What is the replacement for the deprecated AuthorizationServer in Spring Security?

spring spring-boot spring-security spring-security-oauth2
23,753

The first thing to note is that Spring Security OAuth 2.4.0 officially deprecates all its classes.

The second thing is that according to the Spring Security - OAuth 2.0 Features Matrix - FAQ:

We are no longer planning on adding Authorization Server support to Spring Security.

One solution is to use an OAuth2 authorization server such as Gluu or Keycloak, but depending on your usage and on the degree of customization you have made in your authorization server this is certainly not straightforward.

Due to Spring community protests, there is also some hope that an authorization server will still be implemented in Spring Security. According to Josh Cummings on Github :

We'd like to thank everyone for your feedback on the decision to not support Authorization Server. Due to this feedback and some internal discussions, we are taking another look at this decision. We'll notify the community on any progress.

See also : Spring Security OAuth 2.0 Roadmap Update

== Update 5 March 2020 ==

To answer the question of Joseph: "Any issue if we continue using it?": For now, no specific issues, Spring Security OAuth is still maintained but this will probably not be the case in a near future. Citing the same blog post as above:

The 2.3.x line will reach EOL in March 2020. We will support the 2.4.x line at least one year after reaching feature parity.

To that end, with the release of Spring Security 5.2, we are strongly encouraging users to start migrating their legacy OAuth 2.0 client and resource server applications to the new support in Spring Security 5.2.

== Update 15 April 2020 ==

A brand new Spring Authorization Server is announced. You can find it on Github.

== Update 7 May 2020 ==

As announced on the Spring blog:

[...] the plan is to provide patch and security fixes for the Spring Security Oauth 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life.

== Update 09 July 2021 ==

The new Spring Authorization Server 0.1.2 is now available. According to the comments of Joe Grandja, there is no definite timeline for a production ready version and the APIs are still evolving.

== Update 19 August 2021 ==

The first officially supported production-ready version, Spring Authorization Server 0.2.0, is available : Spring Authorization Server goes to production !

== Update 24 March 2022 ==

Spring Authorization Server 0.2.3 is now available, but there is still no feature parity with the Authorization Server from the deprecated Spring Security OAuth project. Completed features can be found in the Github wiki. Advancement can be followed with the ZenHub board.

== Update 1 June 2022 ==

The Spring Security OAuth and Spring Security OAuth Boot 2 auto-configuration projects have reached end of life. See official blog post.

Share:
23,753
Chloe
Author by

Chloe

Updated on August 21, 2021

Comments

  • Chloe
    Chloe over 2 years

    Spring Security 5.2.2 has incorporated Spring Security OAuth project, but not AuthorizationServer or ResourceServer. What are the replacements to AuthorizationServer in Spring Security 5.2.2?

    OAuth-2.0-Migration-Guide

    This document contains guidance for moving OAuth 2.0 Clients and Resource Servers from Spring Security OAuth 2.x to Spring Security 5.2.x. Since Spring Security doesn’t provide Authorization Server support, migrating a Spring Security OAuth Authorization Server is out of scope for this document.

    spring deprecation

  • Joseph
    Joseph about 4 years
    any issue if we continue using it?
  • Volkan Okçu
    Volkan Okçu almost 4 years
    @OrtomalaLokni I am using AuthorizationServer can you recommend to start to use KeyCloak? I have spring boot 2.3.0 and still not deprecated. But meybe i should start to use KeyCloak?
  • raven-king
    raven-king over 3 years
    At least the migration path is clear now... we were evaluating Keycloak which is pretty decent and has a good plugin system, however it was always a second choice compared to the flexibility of being able to customise with a custom Spring project. Good news!!
  • Sunchezz
    Sunchezz over 2 years
    thank you for continuously updating!!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Extract Currently Logged in User information from JWT token using Spring Security
Spring Boot OAuth2 - Could not obtain user details from token
How to overwrite Spring Cloud OAuth2 client autoconfiguration?
Handle UserRedirectRequiredException (A redirect is required to get the users approval)
Consider defining a bean of type 'org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository' in your configuration
Cannot instantiate interface org.springframework.context.ApplicationListener after adding spring-security-oauth2
Spring Security 5 : There is no PasswordEncoder mapped for the id "null"
AuthorizationServerConfigurerAdapter is deprecated
Why Spring Security permitAll() is not working with OAuth2.0?
Spring Boot OAuth2 Single Sign Off (Logout)