AuthorizationServerConfigurerAdapter is deprecated

spring spring-boot spring-security oauth-2.0 spring-security-oauth2
12,699

Solution 1

Spring Security OAuth2 project is currently deprecated and Spring Security team has decided to no longer provide support for authorization servers. They are going to reconsider this decision, but nothing is known at the moment, and I would advise you to consider other solutions, for example, Keycloak.

15/04/2020: A new Spring Authorization Server is announced.

It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

07/05/2020: End-of-Life for Spring Security OAuth have been clarified.

To that end, the plan is to provide patch and security fixes for the 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.

Solution 2

To work with AuthorizationServer (and AuthorizationServerConfigurerAdapter as well) in Spring Boot application you can use Spring Security OAuth Boot 2 Autoconfig. Despite it's in maintenance mode, it's updated actively (as of January 2020), its fresh version is 2.2.3 which is correspondent to Spring Boot version 2.2.3. Its reference guide says that:

Note that you need to specify the version for spring-security-oauth2-autoconfigure, since it is not managed by Spring Boot any longer, though it should match Boot’s version anyway

I used it in my demo project and everything seems OK. So, to work with OAuth2, JWT tokens, Authorization and Resource servers, all you need is to add it to your project:

    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.2.3.RELEASE</version>
    </dependency>

My demo project.

UPDATE

Starting with version 2.3.0 the Spring Security OAuth Boot 2 Autoconfig (which have spring-security-oauth2:2.4.1 under the hood) is also deprecated.

But according to End-of-Life for Spring Security OAuth post in Spring Blog:

...the plan is to provide patch and security fixes for the 2.4.x and 2.5.x [spring-security-oauth2] line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.

Also a new Spring Authorization Server project was announced.

It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

In Spring Security OAuth 2.0 Roadmap Update they recommend using Keycloak as an open-source implementation of the authorization server. So I think that the following links will be helpful:

Share:
12,699

Related videos on Youtube

Victory
Author by

Victory

I am an experienced Android developer. I have obtained a B.Tech degree from The ICFAI University Dehradun in Computer science &amp; engineering. During my studies, I have been acquiring work experience in various fields and lately I have been concentrating on software development on the Android platform. I have in total over two years of active Android development experience. I have worked on numerous projects used by hundreds of thousands of people. Now I am focusing on Kotlin and Android-security.

Updated on July 06, 2022

Comments

  • Victory
    Victory almost 2 years

    I'd like to use Oauth2 authentication in spring rest API for login. But I got some warning like AuthorizationServerConfigurerAdapter is deprecated and see the OAuth 2.0 Migration Guide for Spring Security 5.

    class docs

    I checked there but not found a much migration guide. Can anyone please share the full example for this.

    Thanks in advance...

    • Peter S.
      Peter S. over 4 years
      I tried to downgrade the version of spring-security-oauth2 from 2.4.0.RELEASE to 2.3.8.RELEASE and it looks like it was marked as deprecated from 2.4.0.RELEASE. Both versions are from November -> maven repository . I would only guess if the migration guide for authorization server is still in progress.
  • Anar Sultanov
    Anar Sultanov over 4 years
    You should not suggest people using a project that is currently deprecated.
  • JohanB
    JohanB over 4 years
    This is the correct answer why AuthorizationServerConfigurerAdapter is depricated. Let's hope Spring will reconsider ...
  • Cepr0
    Cepr0 over 4 years
    I didn't suggest to use deprecated project. spring-security-oauth2-autoconfigure is not deprecated yet, and I warned that it's in maintenance mode. The question was about the possibility of using AuthorizationServer - I demonstrated this possibility.
  • Kevin
    Kevin about 4 years
    Do you have any tutorial or resource to help migrating from old Spring-Security-OAuth2 to Open Source Authorization Server as Keycloak, Gluu?
  • Peter Penzov
    Peter Penzov almost 4 years
    I'm also very interested what can be used for the latest Spring Security. Please share!
  • Anar Sultanov
    Anar Sultanov almost 4 years
    @Geany I wrote and published a post describing one of the migration options: sultanov.dev/blog/…
  • Anar Sultanov
    Anar Sultanov almost 4 years
    @PeterPenzov Keycloak as well as any other authorization server can be used with the latest Spring Security: baeldung.com/spring-boot-keycloak

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Spring Boot OAuth2 - Could not obtain user details from token
Extract Currently Logged in User information from JWT token using Spring Security
OAUTH2 spring Error creating bean with name 'springSecurityFilterChain'
spring boot oauth2 with jdbc token store gives oauth_access_token relation doesn't exist
How to overwrite Spring Cloud OAuth2 client autoconfiguration?
Handle UserRedirectRequiredException (A redirect is required to get the users approval)
Real Time examples for Oauth2 Grant Types and Good document, example for Oauth2 with Spring MVC
Consider defining a bean of type 'org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository' in your configuration
Cannot instantiate interface org.springframework.context.ApplicationListener after adding spring-security-oauth2
Spring Boot + Oauth2 client credentials