spring-projects · addcontent · Apr 4, 2026
diff --git a/...b/configurers/oauth2/server/authorization/OAuth2ClientRegistrationEndpointConfigurer.java b/...b/configurers/oauth2/server/authorization/OAuth2ClientRegistrationEndpointConfigurer.java
@@ -17,7 +17,10 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
 
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Consumer;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -74,6 +77,8 @@ public final class OAuth2ClientRegistrationEndpointConfigurer extends AbstractOA
 
 	private boolean openRegistrationAllowed;
 
+	private Set<String> allowedScopes;
+
 	/**
 	 * Restrict for internal use only.
 	 * @param objectPostProcessor an {@code ObjectPostProcessor}
@@ -195,6 +200,21 @@ public OAuth2ClientRegistrationEndpointConfigurer openRegistrationAllowed(boolea
 		return this;
 	}
 
+	/**
+	 * Sets the allowed scopes for client registration. When set, only the specified
+	 * scopes will be accepted during Dynamic Client Registration. If not set, any scope
+	 * value will be accepted.
+	 * @param allowedScopes the allowed scopes
+	 * @return the {@link OAuth2ClientRegistrationEndpointConfigurer} for further
+	 * configuration
+	 * @since 7.1
+	 */
+	public OAuth2ClientRegistrationEndpointConfigurer allowedScopes(String... allowedScopes) {
+		Assert.notEmpty(allowedScopes, "allowedScopes cannot be empty");
+		this.allowedScopes = new HashSet<>(Arrays.asList(allowedScopes));
+		return this;
+	}
+
 	@Override
 	void init(HttpSecurity httpSecurity) {
 		AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils
@@ -207,7 +227,7 @@ void init(HttpSecurity httpSecurity) {
 			.matcher(HttpMethod.POST, clientRegistrationEndpointUri);
 
 		List<AuthenticationProvider> authenticationProviders = createDefaultAuthenticationProviders(httpSecurity,
-				this.openRegistrationAllowed);
+				this.openRegistrationAllowed, this.allowedScopes);
 		if (!this.authenticationProviders.isEmpty()) {
 			authenticationProviders.addAll(0, this.authenticationProviders);
 		}
@@ -258,7 +278,7 @@ private static List<AuthenticationConverter> createDefaultAuthenticationConverte
 	}
 
 	private static List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity,
-			boolean openRegistrationAllowed) {
+			boolean openRegistrationAllowed, Set<String> allowedScopes) {
 		List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
 
 		OAuth2ClientRegistrationAuthenticationProvider clientRegistrationAuthenticationProvider = new OAuth2ClientRegistrationAuthenticationProvider(
@@ -269,6 +289,9 @@ private static List<AuthenticationProvider> createDefaultAuthenticationProviders
 			clientRegistrationAuthenticationProvider.setPasswordEncoder(passwordEncoder);
 		}
 		clientRegistrationAuthenticationProvider.setOpenRegistrationAllowed(openRegistrationAllowed);
+		if (allowedScopes != null) {
+			clientRegistrationAuthenticationProvider.setAllowedScopes(allowedScopes);
+		}
 		authenticationProviders.add(clientRegistrationAuthenticationProvider);
 
 		return authenticationProviders;

diff --git a/...web/configurers/oauth2/server/authorization/OidcClientRegistrationEndpointConfigurer.java b/...web/configurers/oauth2/server/authorization/OidcClientRegistrationEndpointConfigurer.java
@@ -17,7 +17,10 @@
 package org.springframework.security.config.annotation.web.configurers.oauth2.server.authorization;
 
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.function.Consumer;
 
 import jakarta.servlet.http.HttpServletRequest;
@@ -75,6 +78,8 @@ public final class OidcClientRegistrationEndpointConfigurer extends AbstractOAut
 
 	private AuthenticationFailureHandler errorResponseHandler;
 
+	private Set<String> allowedScopes;
+
 	/**
 	 * Restrict for internal use only.
 	 * @param objectPostProcessor an {@code ObjectPostProcessor}
@@ -182,6 +187,21 @@ public OidcClientRegistrationEndpointConfigurer errorResponseHandler(
 		return this;
 	}
 
+	/**
+	 * Sets the allowed scopes for client registration. When set, only the specified
+	 * scopes will be accepted during Dynamic Client Registration. If not set, any scope
+	 * value will be accepted.
+	 * @param allowedScopes the allowed scopes
+	 * @return the {@link OidcClientRegistrationEndpointConfigurer} for further
+	 * configuration
+	 * @since 7.1
+	 */
+	public OidcClientRegistrationEndpointConfigurer allowedScopes(String... allowedScopes) {
+		Assert.notEmpty(allowedScopes, "allowedScopes cannot be empty");
+		this.allowedScopes = new HashSet<>(Arrays.asList(allowedScopes));
+		return this;
+	}
+
 	@Override
 	void init(HttpSecurity httpSecurity) {
 		AuthorizationServerSettings authorizationServerSettings = OAuth2ConfigurerUtils
@@ -194,7 +214,8 @@ void init(HttpSecurity httpSecurity) {
 				PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.POST, clientRegistrationEndpointUri),
 				PathPatternRequestMatcher.withDefaults().matcher(HttpMethod.GET, clientRegistrationEndpointUri));
 
-		List<AuthenticationProvider> authenticationProviders = createDefaultAuthenticationProviders(httpSecurity);
+		List<AuthenticationProvider> authenticationProviders = createDefaultAuthenticationProviders(httpSecurity,
+				this.allowedScopes);
 		if (!this.authenticationProviders.isEmpty()) {
 			authenticationProviders.addAll(0, this.authenticationProviders);
 		}
@@ -245,7 +266,8 @@ private static List<AuthenticationConverter> createDefaultAuthenticationConverte
 		return authenticationConverters;
 	}
 
-	private static List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity) {
+	private static List<AuthenticationProvider> createDefaultAuthenticationProviders(HttpSecurity httpSecurity,
+			Set<String> allowedScopes) {
 		List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
 
 		OidcClientRegistrationAuthenticationProvider oidcClientRegistrationAuthenticationProvider = new OidcClientRegistrationAuthenticationProvider(
@@ -256,6 +278,9 @@ private static List<AuthenticationProvider> createDefaultAuthenticationProviders
 		if (passwordEncoder != null) {
 			oidcClientRegistrationAuthenticationProvider.setPasswordEncoder(passwordEncoder);
 		}
+		if (allowedScopes != null) {
+			oidcClientRegistrationAuthenticationProvider.setAllowedScopes(allowedScopes);
+		}
 		authenticationProviders.add(oidcClientRegistrationAuthenticationProvider);
 
 		OidcClientConfigurationAuthenticationProvider oidcClientConfigurationAuthenticationProvider = new OidcClientConfigurationAuthenticationProvider(

diff --git a/.../modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc b/.../modules/ROOT/pages/servlet/oauth2/authorization-server/protocol-endpoints.adoc
@@ -730,6 +730,35 @@ The access token in a Client Registration request *REQUIRES* the OAuth2 scope `c
 [TIP]
 To allow open client registration (no access token in request), configure `OAuth2ClientRegistrationAuthenticationProvider.setOpenRegistrationAllowed(true)`.
 
+[[oauth2AuthorizationServer-oauth2-client-registration-endpoint-scope-validation]]
+=== Customizing Scope Validation
+
+By default, the OAuth2 Client Registration endpoint accepts any scope values in the registration request.
+It is recommended to configure the allowed scopes to restrict which scopes can be assigned to dynamically registered clients.
+
+[source,java]
+----
+@Bean
+public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+	http
+		.oauth2AuthorizationServer((authorizationServer) ->
+			authorizationServer
+				.clientRegistrationEndpoint(clientRegistrationEndpoint ->
+                    clientRegistrationEndpoint
+                        .allowedScopes("openid", "profile", "email") // <1>
+				)
+		);
+
+	return http.build();
+}
+----
+<1> `allowedScopes()`: Restricts which scope values are accepted during client registration. Registration requests containing scopes not in this set will be rejected with an `invalid_scope` error.
+
+[IMPORTANT]
+When enabling Dynamic Client Registration, it is recommended to always configure `allowedScopes()` to prevent dynamically registered clients from requesting arbitrary scope values.
+
+For advanced scope validation logic, use `setRegisteredClientConverter()` to provide a custom `Converter<OAuth2ClientRegistration, RegisteredClient>` that performs the required validation.
+
 [[oauth2AuthorizationServer-oauth2-authorization-server-metadata-endpoint]]
 == OAuth2 Authorization Server Metadata Endpoint
 
@@ -1041,3 +1070,35 @@ The access token in a Client Registration request *REQUIRES* the OAuth2 scope `c
 
 [IMPORTANT]
 The access token in a Client Read request *REQUIRES* the OAuth2 scope `client.read`.
+
+[[oauth2AuthorizationServer-oidc-client-registration-endpoint-scope-validation]]
+=== Customizing Scope Validation
+
+By default, the OIDC Client Registration endpoint accepts any scope values in the registration request.
+It is recommended to configure the allowed scopes to restrict which scopes can be assigned to dynamically registered clients.
+
+[source,java]
+----
+@Bean
+public SecurityFilterChain authorizationServerSecurityFilterChain(HttpSecurity http) throws Exception {
+	http
+		.oauth2AuthorizationServer((authorizationServer) ->
+			authorizationServer
+                .oidc(oidc ->
+                    oidc
+                        .clientRegistrationEndpoint(clientRegistrationEndpoint ->
+                            clientRegistrationEndpoint
+                                .allowedScopes("openid", "profile", "email") // <1>
+                        )
+                )
+		);
+
+	return http.build();
+}
+----
+<1> `allowedScopes()`: Restricts which scope values are accepted during client registration. Registration requests containing scopes not in this set will be rejected with an `invalid_scope` error.
+
+[IMPORTANT]
+When enabling Dynamic Client Registration, it is recommended to always configure `allowedScopes()` to prevent dynamically registered clients from requesting arbitrary scope values.
+
+For advanced scope validation logic, use `setRegisteredClientConverter()` to provide a custom `Converter<OidcClientRegistration, RegisteredClient>` that performs the required validation.
diff --git a/...2/server/authorization/authentication/OAuth2ClientRegistrationAuthenticationProvider.java b/...2/server/authorization/authentication/OAuth2ClientRegistrationAuthenticationProvider.java
@@ -87,6 +87,8 @@ public final class OAuth2ClientRegistrationAuthenticationProvider implements Aut
 
 	private boolean openRegistrationAllowed;
 
+	private Set<String> allowedScopes;
+
 	/**
 	 * Constructs an {@code OAuth2ClientRegistrationAuthenticationProvider} using the
 	 * provided parameters.
@@ -200,6 +202,18 @@ public void setOpenRegistrationAllowed(boolean openRegistrationAllowed) {
 		this.openRegistrationAllowed = openRegistrationAllowed;
 	}
 
+	/**
+	 * Sets the allowed scopes for client registration. When set, only the specified
+	 * scopes will be accepted during Dynamic Client Registration. If not set, any scope
+	 * value will be accepted.
+	 * @param allowedScopes the {@code Set} of allowed scopes
+	 * @since 7.1
+	 */
+	public void setAllowedScopes(Set<String> allowedScopes) {
+		Assert.notNull(allowedScopes, "allowedScopes cannot be null");
+		this.allowedScopes = allowedScopes;
+	}
+
 	private OAuth2ClientRegistrationAuthenticationToken registerClient(
 			OAuth2ClientRegistrationAuthenticationToken clientRegistrationAuthentication,
 			@Nullable OAuth2Authorization authorization) {
@@ -210,6 +224,14 @@ private OAuth2ClientRegistrationAuthenticationToken registerClient(
 					OAuth2ClientMetadataClaimNames.REDIRECT_URIS);
 		}
 
+		if (this.allowedScopes != null) {
+			Set<String> requestedScopes = clientRegistrationAuthentication.getClientRegistration().getScopes();
+			if (!CollectionUtils.isEmpty(requestedScopes) && !this.allowedScopes.containsAll(requestedScopes)) {
+				throwInvalidClientRegistration(OAuth2ErrorCodes.INVALID_SCOPE,
+						OAuth2ClientMetadataClaimNames.SCOPE);
+			}
+		}
+
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace("Validated client registration request parameters");
 		}

diff --git a/...erver/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java b/...erver/authorization/oidc/authentication/OidcClientRegistrationAuthenticationProvider.java
@@ -103,6 +103,8 @@ public final class OidcClientRegistrationAuthenticationProvider implements Authe
 
 	private PasswordEncoder passwordEncoder;
 
+	private Set<String> allowedScopes;
+
 	/**
 	 * Constructs an {@code OidcClientRegistrationAuthenticationProvider} using the
 	 * provided parameters.
@@ -208,6 +210,18 @@ public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
 		this.passwordEncoder = passwordEncoder;
 	}
 
+	/**
+	 * Sets the allowed scopes for client registration. When set, only the specified
+	 * scopes will be accepted during Dynamic Client Registration. If not set, any scope
+	 * value will be accepted.
+	 * @param allowedScopes the {@code Set} of allowed scopes
+	 * @since 7.1
+	 */
+	public void setAllowedScopes(Set<String> allowedScopes) {
+		Assert.notNull(allowedScopes, "allowedScopes cannot be null");
+		this.allowedScopes = allowedScopes;
+	}
+
 	private OidcClientRegistrationAuthenticationToken registerClient(
 			OidcClientRegistrationAuthenticationToken clientRegistrationAuthentication,
 			OAuth2Authorization authorization) {
@@ -234,6 +248,14 @@ private OidcClientRegistrationAuthenticationToken registerClient(
 					OidcClientMetadataClaimNames.TOKEN_ENDPOINT_AUTH_METHOD);
 		}
 
+		if (this.allowedScopes != null) {
+			Set<String> requestedScopes = clientRegistrationRequest.getScopes();
+			if (!CollectionUtils.isEmpty(requestedScopes) && !this.allowedScopes.containsAll(requestedScopes)) {
+				throwInvalidClientRegistration(OAuth2ErrorCodes.INVALID_SCOPE,
+						OidcClientMetadataClaimNames.SCOPE);
+			}
+		}
+
 		if (this.logger.isTraceEnabled()) {
 			this.logger.trace("Validated client registration request parameters");
 		}