Spring Authorization Server will use InMemoryOAuth2*Service by default which is done by org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2ConfigurerUtils, and the document says:
instances in-memory and is recommended ONLY for development and testing.
Due to the states in-memory are not surviving after restarting and not shared across multiple instances for load balancing.
Spring Boot should auto-configure JdbcOAuth2AuthorizationService and JdbcOAuth2AuthorizationConsentService for production use, and introduce configuration properties for database schema initialization. Not sure JdbcRegisteredClientRepository should be included also.
Comment From: jgrandja
@quaff As documented in the JdbcOAuth2AuthorizationService javadoc:
This {@code OAuth2AuthorizationService} is a simplified JDBC implementation that MAY be used in a production environment. However, it does have limitations as it likely won't perform well in an environment requiring high throughput. The expectation is that the consuming application will provide their own implementation of {@code OAuth2AuthorizationService} that meets the performance requirements for its deployment environment.
Take note of text in bold. The JDBC implementations are meant to serve as a "template" for applications building their own implementations of OAuth2AuthorizationService, OAuth2AuthorizationConsentService and RegisteredClientRepository so I don't believe most applications are using these implementations as-is. Furthermore, not all deployments are using a relational backing store and could instead be using other types of structured data stores, e.g. Redis
Comment From: quaff
I understand, but it would be nice if user have choice, something is better than nothing.