClientRegistrationUri()).isEqualTo(defaults.getOidcClientRegistrationEndpoint());

diff --git a/...sts/spring-boot-smoke-test-oauth2-authorization-server/src/main/resources/application.yml b/...sts/spring-boot-smoke-test-oauth2-authorization-server/src/main/resources/application.yml
@@ -9,6 +9,7 @@ spring:
           jwk-set-uri: /jwks
           token-revocation-uri: /revoke
           token-introspection-uri: /introspect
+          pushed-authorization-request-uri: /par
           oidc:
             logout-uri: /logout
             client-registration-uri: /register

diff --git a/...rc/test/java/smoketest/oauth2/server/SampleOAuth2AuthorizationServerApplicationTests.java b/...rc/test/java/smoketest/oauth2/server/SampleOAuth2AuthorizationServerApplicationTests.java
@@ -70,6 +70,7 @@ void openidConfigurationShouldAllowAccess() {
 		assertThat(config.getTokenRevocationEndpoint()).hasToString("https://provider.com/revoke");
 		assertThat(config.getEndSessionEndpoint()).hasToString("https://provider.com/logout");
 		assertThat(config.getTokenIntrospectionEndpoint()).hasToString("https://provider.com/introspect");
+		assertThat(config.getPushedAuthorizationRequestEndpoint()).hasToString("https://provider.com/par");
 		assertThat(config.getUserInfoEndpoint()).hasToString("https://provider.com/user");
 		// OIDC Client Registration is disabled by default
 		assertThat(config.getClientRegistrationEndpoint()).isNull();
@@ -88,6 +89,7 @@ void authServerMetadataShouldAllowAccess() {
 		assertThat(config.getJwkSetUrl()).hasToString("https://provider.com/jwks");
 		assertThat(config.getTokenRevocationEndpoint()).hasToString("https://provider.com/revoke");
 		assertThat(config.getTokenIntrospectionEndpoint()).hasToString("https://provider.com/introspect");
+		assertThat(config.getPushedAuthorizationRequestEndpoint()).hasToString("https://provider.com/par");
 		// OIDC Client Registration is disabled by default
 		assertThat(config.getClientRegistrationEndpoint()).isNull();
 	}