AuthorizationServerConfigurerAdapter is deprecated
Solution 1
The Spring Security OAuth2 project is currently deprecated, and the Spring Security team has decided to no longer provide support for authorization servers. They are going to reconsider this decision, but nothing is known at the moment, and I would advise you to consider other solutions, for example, Keycloak.
15/04/2020: A new Spring Authorization Server is announced.
It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.
07/05/2020: End-of-Life for Spring Security OAuth has been clarified.
To that end, the plan is to provide patch and security fixes for the 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.
Solution 2
To work with AuthorizationServer (and AuthorizationServerConfigurerAdapter as well) in a Spring Boot application, you can use Spring Security OAuth Boot 2 Autoconfig. Although it is in maintenance mode, it is actively updated (as of January 2020); its latest version is 2.2.3, which corresponds to Spring Boot version 2.2.3. Its reference guide says that:
Note that you need to specify the version for spring-security-oauth2-autoconfigure, since it is not managed by Spring Boot any longer, though it should match Boot’s version anyway
I used it in my demo project and everything seems OK. So, to work with OAuth2, JWT tokens, Authorization and Resource servers, all you need is to add it to your project:
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.2.3.RELEASE</version>
</dependency>
UPDATE
Starting with version 2.3.0, the Spring Security OAuth Boot 2 Autoconfig (which has spring-security-oauth2:2.4.1 under the hood) is also deprecated.
But according to End-of-Life for Spring Security OAuth post in Spring Blog:
...the plan is to provide patch and security fixes for the 2.4.x and 2.5.x [spring-security-oauth2] line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.
Also a new Spring Authorization Server project was announced.
It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.
In Spring Security OAuth 2.0 Roadmap Update they recommend using Keycloak as an open-source implementation of the authorization server. So I think that the following links will be helpful:
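An added example, not part of either answer or of any Spring project: a small Python check that applies the two constraints cited above to a pom.xml, namely that spring-security-oauth2-autoconfigure needs an explicit version matching Boot's, and the quoted end-of-life dates. The sample POM is constructed, and reading "until May YYYY" as the last day of that month is an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import date

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
AUTOCONFIG, CORE = "spring-security-oauth2-autoconfigure", "spring-security-oauth2"
# Fix windows from the End-of-Life post quoted above, keyed by spring-security-oauth2 line.
# Assumption: "until May YYYY" is read as "through the last day of that month".
FIXES_END = {"2.4": date(2021, 5, 31), "2.5": date(2022, 5, 31)}
PROJECT_EOL = date(2022, 5, 31)

def audit_pom(pom_xml: str, today: date) -> list:
    """Return findings for the deprecated OAuth artifacts declared in a pom.xml."""
    root = ET.fromstring(pom_xml)
    findings, boot = [], None
    if root.findtext("m:parent/m:artifactId", namespaces=NS) == "spring-boot-starter-parent":
        boot = root.findtext("m:parent/m:version", namespaces=NS)
    for dep in root.iterfind("m:dependencies/m:dependency", NS):
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        if artifact == AUTOCONFIG:
            if version is None:
                findings.append("autoconfigure: no <version>; Spring Boot no longer manages it")
            elif boot and version != boot:
                findings.append(f"autoconfigure: {version} does not match Boot {boot}")
            if today > PROJECT_EOL:
                findings.append("autoconfigure: project is past end-of-life")
        elif artifact == CORE and version:
            line = ".".join(version.split(".")[:2])
            end = FIXES_END.get(line)
            if end is None:
                findings.append(f"{CORE}: line {line}.x is outside the announced fix window")
            elif today > end:
                findings.append(f"{CORE}: fixes for {line}.x ended {end:%B %Y}")
    return findings

# Constructed sample POM (not from the page): a Boot 2.2.4 parent with the 2.2.3 dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><artifactId>spring-boot-starter-parent</artifactId><version>2.2.4.RELEASE</version></parent>
  <dependencies><dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
    <version>2.2.3.RELEASE</version>
  </dependency></dependencies>
</project>"""

if __name__ == "__main__":
    for finding in audit_pom(SAMPLE_POM, date.today()):
        print(finding)
```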
Updated on July 06, 2022
Comments
-
Victory almost 2 years
I'd like to use Oauth2 authentication in a Spring REST API for login. But I got a warning like "AuthorizationServerConfigurerAdapter is deprecated" and "see the OAuth 2.0 Migration Guide for Spring Security 5". I checked there but did not find much of a migration guide. Can anyone please share a full example for this?
Thanks in advance...
-
Peter S. over 4 years
I tried to downgrade the version of spring-security-oauth2 from 2.4.0.RELEASE to 2.3.8.RELEASE and it looks like it was marked as deprecated from 2.4.0.RELEASE. Both versions are from November -> maven repository. I would only guess that the migration guide for the authorization server is still in progress.
-
-
Anar Sultanov over 4 years
You should not suggest people using a project that is currently deprecated.
-
JohanB over 4 years
This is the correct answer why AuthorizationServerConfigurerAdapter is deprecated. Let's hope Spring will reconsider ...
-
Cepr0 over 4 years
I didn't suggest using a deprecated project. spring-security-oauth2-autoconfigure is not deprecated yet, and I warned that it's in maintenance mode. The question was about the possibility of using AuthorizationServer - I demonstrated this possibility.
-
Kevin about 4 years
Do you have any tutorial or resource to help with migrating from the old Spring-Security-OAuth2 to an open-source authorization server such as Keycloak or Gluu?
-
Peter Penzov almost 4 years
I'm also very interested in what can be used for the latest Spring Security. Please share!
-
Anar Sultanov almost 4 years
@Geany I wrote and published a post describing one of the migration options: sultanov.dev/blog/…
-
Anar Sultanov almost 4 years
@PeterPenzov Keycloak as well as any other authorization server can be used with the latest Spring Security: baeldung.com/spring-boot-keycloak