Spring Security 5.2.2 has incorporated Spring Security OAuth project, but not AuthorizationServer or ResourceServer. What are the replacements to AuthorizationServer in Spring Security 5.2.2?
This document contains guidance for moving OAuth 2.0 Clients and Resource Servers from Spring Security OAuth 2.x to Spring Security 5.2.x. Since Spring Security doesn’t provide Authorization Server support, migrating a Spring Security OAuth Authorization Server is out of scope for this document.
Best Answer
The first thing to note is that Spring Security OAuth 2.4.0 officially deprecates all its classes.
The second thing is that according to the Spring Security - OAuth 2.0 Features Matrix - FAQ:
One solution is to use an OAuth2 authorization server such as Gluu or Keycloak, but depending on your usage and on the degree of customization you have made in your authorization server this is certainly not straightforward.
Due to Spring community protests, there is also some hope that an authorization server will still be implemented in Spring Security. According to Josh Cummings on Github :
See also : https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update
== Update 5 March 2020 ==
To answer the question of Joseph: "Any issue if we continue using it?": For now, no specific issues, Spring Security OAuth is still maintained but this will probably not be the case in a near future. Citing the same blog post as above:
== Update 15 April 2020 ==
A brand new Spring Authorization Server is announced. You can find it on Github.
== Update 7 May 2020 ==
As announced on the Spring blog:
== Update 09 July 2021 ==
The new Spring Authorization Server 0.1.2 is now available. According to the comments of Joe Grandja, there is no definite timeline for a production ready version and the APIs are still evolving.
== Update 19 August 2021 ==
The first officially supported production-ready version, Spring Authorization Server 0.2.0, is available : https://spring.io/blog/2021/08/19/spring-authorization-server-goes-to-production