The Spring Security team has officially announced that Spring Security OAuth has reached the end of its life with the termination of maintenance.

Spring Security team

The home page of the official website now carries a highlighted notice that maintenance has ceased completely.

home page of the official website

The old Spring Security OAuth project ends at version 2.5.2.RELEASE, and there will be no further iterations of the project, including bug fixes. We warned previously that maintenance of the project would soon be discontinued, and those who were paying attention have already migrated.

Project documentation and code repository removed

The official documentation for this project has now been removed from spring.io; the old documentation links return 404, so it is no longer available at all. Documentation for the OAuth2 authorization server, Spring Authorization Server, has been added.

Spring Security Document

Not only was the documentation removed, but the project repository was also migrated to Spring’s expired project repository spring-attic and marked as read-only.

Spring Security OAuth repository has been migrated

The Spring Boot autoconfiguration code repository for Spring Security OAuth was also migrated, meaning that Spring Boot-related autoconfigurations were also removed.

Spring Security OAuth2 Boot repository is migrated

From all this, it seems that Spring Security OAuth is indeed dead. Is there nothing else available? Of course not.

Migration Guide

Dependency checking

So how do you check if your project is using the old OAuth2 facility? By performing a dependency check, of course. The following dependencies, in any version, are out of date and need to be migrated.

<dependency>  
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth-parent</artifactId>
</dependency>
<dependency>  
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth</artifactId>
</dependency>
<dependency>  
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-jwt</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
</dependency>

You can check whether the dependency tree includes any of the above dependencies by running mvn dependency:tree.
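The old artifacts often arrive transitively, so a search of your own pom.xml can miss them. The following added example (not from the original article or the Spring project) parses `mvn dependency:tree` output and reports each listed end-of-life coordinate with the path that pulls it in; the sample output, the `legacy-sso-starter` name and the function name are constructed for illustration.

```python
import re

# Coordinates the article lists as end-of-life in any version.
EOL = {
    ("org.springframework.security.oauth", "spring-security-oauth-parent"),
    ("org.springframework.security.oauth", "spring-security-oauth"),
    ("org.springframework.security.oauth", "spring-security-oauth2"),
    ("org.springframework.security", "spring-security-jwt"),
    ("org.springframework.security.oauth.boot", "spring-security-oauth2-autoconfigure"),
}

# "[INFO] " + tree prefix in 3-character groups + group:artifact:rest
NODE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -]{2})*)([\w.\-]+):([\w.\-]+):(\S+)$")

# Constructed sample output; project, starter name and most versions are made up.
SAMPLE = r"""[INFO] --- maven-dependency-plugin:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.7.0:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.7.1:compile
[INFO] \- com.example:legacy-sso-starter:jar:1.0.0:compile
[INFO]    +- org.springframework.security.oauth:spring-security-oauth2:jar:2.5.2.RELEASE:compile
[INFO]    \- org.springframework.security:spring-security-jwt:jar:1.0.0:compile
[INFO] BUILD SUCCESS
"""

def find_eol(tree_output):
    """Return (full coordinate, path from project root) for every EOL artifact."""
    stack, hits = [], []
    for line in tree_output.splitlines():
        m = NODE.match(line.rstrip())
        if not m:
            continue  # banner, summary or blank line
        depth = len(m.group(1)) // 3      # each tree level is three characters wide
        coord = f"{m.group(2)}:{m.group(3)}"
        del stack[depth:]                 # leave the previous branch
        stack.append(coord)
        # Match on groupId AND artifactId: spring-security-web shares a group
        # with spring-security-jwt but is not end-of-life.
        if (m.group(2), m.group(3)) in EOL:
            hits.append((f"{coord}:{m.group(4)}", " -> ".join(stack)))
    return hits

if __name__ == "__main__":
    for coord, path in find_eol(SAMPLE):
        print(f"EOL: {coord}\n  via: {path}")
```

Feed it real output with `mvn dependency:tree > tree.txt` and pass the file contents to `find_eol`; a non-empty result is a reasonable condition for failing a CI build.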

New OAuth2 alternative

The developer needs some knowledge of OAuth 2.0, OAuth 2.1 and OIDC 1.0.

Two modules, OAuth2 Client and Resource Server, are integrated in Spring Security 5. If migration is required, it is recommended to migrate to the latest Spring Security 5.7.x to ease the transition to Spring 6. In the case of Spring Boot, the first step is to integrate Spring Security.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

Here it is recommended to use the latest version, which is currently 2.7.

Integrating OAuth2 Client dependencies

OAuth2 Client depends on Spring Security and cannot be used alone.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>

Integrating Resource Server dependencies

Resource Server also depends on Spring Security and cannot be used alone.

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>

Integrating OAuth2 Authorization Server dependencies

The current OAuth2 authorization server in the Spring ecosystem is Spring Authorization Server, which is now production-ready. As of the latest 0.3.0 release, the official documentation is available on spring.io. Note that it requires Java 11 or above. It is also a Spring Security submodule and cannot be used on its own.

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.0</version>
</dependency>

Summary

The old Spring Security OAuth has reached end of life, but there is really no need to panic unless you need to continue iterating on this aspect of your architecture. However, as new solutions become available, the old ones will become much harder to maintain, so you should migrate if you can. Spring Cloud will also make some adjustments at some point in the future to accommodate the new architecture. Stay tuned, we’ll keep you posted.

Reference https://mp.weixin.qq.com/s/Axcudu293x_xLzjBaJQR3A