What Is New in Spring Security 6.3
| Category | Highlights |
|---|---|
| New Features | OAuth2AuthorizedClientId getters, JWT decoder timeout defaults, identifier support for relying-party-registrations, simplified disabling of form-urlencoded client credentials. |
| Improvements | Enhanced global authentication logging, documentation hints for GrantedAuthorityDefaults, clearer Kotlin DSL import guidance, updated OIDC logout docs. |
| Bug Fixes | Session is no longer invalidated when its registration is refreshed, corrected MethodAuthorizationDeniedPostProcessor Javadoc, OIDC logout navigation fixed, RequestCacheAwareFilter documentation corrected. |
How does Spring Security 6.3 improve OAuth2 client handling?
Spring Security 6.3 adds concrete getters to OAuth2AuthorizedClientId and lets you specify an identifier for relying-party-registrations elements.
- New getters expose clientId, principalName, and registrationId without reflection.
- You can now declare `<relying-party-registrations id="my-id">...</relying-party-registrations>` to reference a specific registration in configuration.
- A dedicated PR simplifies disabling the default application/x-www-form-urlencoded encoding for client ID and secret, allowing you to send them as JSON or plain text.
In practice this means less boilerplate when you need to look up an authorized client programmatically and tighter control over how credentials are transmitted.
What are the new timeout defaults for JWT decoders?
Spring Security 6.3 now applies sensible timeout defaults to all JwtDecoder instances.
The decoder will wait up to 30 seconds for a response from the JWK Set endpoint and will close idle connections after 60 seconds. These defaults can be overridden with the builder API, for example JwtDecoder.withJwkSetUri(uri).jwkSetCacheDuration(Duration.ofSeconds(10)).build().
This matters if your application runs in environments with intermittent network latency; the defaults protect you from hanging threads while still giving you an easy override path.
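As an added example (not code from the Spring Security project or from this page), the following configuration shows one way to pin the JWK Set fetch timeouts explicitly instead of relying on the defaults, using the `NimbusJwtDecoder` builder's `restOperations` hook with a `RestTemplate` whose connect and read timeouts are set. The JWK Set URI and the 5-second and 10-second values are assumed placeholders.

```java
import java.time.Duration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.web.client.RestTemplate;

@Configuration
public class JwtDecoderTimeoutConfig {

    // Assumed placeholder values: a sample JWK Set URI and timeouts tighter
    // than the release defaults, so a slow or unreachable JWK endpoint fails
    // fast instead of tying up a request thread for the full default window.
    private static final String JWK_SET_URI = "https://issuer.example/.well-known/jwks.json";
    private static final Duration CONNECT_TIMEOUT = Duration.ofSeconds(5);
    private static final Duration READ_TIMEOUT = Duration.ofSeconds(10);

    @Bean
    JwtDecoder jwtDecoder() {
        // The builder fetches signing keys from the JWK Set endpoint through the
        // supplied RestOperations, so the timeouts configured there bound every
        // key retrieval (initial fetch and cache refresh alike).
        return NimbusJwtDecoder.withJwkSetUri(JWK_SET_URI)
                .restOperations(jwkSetRestTemplate(CONNECT_TIMEOUT, READ_TIMEOUT))
                .build();
    }

    // Builds a RestTemplate with explicit connect and read timeouts; the
    // request factory expects milliseconds as int values.
    static RestTemplate jwkSetRestTemplate(Duration connect, Duration read) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory();
        factory.setConnectTimeout((int) connect.toMillis());
        factory.setReadTimeout((int) read.toMillis());
        return new RestTemplate(factory);
    }
}
```

If key fetching fails or times out, token validation fails closed (the decoder throws rather than accepting an unverified token), so choose values that match your issuer's observed latency rather than the tightest possible setting.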
How have session management and authentication logging changed?
The release fixes a bug that caused the current HTTP session to be invalidated when its SecurityContext was refreshed.
- Concurrent login flows now preserve the original session, avoiding unexpected logout events.
- Global authentication events are logged with richer context, including the authentication provider name and the decision outcome.
Most teams will notice smoother single-sign-on experiences and clearer audit trails when troubleshooting authentication issues.
What documentation updates should developers be aware of?
Spring Security 6.3 adds several documentation improvements that directly affect configuration.
- A hint now clarifies that GrantedAuthorityDefaults should be declared as an infrastructure bean.
- Kotlin DSL import requirements are explicitly listed, preventing compile-time surprises.
- The OIDC logout section is now correctly displayed in the navigation bar, and the RequestCacheAwareFilter description has been fixed.
These updates reduce the need to search external resources and help new developers adopt best-practice configurations faster.
Frequently Asked Questions
Does Spring Security 6.3 introduce breaking changes for existing OAuth2 client configurations?
No, the new getters and identifier support are additive and do not require changes to existing XML or Java config.
How can I customize JWT decoder timeout values in 6.3?
You can use the JwtDecoder builder, for example JwtDecoder.withJwkSetUri(uri).jwkSetCacheDuration(Duration.ofSeconds(10)).build().
What is the impact of the session invalidation bug fix on concurrent login scenarios?
Sessions are no longer destroyed when the security context is refreshed, so users stay logged in during token refreshes.
Are there any new beans I need to declare for GrantedAuthorityDefaults?
You should declare GrantedAuthorityDefaults as an infrastructure bean to control the default role prefix.
How do I disable form-urlencoded encoding for client ID and secret in the new release?
Set the client authentication method to client_secret_basic or client_secret_jwt in your OAuth2 client registration.
Is there any change to the way OIDC logout is exposed in the UI?
The OIDC logout page is now correctly linked in the navigation bar, making it discoverable without custom routing.