Support OAuth 2.0 Authorization Server

[jgrandja]

NOTE: Please see comment

The initial support for OAuth 2.0 Authorization Server will target the following features:

• OAuth 2.0 Authorization Code Grant
• OpenID Connect 1.0 (Authorization Code Flow)
• PKCE Support PKCE for Authorization Server #4943
• OAuth 2.0 Client Credentials Grant
• JWT Access Token format
• JWK Set Endpoint
• Opaque Access Token format
• OAuth 2.0 Token Revocation Provide support for OAuth 2.0 Token Revocation #6133

[chrylis]

I have repeated a particular implementation pattern enough times that I'm planning to develop a modular open-source auth-server solution that covers similar ground as Okta/the old Stormpath but has the control of in-house deployment and customized authentication steps/rules that have caused my clients to need an in-house solution. This is still in the planning stage, but I have a reasonably reliable pattern that I expect to follow.

As part of this, I am interested in working on the rewritten auth-server support in Spring Security 5. I have a good bit of experience with Spring Security OAuth2 and am familiar with the architectural principles as well as the places that work smoothly and the friction points. I'm up for doing as much of this particular module as needed, although I don't have direct experience with OICD or PKCE yet. I'm especially interested in helping to smooth out some of the currently difficult aspects of configuring the workflow such as performing per-user authorization checks.

[jgrandja]

@chrylis Thanks for getting in touch! We certainly can use the help and would welcome your contributions. I'm really interested to learn more about your interest/experience and see if we can work together to start this up. I'm thinking a zoom meeting might be the best bet to introduce ourselves and possibly come up with some sort of plan. What are your thoughts?