JWT vs Opaque Access Tokens: Use Both With Spring Boot

JWT vs Opaque Access Tokens: Use Both With Spring Boot

Tutorial: Learn how to use JWT and opaque access with Spring Boot.


Hi, a small note on the configuration described in the video,
starting spring boot 2.4, you need to add the openid scope into the
configuration like so:


This is because of the upgrade to spring security 5.4, which brings the change:

Refined ClientRegistrations to not default scopes to the OIDC scopes_supported attribute

in the What’s new section of spring
security’s reference documentation

Brian Demers

Good catch! I’ll update the post!

George Christman

When the frontend is using the PKCE flow and you have no client secret, how do you validate the access_token with Spring Security?

Brian Demers

The /introspect endpoint doesn’t always require a client secret (it depends on the type of application you have setup). This page goes into more details: https://developer.okta.com/…

Does that answer your question?

David Pratt

Thanks for this excellent walkthrough. It was almost exactly what I was looking for. Using PKCE with Okta myself but still struggling. I don’t suppose this flow is built into Spring or coming soon? I tried to just leave the secret blank or out of my properties file but that did not suffice. Thanks!

Brian Demers

Spring has limited built in support for PKCE. If you don’t set a client-secret Spring Security will attempt to use PKCE (with an Auth Code flow, i.e. using .oauth2Login())

There is an outstanding issue to support PKCE for confidential clients with an auth code flow too