What is the replacement for the deprecated AuthorizationServer in Spring Security?


The first thing to note is that Spring Security OAuth 2.4.0 officially deprecates all its classes.

The second thing is that according to the Spring Security - OAuth 2.0 Features Matrix - FAQ:

We are no longer planning on adding Authorization Server support to Spring Security.

One solution is to use an OAuth2 authorization server such as Gluu or Keycloak, but depending on your usage and on the degree of customization you have made in your authorization server, this is certainly not straightforward.

Due to Spring community protests, there is also some hope that an authorization server will still be implemented in Spring Security. According to Josh Cummings on GitHub:

We'd like to thank everyone for your feedback on the decision to not support Authorization Server. Due to this feedback and some internal discussions, we are taking another look at this decision. We'll notify the community on any progress.

See also: https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update

== Update 5 March 2020 ==

To answer the question of Joseph, "Any issue if we continue using it?": For now, no specific issues; Spring Security OAuth is still maintained, but this will probably not be the case in the near future. Citing the same blog post as above:

The 2.3.x line will reach EOL in March 2020. We will support the 2.4.x line at least one year after reaching feature parity.

To that end, with the release of Spring Security 5.2, we are strongly encouraging users to start migrating their legacy OAuth 2.0 client and resource server applications to the new support in Spring Security 5.2.

== Update 15 April 2020 ==

A brand new Spring Authorization Server is announced. You can find it on GitHub.

== Update 7 May 2020 ==

As announced on the Spring blog:

[...] the plan is to provide patch and security fixes for the Spring Security OAuth 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life.

== Update 09 July 2021 ==

The new Spring Authorization Server 0.1.2 is now available. According to the comments of Joe Grandja, there is no definite timeline for a production-ready version and the APIs are still evolving.

== Update 19 August 2021 ==

The first officially supported production-ready version, Spring Authorization Server 0.2.0, is available: https://spring.io/blog/2021/08/19/spring-authorization-server-goes-to-production