The Spring Security team has officially announced the end of maintenance for Spring Security OAuth.
The home page of the official website now prominently displays a notice that maintenance has stopped completely.
The old Spring Security OAuth project ends at version 2.5.2.RELEASE. The project will not receive any further iterations, including bug fixes. Fat Brother had already warned that the project was about to stop being maintained, and interested readers have already migrated.
Project documentation and code repositories are removed
The project's official documentation has been removed from spring.io, and the old documentation links now return 404, which means the documentation is gone. Documentation for the OAuth2 authorization server, Spring Authorization Server, has been added instead.
Not only was the documentation removed, but the project's repository was also moved to spring-attic, Spring's repository for out-of-date projects, and marked as read-only.
The Spring Boot auto-configuration code repository for Spring Security OAuth has been moved as well, which means the related Spring Boot auto-configuration has also been removed.
From all this, it seems that Spring Security OAuth is indeed dead. Does that mean it can no longer be used? Of course not.
Migration guide
This is the migration guide summarized by Fat Brother.
Dependency check
How do you check whether your project uses the old OAuth2 facilities? By checking its dependencies. Every dependency in the following list is out of date and needs to be migrated:
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth-parent</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth</groupId>
    <artifactId>spring-security-oauth2</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-jwt</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security.oauth.boot</groupId>
    <artifactId>spring-security-oauth2-autoconfigure</artifactId>
</dependency>
You can check whether the dependency tree contains any of the above dependencies by running mvn dependency:tree.
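As an added example (not from the original post), the following Python script scans mvn dependency:tree output for the five coordinates listed above and reports which direct dependency pulls each one in, which matters when the old library arrives transitively. The SAMPLE output, the com.example coordinates and every version other than 2.5.2.RELEASE are constructed for illustration.

```python
import re

# End-of-life coordinates from the list above: (groupId, artifactId).
DEPRECATED = {
    ("org.springframework.security.oauth", "spring-security-oauth-parent"),
    ("org.springframework.security.oauth", "spring-security-oauth"),
    ("org.springframework.security.oauth", "spring-security-oauth2"),
    ("org.springframework.security", "spring-security-jwt"),
    ("org.springframework.security.oauth.boot", "spring-security-oauth2-autoconfigure"),
}

# "[INFO] " + tree prefix in 3-character groups ("+- ", "\- ", "|  ", "   ")
# + Maven coordinates (groupId:artifactId:type[:classifier]:version[:scope]).
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][ -] )*)([^\s:]+(?::[^\s:]+){3,5})\s*$")

# Constructed sample of `mvn dependency:tree` output (not from a real build).
SAMPLE = r"""[INFO] --- maven-dependency-plugin:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:2.7.0:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:5.7.1:compile
[INFO] \- com.example:legacy-sso-starter:jar:1.0.0:compile
[INFO]    +- org.springframework.security.oauth:spring-security-oauth2:jar:2.5.2.RELEASE:compile
[INFO]    \- org.springframework.security:spring-security-jwt:jar:1.0.0-example:compile
[INFO] BUILD SUCCESS
"""

def find_deprecated(tree_output):
    """Return [(deprecated 'g:a:version', direct dependency 'g:a' that brings it in)]."""
    findings = []
    direct = None
    for line in tree_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, separator or summary line
        depth = len(m.group(1)) // 3  # 0 = project itself, 1 = direct dependency
        parts = m.group(2).split(":")
        group_id, artifact_id = parts[0], parts[1]
        # The root line ends with the version; dependency lines end with version:scope.
        version = parts[-1] if depth == 0 else parts[-2]
        if depth == 1:
            direct = f"{group_id}:{artifact_id}"
        if depth >= 1 and (group_id, artifact_id) in DEPRECATED:
            findings.append((f"{group_id}:{artifact_id}:{version}", direct))
    return findings

if __name__ == "__main__":
    for dep, via in find_deprecated(SAMPLE):
        print(f"{dep}  (pulled in by {via})")
```
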
New OAuth2 Alternative
Developers need some knowledge of OAuth2.0, OAuth2.1, and OIDC 1.0.
Spring Security 5 integrates two modules, OAuth2 Client and Resource Server. If you need to migrate, it is recommended to move to the latest Spring Security 5.7.x, which eases the later transition to Spring 6. Taking Spring Boot as an example, the first step is to integrate Spring Security:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
It is recommended to use the latest version, which is currently 2.7.
Integrate OAuth2 Client dependencies
OAuth2 Client depends on Spring Security and cannot be used alone:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
Integrate Resource Server dependencies
Resource Server also depends on Spring Security and cannot be used alone:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
Integrate OAuth2 authorization server dependencies
At present, the OAuth2 authorization server in the Spring ecosystem is Spring Authorization Server, which is now production-ready. With the latest version, 0.3.0, the official documentation has been launched on spring.io. Note that it requires Java 11 or above. It is also a Spring Security submodule and cannot be used alone:
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-authorization-server</artifactId>
    <version>0.3.0</version>
</dependency>
Let me reveal that a Spring Boot Starter for the project will also be available soon.
Study guide
Fat Brother has been systematically summarizing the new OAuth2-related topics in recent months, so as long as you follow Fat Brother you can always find relevant knowledge and practical content. Fat Brother also offers some references here:
- OAuth2 Framework: https://oauth.net
- OIDC 1.0 protocol: https://openid.net
- Spring Security: http://felord.cn
- New Spring Security OAuth2: http://felord.cn
Reference demo projects:
- Spring Security 5 learning: https://gitee.com/felord/security-learning
- Spring Security OAuth2 Tutorial: https://github.com/NotFound403/spring-security-oauth2-tutorial
- Authorization Server Console Id Server: https://github.com/NotFound403/id-server
- Login extension: https://github.com/NotFound403/spring-security-login-extension
Summary
The old Spring Security OAuth is out of date, but there is no need to panic unless your architecture in this area needs to keep iterating. However, with the launch of the new solution, the maintainability of the old solution will be greatly reduced, so migrate if conditions permit. Spring Cloud will also make some adjustments to accommodate the new architecture at some point in the future. Please stay tuned; we will bring relevant news promptly.