Custom OAuth2 Grant Types in Spring Security – Mobile Password Grant Implementation
This article explains why and how to extend Spring Security with custom OAuth2 grant types, using a mobile‑password example that demonstrates creating a custom UserDetailService, AuthenticationToken, TokenGranter, AuthenticationProvider, and the necessary Spring Cloud configuration steps.
The article introduces the need for custom OAuth2 grant types beyond the four standard ones (authorization_code, implicit, client_credentials, password) because real‑world scenarios often require logins such as WeChat, QQ, mobile‑SMS, captcha, or email verification.
To add a new grant type, you must implement three core components in Spring Security:
TokenGranter – decides which grant type to process based on the grant_type request parameter.
AuthenticationProvider – performs the actual authentication logic.
AuthenticationToken – carries the credentials (e.g., mobile number and password) through the authentication flow.
Step 1: Custom UserDetailService – Define an interface SmsCodeUserDetailService with a method loadUserByMobile() and provide an implementation that queries user details from the database using the mobile number.
Step 2: Custom AuthenticationToken – Create MobilePasswordAuthenticationToken that stores the mobile number and password, similar to UsernamePasswordAuthenticationToken.
Step 3: Custom TokenGranter – Implement MobilePwdGranter whose GRANT_TYPE is set to mobile_pwd; it builds the custom MobilePasswordAuthenticationToken and delegates to the authentication manager.
Step 4: Custom AuthenticationProvider – Implement MobilePasswordAuthenticationProvider to validate the mobile number and password against the data returned by SmsCodeUserDetailService.
Step 5: Register Provider in the IoC Container – Add the custom provider as a bean so that Spring can discover it during authentication.
Step 6: Global Security Configuration – Create SmsCodeSecurityConfig and reference it from the overall security configuration to activate the new grant type.
Step 7: Add to CompositeTokenGranter – Extend the AuthorizationServerConfig to include the new MobilePwdGranter in the CompositeTokenGranter collection.
Step 8: Database Configuration – Insert the custom grant type name into the authorized_grant_types column of the oauth_client_details table for the relevant client.
After completing these steps, the service can be tested by sending a token request with grant_type=mobile_pwd, the mobile number, and the password as parameters.
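The seven code-level steps above, wired together in one place as an added example; this is not the article's own code or the linked GitHub project. It targets the legacy spring-security-oauth2 authorization server that the article's class names (TokenGranter, CompositeTokenGranter, AuthorizationServerConfig) belong to, and it assumes that a PasswordEncoder bean, an AuthenticationManager bean and a database-backed implementation of SmsCodeUserDetailService are already provided elsewhere in the application. The request parameter name mobile is an assumption; the article only says the mobile number and password are sent as parameters.

```java
// Added example (not the article's code): Steps 1-7 of the mobile_pwd grant on the legacy
// spring-security-oauth2 server. Assumed: PasswordEncoder, AuthenticationManager and a DB-backed
// SmsCodeUserDetailService bean exist elsewhere; the "mobile" parameter name is an assumption.
import java.util.*;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.*;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.common.exceptions.InvalidGrantException;
import org.springframework.security.oauth2.config.annotation.web.configuration.*;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.provider.*;
import org.springframework.security.oauth2.provider.token.*;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.stereotype.Component;

/** Step 1: look the user up by mobile number (the article queries the database here). */
interface SmsCodeUserDetailService { UserDetails loadUserByMobile(String mobile) throws UsernameNotFoundException; }

/** Step 2: carries mobile + password before authentication, UserDetails + authorities after. */
class MobilePasswordAuthenticationToken extends AbstractAuthenticationToken {
    private final Object principal; private Object credentials;
    MobilePasswordAuthenticationToken(String mobile, String password) {
        super(null); principal = mobile; credentials = password; setAuthenticated(false);
    }
    MobilePasswordAuthenticationToken(UserDetails user, Collection<? extends GrantedAuthority> auths) {
        super(auths); principal = user; credentials = null; super.setAuthenticated(true);
    }
    @Override public Object getPrincipal() { return principal; }
    @Override public Object getCredentials() { return credentials; }
    @Override public void setAuthenticated(boolean trusted) {  // same guard as UsernamePasswordAuthenticationToken
        if (trusted) throw new IllegalArgumentException("use the authorities constructor to create a trusted token");
        super.setAuthenticated(false);
    }
    @Override public void eraseCredentials() { super.eraseCredentials(); credentials = null; }
}

/** Step 3: chosen for grant_type=mobile_pwd; builds the token and delegates to the AuthenticationManager. */
class MobilePwdGranter extends AbstractTokenGranter {
    static final String GRANT_TYPE = "mobile_pwd";
    private final AuthenticationManager authenticationManager;
    MobilePwdGranter(AuthenticationManager am, AuthorizationServerTokenServices ts, ClientDetailsService cds, OAuth2RequestFactory rf) {
        super(ts, cds, rf, GRANT_TYPE); authenticationManager = am;
    }
    @Override protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, TokenRequest req) {
        Map<String, String> params = new LinkedHashMap<>(req.getRequestParameters());
        String mobile = params.get("mobile"), password = params.get("password");
        params.remove("password");  // the stored OAuth2Request details must not retain the secret
        Authentication userAuth = new MobilePasswordAuthenticationToken(mobile, password);
        ((AbstractAuthenticationToken) userAuth).setDetails(params);
        try { userAuth = authenticationManager.authenticate(userAuth); }
        catch (AccountStatusException | BadCredentialsException e) { throw new InvalidGrantException(e.getMessage()); }
        if (userAuth == null || !userAuth.isAuthenticated()) throw new InvalidGrantException("Could not authenticate mobile: " + mobile);
        return new OAuth2Authentication(getRequestFactory().createOAuth2Request(client, req), userAuth);
    }
}

/** Step 4: the actual check: find the account by mobile, then compare the encoded password. */
class MobilePasswordAuthenticationProvider implements AuthenticationProvider {
    private final SmsCodeUserDetailService users; private final PasswordEncoder encoder;
    MobilePasswordAuthenticationProvider(SmsCodeUserDetailService u, PasswordEncoder e) { users = u; encoder = e; }
    @Override public Authentication authenticate(Authentication auth) throws AuthenticationException {
        MobilePasswordAuthenticationToken token = (MobilePasswordAuthenticationToken) auth;
        UserDetails user;
        try { user = users.loadUserByMobile((String) token.getPrincipal()); }
        catch (UsernameNotFoundException e) { throw new BadCredentialsException("Bad credentials"); }  // one message for unknown mobile and wrong password
        String presented = (String) token.getCredentials();
        if (presented == null || !encoder.matches(presented, user.getPassword())) throw new BadCredentialsException("Bad credentials");
        MobilePasswordAuthenticationToken ok = new MobilePasswordAuthenticationToken(user, user.getAuthorities());
        ok.setDetails(token.getDetails()); return ok;
    }
    @Override public boolean supports(Class<?> c) { return MobilePasswordAuthenticationToken.class.isAssignableFrom(c); }
}

/** Steps 5-6: register the provider; the main WebSecurityConfigurerAdapter applies it with http.apply(smsCodeSecurityConfig). */
@Component
class SmsCodeSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
    private final MobilePasswordAuthenticationProvider provider;
    SmsCodeSecurityConfig(SmsCodeUserDetailService users, PasswordEncoder encoder) {
        provider = new MobilePasswordAuthenticationProvider(users, encoder);
    }
    @Override public void configure(HttpSecurity http) { http.authenticationProvider(provider); }
}

/** Step 7: add the granter to the composite so /oauth/token accepts grant_type=mobile_pwd. */
@Configuration @EnableAuthorizationServer
class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    private final AuthenticationManager authenticationManager;
    AuthorizationServerConfig(AuthenticationManager am) { authenticationManager = am; }
    @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints.authenticationManager(authenticationManager);  // must be set before getTokenGranter()
        List<TokenGranter> granters = new ArrayList<>(Collections.singletonList(endpoints.getTokenGranter()));  // the four standard grants
        granters.add(new MobilePwdGranter(authenticationManager, endpoints.getTokenServices(),
                endpoints.getClientDetailsService(), endpoints.getOAuth2RequestFactory()));
        endpoints.tokenGranter(new CompositeTokenGranter(granters));
    }
}
```

Two points worth noting from a security angle. The provider returns the same "Bad credentials" error whether the mobile number is unknown or the password is wrong, so the token endpoint does not confirm which numbers are registered; and the granter strips the password from the request parameters before they are stored as OAuth2Request details, so the secret does not end up in the token store. Step 8 remains a data change: until mobile_pwd is appended to the client's authorized_grant_types in oauth_client_details, the granter rejects the request as an unauthorized grant type for that client, which is the expected result when testing a client that has not yet been enabled.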
The article also provides links to the full source code on GitHub and invites readers to follow the public account for additional resources.
Code Ape Tech Column
Former Ant Group P8 engineer, pure technologist, sharing full‑stack Java, job interview and career advice through a column. Site: java-family.cn